Lessons Local Businesses Can Learn From Target’s Malware Attack
This post also appeared in The Tennessean, where Concept Technology has a bi-weekly feature in the Business section.
As a business handling data, if you collect it, you have to protect it.
And when you don’t, the results can be extremely damaging.
Never was this more apparent than with the November 2013 breach of Target’s point-of-sale systems. It was the second-largest retailer breach in U.S. history, and still many of the details surrounding what happened are murky (and the attackers aren’t talking).
It appears that the malware attack targeted one of Target’s heating and air conditioning vendors, Fazio Mechanical Services Inc. Fazio is based in Sharpsburg, Pa., and has done business with a number of Target locations and other top retailers, such as Trader Joe’s and Whole Foods.
The attacker was able to use Fazio Mechanical’s privileges on Target’s network to successfully attack Target’s cash register systems. At this time, we can’t be sure if the malware was spread via email, a malicious website or infected removable media.
According to unnamed sources of Brian Krebs, former Washington Post reporter and author of the highly regarded Krebs on Security blog, the breach “appears to have begun with a malware-laced email phishing attack sent to employees at (Fazio Mechanical).”
The attack, which lasted roughly a month last year from mid-November to mid-December, collected 40 million credit card records and 70 million client records, including addresses and telephone numbers.
Avivah Litan, fraud analyst for Gartner Inc., who was interviewed by Krebs, “estimates that Target could be facing losses of up to $420 million as a result of this breach. … In addition, Target will need to upgrade its retail systems to handle more secure chip-and-pin credit and debit cards.” John J. Mulligan, Target executive vice president and chief financial officer, said this upgrade would cost $100 million. Target CIO Beth Jacob recently resigned in the wake of the incident.
The moral of the story is that a security breach at a small company — Fazio Mechanical has an estimated $12.5 million in annual revenue — caused a half-billion dollars in damage, and the costs are still adding up.
Supply and vendor chain security is a bigger issue these days than it used to be. For example, as an attacker, I wouldn’t want to go directly after Target. With an active and professional security apparatus, the retailer is a relatively hard target. Instead, you would want to attack one of Target’s vendors and use them as a back door — best if you pick a smaller company that probably doesn’t spend much time or money on security practices.
Don’t let this happen to your business.
It’s yet to be determined whether Target will be liable for failing to comply with the payment card industry compliance standard. Perhaps the biggest headache that’s driving companies’ interest in IT security right now is dealing with compliance issues like the PCI.
It’s no wonder companies are confused — the standard takes up 800 pages of technical jargon.
The way toward achieving PCI compliance is two-pronged:
Technical solutions.
Technical compliance has always been a moving target. Since threats change day to day, with new vulnerabilities and problems popping up constantly, you need someone to pay attention to these threats all the time.
Policy solutions.
Policies can help PCI compliance by outlining who has access to what information. For example, a policy can determine who has access to third-party information or how long client data are maintained.
You can’t buy PCI compliance, and there are no products on the market that can ensure it. But what you can do is keep up with technologies and strategies that will help to ensure compliance.