A prior blog post discussed the Target data breach, the retailer's security preparations, and management's post-breach response. Months before the breach, Target installed robust breach-detection software. During the breach, that software provided alerts which management missed. That blog post referenced a Bloomberg Businessweek article which reported breach details.
The Businessweek article went further and explored possible links between the breach and Russian hackers operating in Odessa, Ukraine. First things first. There will be plenty of time later to profile the hackers. Today, stay focused on breach details, the retailer's post-breach response, and the breach investigations. The goal is to report what happened so things can be fixed. Consumers want and need to know they can trust banks and retailers to protect their payment card information.
The article also published this flow diagram:
See box #1 which mentioned a HVAC vendor and used the word "probably." The conclusion seems to have been based upon an email attack described in this KrebsOnSecurity article:
"... investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical... Multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers. Two of those sources said the malware in question was Citadel – a password-stealing bot program..."
Fazio confirmed that it experienced an attack (Adobe PDF). The KrebsOnSecurity article included a "theory" about how hackers with billing credentials accessed systems with point-of-sale cashiers. I expected something more definitive than a "theory." I expect something more definitive than "investigators believe" -- ideally, "investigators analyzed" or "investigators found."
Knowing the exact scenario is important, so relevant fixes can be applied to prevent a massive breach like this from happening again. Hopefully, Target's final breach investigation report will clarify and explain things.
I wonder about the investigators' conclusions. How do investigators know with 100 percent certainty that (only) this specific HVAC vendor breach was the setup? How do the investigators know that credentials weren't stolen from any other Target vendors? How do investigators know that no other vendors experienced data breaches allowing hackers access to Target's systems?
During the past 6+ years I've written this blog, I've learned that online thieves are smart, persistent, and go where the money is. A January 2014 Let's Talk Payments article mentioned several of Target's major partners:
"Companies performing these [payments processing] roles for Target were identified in a research note by Robert W. Baird & Co analysts on Dec. 19... the merchant acquirer used by Target for credit and debit card transactions is Bank of America Merchant Services, a joint venture of Bank of America and KKR’s First Data Corp... The note also identified Vantiv of Cincinnati as processing transactions for Target customers who type in personal identification numbers for debit transactions... Target-branded payment cards are issued by Toronto’s TD Bank Group."
Regular readers of this blog recognize First Data and understand how much information the processor collects about consumers. (New to this blog? To learn more, select "Data Breaches," "Payment Procesors," or "Retail" in the right-column tag cloud. Or enter a company name in the right-column search mechanism.) Regular readers of this blog also recognize Bank of America Merchant Services, and its joint venture with First Data to process the payment transactions of the bank's retail (e.g., checking, debit card, credit card) customers. Other banks probably have similar arrangements with First Data.
Target's REDcard loyalty program includes the Target-branded credit and debit payment cards. According to a quarterly filing with the S.E.C., REDcard penetration increased from 12.8 to 18.6 percent during 2013. That's huge growth in one year. Good for Target: its shoppers like using REDcards. Bad for Target: its data breach has threatened that growth, REDcard usage by shoppers, and payments processors' revenues (and profits).
Smart hackers would focus on vendors with the best credentials; credentials that provide the best access to Target's computer systems and network. Another question: which vendor probably has the best credentials: a small HVAC vendor or a key business partner? The KrebsOnSecurity article discussed how Target required two-factor authentication for some vendors and not others. Maybe a small HVAC vendor was the easiest way in for the hackers. Maybe not. I hope that the formal Target breach investigation clarifies and explains things. Maybe the answers will be the same as reported in the KrebsOnSecurity article. Or maybe not.
In a January 2014 new story by SC Magazine, a First Data Corp representative denied that the processor's systems were breached:
"First Data processes some transactions for one of Target's acquirers, but we have no indication that our systems were involved in any of the incidents reported by Target,"
"No indication" doesn't sound to me like a resounding, definite "no" with 100 percent confidence. Reportedly, the First Data representative also said:
"The situation being reported by Target is a concern to all of us in the payments industry... data security is of paramount importance to First Data, which is why we work closely with our clients to protect cardholder data through our own system monitoring and the risk management solutions we offer our clients.”
Hmmm. Payments processors have had data breaches... massive ones. You may remember the Global Payments and Heartland breaches. First Data Corp has experienced a data breach too, at its Western Union unit.
Reportedly, the U.S. Secret Service is also investigating the Target data breach. That implies an interest in any systemic retail or banking security issues affecting the country's money supply. Systemic issues that come to mind are breaches at multiple retailers, the obsolete technology for payment cards, weaknesses in retail payment processes, and breaches at banks or payments processors. To me, a breach at a tiny HVAC vendor don't seem to rise to level of systemic.
Again, this is all speculation. I'm not saying one of Target's partners was breached. I don't have access to the data investigators have. All I'm saying is that a thorough, broad breach investigation needs to ask the question: was anyone else breached? The Target breach shook consumers' trust, and the breach investigation needs to address that. Trust matters. Consumers want to trust that banks and retailers can protect their card payment information.
Maybe the answer to this question will be the same; a small HVAC vendor's breach was the setup. Maybe not. A lot has happened since January. When 110 million records are stolen, one has to ask... one has to look, thoroughly.
I'd hate to think that the breach investigation stopped after finding the HVAC vendor breach and didn't look further for earlier breaches at other vendors or partners. If one wants to reassure consumers of secure card payment processes, you have to look further... and thoroughly. And if there were other breaches, report them, too.
If a payments processor was also breached, then those partners would likely be added as defendants to any lawsuits. The Businessweek article mentioned 90 lawsuits. Several lawsuits have already been filed by banks and by shoppers.
What's your opinion of the Target breach? What questions do you have? How were you affected by the Target breach?