On December 18, 2013, data and security blogger Brian Krebs broke the story that one of the largest retailers in the world, the Target Corporation (“Target”), had suffered a significant data breach. Initially the public was told the breach affected upwards of 40 million customers, but within a month the story had evolved: it was revealed that in fact more than 70 million customers had information stolen, including names, emails and phone numbers. (Source: TechCrunch Magazine, “Target’s Data Breach Gets Worse: 70 Million Customers Had Info Stolen, Including Names, Emails And Phones,” by Sarah Perez, January 10, 2014).
By the end of the following year, Target had incurred nearly a quarter of a billion dollars ($252 million) in costs arising from the data breach, as well as significant damage to the company’s reputation. (Source: “Target Breach Price Tag: $252 Million and Counting,” Privacy and Security Matters blog post by Kevin M. McGinty, February 26, 2015).
Since that time, a number of folks have looked at the Target breach trying to understand what went wrong, including Verizon consultants that the company brought in for a post-mortem. According to an article published last week in ComputerWorld (citing Krebs, who published details of the Verizon report on his blog KrebsOnSecurity), “Verizon consultants [ ] came back with results that point to one overriding – if not dramatic – lesson: be sure to implement basic security best practices.” (emphasis added). (Source: ComputerWorld Magazine, “Report: Target failed on security basics,” by Tim Greene, October 1, 2015.)
Two of the more interesting “basic” cybersecurity fails the report identified follow. For the complete list, take a look at the full ComputerWorld article and Krebs’s report, found at http://tinyurl.com/nv9kd63.
- Weak passwords: From the post: “Within one week, the security consultants reported that they were able to crack [86 percent of Target’s passwords] that allowed access to various internal networks, including; target.com, corp.target.com; email.target.com; stores.target.com; hq.target.com; labs.target.com; and olk.target.com.” The post says that Verizon consultants also cracked 12 (34%) of 35 admin domain passwords.
- Failure to segment networks: From the post: “‘[N]o controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers.’ … In one instance, they were able to communicate directly with cash registers in checkout lanes after compromising a deli meat scale located in a different store.”
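Both of these “basics” can be checked mechanically before an outside consultant does it for you. The following is an added example, not code from the post or from the Verizon report: a password-policy audit that reports the share of accounts failing a minimal policy (the kind of figure the consultants expressed as 86%), and a segmentation check that maps addresses to zones and flags logged flows the zone policy does not permit, such as a store device talking to a register. The zone layout, allowed flows, accounts, passwords, thresholds and log lines are all constructed for illustration and are not Target’s.

```python
"""Added example: a weak-password policy audit and a network-segmentation
policy check over constructed flow logs. All zones, addresses, passwords
and thresholds are made up for illustration."""
from __future__ import annotations

import ipaddress
import re

# ---- Lesson 1: weak passwords ------------------------------------------------
MIN_LENGTH = 12                      # assumed policy threshold
COMMON_PASSWORDS = {"password", "welcome1", "summer2013", "changeme", "qwerty123"}
COMPANY_TERMS = ("target",)          # the company name is among the first guesses tried


def password_weaknesses(password: str) -> list[str]:
    """Return the policy rules a password violates (empty list = acceptable)."""
    low = password.lower()
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if low in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    if any(term in low for term in COMPANY_TERMS):
        reasons.append("contains company name")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    return reasons


def audit_passwords(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each account whose password fails policy to the reasons it fails."""
    failures = {}
    for user, pw in accounts.items():
        reasons = password_weaknesses(pw)
        if reasons:
            failures[user] = reasons
    return failures


def weak_fraction(accounts: dict[str, str]) -> float:
    """Share of accounts failing policy (0.0 when there are no accounts)."""
    return len(audit_passwords(accounts)) / len(accounts) if accounts else 0.0


# ---- Lesson 2: network segmentation ------------------------------------------
# Constructed zone layout. The most specific matching prefix wins, so the
# management subnet carved out of the corporate range is its own zone.
ZONES = {
    "store_devices": ipaddress.ip_network("10.10.0.0/16"),  # scales, kiosks, HVAC
    "pos":           ipaddress.ip_network("10.20.0.0/16"),  # registers, POS servers
    "corp":          ipaddress.ip_network("10.30.0.0/16"),  # office workstations
    "mgmt":          ipaddress.ip_network("10.30.5.0/24"),  # patch/management hosts
}
# Permitted cross-zone flows as (source zone, destination zone).
# Traffic inside a single zone is permitted; anything else is a violation.
ALLOWED = {("pos", "corp"), ("mgmt", "pos"), ("mgmt", "store_devices"), ("corp", "store_devices")}

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def zone_of(ip: str) -> str:
    """Longest-prefix zone lookup; addresses outside every zone are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1] if matches else "unknown"


def flow_allowed(src: str, dst: str) -> bool:
    """Deny anything involving an unknown network; otherwise apply the zone policy."""
    s, d = zone_of(src), zone_of(dst)
    if "unknown" in (s, d):
        return False
    return s == d or (s, d) in ALLOWED


def find_violations(log_lines: list[str]) -> list[tuple[str, str, str, str]]:
    """Return (src, dst, src_zone, dst_zone) for every logged flow the policy forbids."""
    out = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line; a production tool would count these separately
        src, dst = m["src"], m["dst"]
        if not flow_allowed(src, dst):
            out.append((src, dst, zone_of(src), zone_of(dst)))
    return out


# Constructed sample data (not real accounts, passwords or traffic).
SAMPLE_ACCOUNTS = {
    "svc_backup": "Target2013!",
    "dba_ops": "summer2013",
    "netadmin": "Qv7#pLx2!mRz9wT",
    "helpdesk": "welcome1",
    "secops": "correct-horse-battery-staple-42",
}

SAMPLE_LOG = [
    "2013-11-15T02:14:07Z src=10.10.3.44 dst=10.20.7.12 dport=9100",    # deli scale -> register
    "2013-11-15T02:14:09Z src=10.30.5.9 dst=10.20.7.12 dport=22",       # mgmt host -> register
    "2013-11-15T02:14:11Z src=10.20.7.12 dst=10.30.40.2 dport=443",     # register -> corp
    "2013-11-15T02:14:15Z src=10.30.12.5 dst=10.20.7.12 dport=445",     # office PC -> register
    "2013-11-15T02:14:20Z src=10.10.3.44 dst=10.10.3.45 dport=80",      # scale -> scale
    "2013-11-15T02:14:22Z src=192.168.99.1 dst=10.20.7.12 dport=3389",  # unknown net -> register
]

if __name__ == "__main__":
    print("weak accounts:", audit_passwords(SAMPLE_ACCOUNTS))
    print("weak fraction: %.0f%%" % (100 * weak_fraction(SAMPLE_ACCOUNTS)))
    for v in find_violations(SAMPLE_LOG):
        print("segmentation violation: %s (%s) -> %s (%s)" % v)
```

Run against the constructed data, the audit flags three of the five accounts, and the flow check reports the scale-to-register, office-to-register and unknown-network flows while accepting the management and register-to-corporate traffic. The longest-prefix lookup and the explicit deny for unknown networks are the two details that usually go wrong in home-grown checks of this kind.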
The Target breach, like so many other high-profile compromises, presents some important lessons about information security and data breach prevention, the most profound of which is that cybersecurity has to begin with the basics. There are complicated layers and technical issues involved in breaches, to be sure, but for organizations looking to shore up their cyber-defenses, sometimes the best place to start is the “ABCs,” getting the “easy stuff” right to protect the company and its customers from the attacks that will most surely come.