Chapter 7. Retailgeddon

Far out in western Pennsylvania, cars sat parked in the lot of a white, nondescript building. Four flags flew proudly above the main entrance. The exterior of Fazio Mechanical Services was plain—but despite its humble facade, the tiny HVAC company boasted an impressive clientele: Sam’s Club, Super Valu, Trader Joe’s, and Target, among many others.

Inside the white walls of the building, an email quietly landed in someone’s inbox. The reader clicked, triggering installation of malicious software and opening the door for cybercriminals. Little did anyone know that this one tiny act would trigger an avalanche that would lead to the theft of 40 million credit card numbers and eventually bury an international retailer in a multiyear data breach crisis that included lawsuits, congressional investigations, and nearly $300 million in cumulative expenses.1 With a click, the infamous Target breach began.

1. Target, 2016 Annual Report, accessed January 12, 2018, https://corporate.target.com/_media/TargetCorp/annualreports/2016/pdfs/Target-2016-Annual-Report.pdf.

Target’s HVAC vendor, Fazio Mechanical, didn’t stand a chance. The small, family-owned company had no real-time malware protection (instead, it had a free version of Malwarebytes Anti-Malware Scanner, which was not licensed for corporate use and ran only on demand).2 Criminals lurked in Fazio Mechanical’s systems and eventually captured a password to a Target web portal.3

2. Brian Krebs, “Email Attack on Vendor Set Up Breach at Target,” Krebs on Security (blog), February 12, 2014, https://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target.

3. Fazio Mechanical Services, “Statement on Target Data Breach,” accessed January 12, 2018, https://web.archive.org/web/20140327052645/http://faziomechanical.com/Target-Breach-Statement.pdf.

On November 12, 2013, the criminals used Fazio Mechanical’s credentials to access Target’s network.4 From there, criminals wormed their way deep inside Target’s network, eventually installing malware on the retailer’s point-of-sale (POS) systems that would capture and steal credit card numbers as customers swiped them. The criminals initially installed the malware on a small group of POS terminals between November 15 and November 28, testing and honing their tools.5

4. Hearing on “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches” Before the S. Comm. on Commerce, Science, and Transportation, 113th Cong. (March 26, 2014), https://corporate.target.com/_media/TargetCorp/global/PDF/Target-SJC-032614.pdf (written testimony of John Mulligan, Chief Financial Officer, Target).

5. Brian Krebs, “Target Hackers Broke in Via HVAC Company,” Krebs on Security (blog), February 5, 2014, https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company.

By the end of November, the criminals had pushed their malware out to the majority of Target’s POS systems, ultimately compromising POS devices at more than 1,800 stores across the United States.6 The malware was programmed to copy customer credit card numbers to an internal file share, where it was collected and transferred to an outside server. Throughout December 2013, the criminals transferred millions of stolen credit card numbers out of Target’s network and then uploaded them to a carding forum, where they were sold.

6. Krebs, “Target Hackers Broke In.”

The timing was impeccable. “At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.”7 Because the hack coincided with Target’s peak shopping period, criminals managed to collect a whopping 40 million credit card numbers in two weeks.

7. M. Riley, B. Elgin, D. Lawrence, and C. Matlock, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” Bloomberg, March 17, 2014, https://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data.

Target knew nothing of the theft until mid-December, when it was alerted by the U.S. Department of Justice and the Secret Service. By then, the damage was done. By December 11, Easy Solutions, a fraud tracking company, had noted a “10 to twentyfold increase in the number of high-value stolen cards on black market websites, from nearly every bank and credit union.”8

8. Elizabeth A. Harris and Nicole Perlroth, “For Target, the Breach Numbers Grow,” New York Times, January 10, 2014, https://www.nytimes.com/2014/01/11/business/target-breach-affected-70-million-customers.html.

Card issuers and banks were well aware of the breach and had identified Target as a common point-of-purchase—a place where all the affected cards had been used and therefore a likely source of compromise. They kept quiet, waiting for law enforcement and card brands to investigate—until someone tipped off investigative journalist Brian Krebs.
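The common point-of-purchase analysis the issuers performed, as an added example that is not part of the original chapter: given a set of issuer-side card tokens reported for fraud and each card's merchant history over the suspected exposure window, it counts how many compromised cards share each merchant and compares that share with the share across the whole card population, so a merchant that most cardholders visit anyway does not outrank the likely source. The token ids, merchant names and histories are constructed for the example.

```python
"""Common point-of-purchase (CPP) ranking over constructed card histories."""
from collections import Counter

# Constructed data: issuer-side card tokens mapped to the merchants each card
# was used at during the exposure window. Not real cards or merchants.
HISTORY = {
    "tok-001": {"BigBox Store", "Corner Cafe", "Fuel Stop"},
    "tok-002": {"BigBox Store", "Fuel Stop"},
    "tok-003": {"BigBox Store", "Bookshop"},
    "tok-004": {"BigBox Store", "Corner Cafe"},
    "tok-005": {"Fuel Stop", "Bookshop"},      # fraud card without a BigBox visit
    "tok-006": {"Fuel Stop", "Corner Cafe"},   # clean card
    "tok-007": {"Bookshop"},                   # clean card
    "tok-008": {"Fuel Stop"},                  # clean card
    "tok-009": {"BigBox Store"},               # clean: not every BigBox shopper is hit
    "tok-010": {"Corner Cafe", "Bookshop"},    # clean card
}
# Tokens the issuer's fraud team has already confirmed as compromised.
FRAUD_REPORTED = {"tok-001", "tok-002", "tok-003", "tok-004", "tok-005"}


def merchant_shares(history: dict, cards: set) -> dict:
    """Fraction of `cards` that transacted at each merchant."""
    counts = Counter()
    for card in cards:
        for merchant in history.get(card, ()):
            counts[merchant] += 1
    n = len(cards)
    return {m: c / n for m, c in counts.items()} if n else {}


def common_point_of_purchase(history: dict, fraud_cards: set, min_share: float = 0.5) -> list:
    """Rank merchants by lift: fraud-card share divided by population share.

    Only merchants seen on at least `min_share` of the fraud cards are kept;
    the result is a list of (merchant, fraud_share, lift), best candidate first.
    """
    fraud = merchant_shares(history, fraud_cards)
    population = merchant_shares(history, set(history))
    ranked = []
    for merchant, share in fraud.items():
        base = population.get(merchant, 0.0)
        lift = share / base if base else float("inf")
        if share >= min_share:
            ranked.append((merchant, round(share, 2), round(lift, 2)))
    ranked.sort(key=lambda r: (r[2], r[1]), reverse=True)
    return ranked


if __name__ == "__main__":
    for merchant, share, lift in common_point_of_purchase(HISTORY, FRAUD_REPORTED):
        print(f"{merchant:15} fraud share {share:.2f}  lift {lift:.2f}")
```

In this data both BigBox Store and Fuel Stop appear on more than half of the compromised cards, but Fuel Stop is just as common among clean cards, so its lift is close to 1 and BigBox Store ranks first. Real issuer analyses work the same way on far larger populations, and the lift step is what lets them single out one merchant when the victims' histories overlap at dozens of national chains.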

On December 18, 2013, Krebs outed the retailer, after sources from two large banks leaked information to him about the breach. “Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records,” reported Krebs on his popular blog, Krebs on Security. “According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.”9

9. Brian Krebs, “Sources: Target Investigating Data Breach,” Krebs on Security (blog), December 18, 2013, https://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach.

A media uproar ensued. Taken by surprise, Target’s management team fumbled the response. The company remained silent during the first day. The next day, it issued a terse statement confirming the breach and disclosed that up to 40 million cards may have been stolen, affecting customers who shopped at Target between November 27 and December 15 (later extended to December 18).10

10. Melanie Eversley and Kim Hjelmgaard, “Target Confirms Massive Credit-Card Data Breach,” USA Today, December 18, 2013, https://www.usatoday.com/story/news/nation/2013/12/18/secret-service-target-data-breach/4119337.

As banks and customers struggled to rein in card fraud and issue replacements in the busy days before Christmas, news of the breach quickly ignited a massive public relations nightmare. “Target’s once-envied reputation may never fully recover from the massive data breach,” reported Kim Bhasin of the Huffington Post. “Public perception of Target fell off a cliff after the breach and remains at historic lows.”11

11. Kim Bhasin, “Target’s Reputation May Never Be the Same Again,” Huff Post UK, January 27, 2014, http://www.huffingtonpost.co.uk/entry/target-reputation_n_4673894.

Bad news continued to leak out over the coming weeks, like a car wreck in slow motion. Fourth-quarter profits were down a whopping 46%. In January, Target announced that the personal information of up to 70 million people might have been exposed (including name, address, phone number, and email address), bringing the total number of potentially affected people to 110 million. Investigative reporters from Bloomberg revealed shocking details of the hack, which showed that Target had repeatedly missed internal alerts from its expensive intrusion detection system (IDS). Former employees shared unflattering details of Target’s internal IT management, scarring the company’s reputation.

As the retailer continued to struggle with the breach response over the coming months, even loyal customers lost patience. “Wow do I regret shopping at Target,” vented one frustrated customer on Facebook. “Because they can’t secure info I had to have a card canceled and it dropped my credit score 12 points.” Another customer added, “I was understanding in December . . . but now I am just pissed off.”12

12. Bhasin, “Target’s Reputation.”

The chief information officer (CIO) stepped down. The chief executive officer (CEO) stepped down. Target hit bottom.

The Target breach was the first of what would become a series of major, public POS breaches affecting retailers during 2013-14, which we will refer to as Retailgeddon.

Retailgeddon was a turning point. It happened because of advancements in cybercriminal technology combined with a dramatic leap forward in investigative reporting tactics. Payment card breaches were already happening; but the epidemic got worse, and at the same time, the media suddenly had a way to detect and report on these breaches. As a result, retailers across the country suddenly found themselves in the headlines for being hacked.

In this chapter, we will outline the changes that caused the Target breach to blow up, and analyze the retailer’s response. Then, we will discuss the impacts of Retailgeddon on the wider community and show how the resulting rollout of EMV (“the chip”) diverted funds from retailers that might otherwise have been invested in more modern and secure payment technologies.

7.1 Accident Analysis

Imagine that you are driving down a straight road in the desert, pushing 80 mph in a little red sports car. Suddenly, the road before you changes. You find yourself careening around the corner of a snowy mountain pass, with a steep drop off and no guard rail—but still in your little red sports car. Eek!

This is essentially what happened to Target. Between 2008-13, enormous new cyber risks emerged for retailers, but many executives didn’t see them coming. Target’s leadership continued to drive the company using their familiar techniques, not realizing that the road had become very dangerous and their car was not well equipped to handle curves.

Target was hardly the only retailer in this position. The company’s spotty cybersecurity posture was very much the norm for the retail industry, as evidenced by the pileup of retail breaches that occurred in the same time frame as the Target breach. The threat landscape had changed quickly, and retailers did not adapt.

Why did Target, in particular, become the “poster child of mega retail breaches”?13

13. Jennifer LeClaire, “Cost of Target Data Breach: $148 Million Plus Loss of Trust,” Newsfactor, August 20, 2014, https://www.newsfactor.com/story.xhtml?story_id=00100016BSDE.

Much like a car accident, the Target data breach crisis was the result of multiple factors. Timing was undeniably a huge factor: The company was in the wrong place at the wrong time. A year earlier, and Krebs might not have broken the story before the company was ready. A year later, and no one would have been shocked—the public had become desensitized to payment card breaches. Any other month, and the pressure of the holiday shopping season wouldn’t have complicated the breach response.

At that particular moment in cybercrime history:

  • Commercial exploit kits had recently become widely available, enabling criminals to compromise and control large numbers of endpoint systems with relatively little effort.

  • Attackers had developed sophisticated tools and techniques for pivoting through the supply chain and moving laterally within the networks of hacked organizations.

  • Carder forums and the darknet markets had developed into full-fledged e-commerce systems, capable of moving very large quantities of stolen card numbers.

  • Retailers still had huge gaps in their cybersecurity, incident response, and breach preparedness programs.

  • Financial institutions had reached a breaking point with respect to payment card breaches and were searching for ways to reduce their losses.

  • Investigative reporter Brian Krebs had developed strong ties with financial institutions and gained access to darknet markets, enabling him to uncover data breach scandals far more quickly than ever before.

All of these factors combined to create a very slippery road—and drivers weren’t paying attention.

7.1.1 Pileup

Immediately on the heels of the Target breach, Neiman Marcus and Michaels announced their own credit card data breaches.14 Throughout 2014, wave after wave of POS breaches hit the news. Sally Beauty, a beauty products retail chain, was outed in March 2014, after 260,000 credit cards stolen from their stores reportedly went up for sale on the dark web. An analysis by Krebs indicated that the company was breached due to credential theft from an employee remote access portal, and malware was installed on approximately 6,000 POS systems.15

14. Bill Hardekopf, “The Big Data Breaches of 2014,” Forbes, January 13, 2015, https://www.forbes.com/sites/moneybuilder/2015/01/13/the-big-data-breaches-of-2014/.

15. Brian Krebs, “Deconstructing the 2014 Sally Beauty Breach,” Krebs on Security (blog), May 7, 2015, https://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach.

In May, casino operating company Affinity Gambling announced a data breach of POS systems at casino resorts. By June, PF Chang’s China Bistro announced a data breach affecting 33 restaurants in 16 states, which dated back to September 2013.16

16. Brian Krebs, “P.F. Chang’s Breach Likely Began in Sept. 2013,” Krebs on Security (blog), June 18, 2014, https://krebsonsecurity.com/2014/06/p-f-changs-breach-likely-began-in-sept-2013; John H. Oldshue, “P.F. Chang’s Data Breach Spans 33 Restaurants in 16 States,” LowCards.com, August 4, 2014, https://www.lowcards.com/p-fchangs-data-breach-spans-33-restaurants-16-states-25949.

On July 31, 2014, the Department of Homeland Security (DHS), Secret Service, the National Cybersecurity and Communications Integration Center (NCCIC) and the Financial Services Information Sharing and Analysis Center (FS-ISAC) issued a joint alert warning of a new, potent POS malware strain known as Backoff.17 Within weeks of the federal alert about Backoff, UPS announced that it had been hit—and it discovered the breach only because of the government’s alert.18

17. U.S. Department of Homeland Security, Backoff: New Point of Sale Malware (Washington, DC: US-CERT, July 31, 2014), 3, https://www.us-cert.gov/sites/default/files/publications/BackoffPointOfSaleMalware_0.pdf.

18. UPS Store, Data Security Incident Information, 2014, https://web.archive.org/web/20140830000548/http://www.theupsstore.com/security/Pages/default.aspx.

The same month, supermarket chain Supervalu announced a “potential data breach that might have affected more than 1,000 stores” in which “hackers [installed] malicious software onto the company’s point-of-sale network.” Dairy Queen, too, confirmed that the company was investigating a breach, after being alerted by the Secret Service. The organization’s franchise system—where stores were operated independently—made it trickier to coordinate the DQ investigation and incident response.19

19. Brian Krebs, “DQ Breach? HQ Says No, But Would it Know?” Krebs on Security (blog), August 26, 2014, https://krebsonsecurity.com/2014/08/dq-breach-hq-says-no-but-would-it-know.

Despite the unending reports of retail breaches, there were indications that the public announcements represented just the tip of the iceberg. In August 2014, the New York Times reported that “seven companies that sell and manage in-store cash register systems have confirmed to government officials that they each had multiple clients affected, the government said Friday. Some of those clients, like UPS and Supervalu, have stepped forward, but most have not.”20

20. Nicole Perlroth, “U.S. Finds ‘Backoff’ Hacker Tool Is Widespread,” New York Times, August 22, 2014, https://bits.blogs.nytimes.com/2014/08/22/secret-service-warns-1000-businesses-on-hack-that-affected-target/.

The onslaught continued in early September 2014, when Krebs broke the story that Home Depot had been hacked. Fifty-six million debit and credit card numbers were compromised. According to Krebs, Home Depot’s POS systems had been infected with “the same malware as Target”—a new variant of BlackPOS. By late September, sandwich chain Jimmy John’s had likewise confirmed a credit card breach at 216 stores (although the story was largely dwarfed by Home Depot’s far more massive breach).21

21. Brian Krebs, “Jimmy John’s Confirms Breach at 216 Stores,” Krebs on Security (blog), September 24, 2014, https://krebsonsecurity.com/2014/09/jimmy-johns-confirms-breach-at-216-stores/.

Kmart announced a cardholder data breach in October 2014, disclosing that “the payment data systems at Kmart stores were purposely infected with a new form of malware (similar to a computer virus). This resulted in debit and credit card numbers being compromised.”22 As the year came to an end, Staples rounded off the list by announcing that a breach “may have affected 1.16 million customers’ cards.”23

22. Alasdair James, “Kmart Investigating Payment System Breach,” Kmart, October 10, 2014, http://www.kmart.com/en_us/dap/statement1010140.html.

23. Tom Huddleston Jr., “Staples: Breach May Have Affected 1.16 Million Customers’ Cards,” Fortune, December 19, 2014, http://fortune.com/2014/12/19/staples-cards-afiected-breach.

7.1.2 Small Businesses Under Attack

At the time that Fazio Mechanical was hacked, small businesses across the United States were in the midst of an epidemic. Their bank accounts were being drained by cybercriminals who sent phishing emails to employees, stole their online banking credentials, and then transferred tens of thousands of dollars to money mules through wire transfers or fake payroll entries. Criminals found that small businesses were easy prey—few had the resources or knowledge to invest in security, and most small business owners thought that no one would want to break into their companies.

“[W]hile small businesses may assume that they have nothing a targeted attacker would want to steal, they forget that they retain customer information, create intellectual property, and keep money in the bank,” observed Symantec’s research team in their 2012 Internet Security Threat report. “[M]oney stolen from a small business is as easy to spend as money stolen from a large business.”29

29. Symantec, “Internet Security Threat Report 2014,” ISTR 19 (April 2014), http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf (accessed January 14, 2018).

Direct theft of funds from online business bank accounts was a huge problem. “Each week, I reach out to or am contacted by organizations that are losing hundreds of thousands of dollars via cyber heists,” wrote Krebs in late 2012.

In nearly every case, the sequence of events is virtually the same: The organization’s controller opens a malware-laced email attachment, and infects his or her PC with a Trojan that lets the attackers control the system from afar. The attackers then log in to the victim’s bank accounts, check the account balances—and assuming there are funds to be plundered—add dozens of money mules to the victim organization’s payroll. The money mules are then instructed to visit their banks and withdraw the fraudulent transfers in cash, and wire the money in smaller chunks via a combination of nearby MoneyGram and Western Union locations.30

30. Brian Krebs, “MoneyGram Fined $100 Million for Wire Fraud,” Krebs on Security (blog), November 19, 2012, https://krebsonsecurity.com/2012/11/moneygram-fined-100-million-for-wire-fraud.

Table 7-1 shows just a sample of the small businesses that fell victim to these cyberheists, which Krebs wrote about between 2009–13. As you can see, attackers weren’t just targeting financial institutions or large organizations. Many of the businesses compromised were in manufacturing, services and other industries that might not immediately seem high risk for cybercrime. Fazio Mechanical, a refrigeration and HVAC company, fit right in.

Table 7-1 Example: Small Businesses That Fell Victim to Cyberheists (bracketed numbers are footnote references)

Amount Stolen      Business Name                      Type                               Location
$63,000 [31]       Green Ford Sales, Inc.             car dealership                     Abilene, KS
$75,000 [32]       Slack Auto Parts                   automotive                         Gainesville, GA
$100,000 [33]      JM Test Systems                    electronics                        Baton Rouge, LA
$180,000 [34]      Primary Systems Inc.               building security and maintenance  St. Louis, MO
$200,000+ [35]     Downeast Energy & Building Supply  heating and hardware               Brunswick, ME
$223,500 [36]      Oregon Hay Products Inc.           hay compressing                    Boardman, OR
$560,000 [37]      Experi-Metal Inc.                  custom metals                      Sterling Heights, MI
$588,000 [38]      Patco Construction                 construction                       Sanford, ME
$800,000 [39]      J.T. Alexander & Son Inc.          fuel distribution                  Mooresville, NC
$801,495 [40]      Hillary Machinery, Inc.            machine tool dealer                Plano, TX
$3.5 million [41]  TRC Operating Co.                  oil production                     Taft, CA

31. Brian Krebs, “Sold a Lemon in Internet Banking,” Krebs on Security (blog), February 23, 2011, https://krebsonsecurity.com/2011/02/sold-a-lemon-in-internet-banking.

32. Brian Krebs, “Businesses Reluctant to Report Online Banking Fraud,” Washington Post, August 25, 2009, http://voices.washingtonpost.com/securityfix/2009/08/businesses_reluctant_to_report.html.

33. Krebs, “Businesses Reluctant.”

34. Brian Krebs, “Cyberheists ‘a Helluva Wake-up Call’ to Small Biz,” Krebs on Security (blog), November 6, 2012, http://krebsonsecurity.com/2012/11/cyberheists-a-helluva-wake-up-call-to-small-biz.

35. Brian Krebs, “Data Breach Highlights Role of ‘Money Mules,’” Washington Post, September 16, 2009, http://voices.washingtonpost.com/securityfix/2009/09/money_mules_carry_loot_for_org.html.

36. Brian Krebs, “Hay Maker Seeks Cyberheist Bale Out,” Krebs on Security (blog), April 11, 2013, https://krebsonsecurity.com/2013/04/hay-maker-seeks-cyberheist-bale-out.

37. Brian Krebs, “Court Favors Small Business in eBanking Fraud Case,” Krebs on Security (blog), June 17, 2011, https://krebsonsecurity.com/2011/06/court-favors-small-business-in-ebanking-fraud-case (accessed January 14, 2018).

38. Brian Krebs, “Maine Firm Sues Bank After $588,000 Cyber Heist,” Washington Post, September 23, 2009, http://voices.washingtonpost.com/securityfix/2009/09/construction_firm_sues_bank_af.html.

39. Brian Krebs, “NC Fuel Distributor Hit by $800,000 Cyberheist,” Krebs on Security (blog), May 23, 2013, https://krebsonsecurity.com/2013/05/nc-fuel-distributor-hit-by-800000-cyberheist.

40. Brian Krebs, “Texas Bank Sues Customer Hit by $800,000 Cyber Heist,” Krebs on Security (blog), January 26, 2010, https://krebsonsecurity.com/2010/01/texas-bank-sues-customer-hit-by-800000-cyber-heist.

41. Brian Krebs, “Cyberheist Victim Trades Smokes for Cash,” Krebs on Security (blog), August 14, 2015, https://krebsonsecurity.com/category/smallbizvictims.

Small businesses were also increasingly used “as pawns in more sophisticated attacks.”42 For example, in 2012 “watering hole” attacks became prevalent. Cybercriminals would hijack a vulnerable website and use it to host malware that would infect visitors. By compromising the “watering hole,” criminals could spread malware through a group of users that visited the site, even if they were wise enough to avoid clicking on links in phishing emails. Small businesses often had vulnerable websites since they typically had very limited resources to devote to IT.

42. Symantec, “Internet Security Threat Report 2014,” ISTR 19 (April 2014), http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf.

“[T]he lack of adequate security practices by small businesses threatens all of us,” declared Symantec in the 2013 Internet Security Threat Report.43

43. Symantec, “Internet Security Threat Report 2014.”

7.1.3 Attacker Tools and Techniques

The Target breach illustrates key developments in attacker tools and techniques that had emerged over the years and converged. These included maturation of:

  • Commercial exploit kits used to compromise endpoints and install arbitrary malware

  • Credential theft and commercial credential-stealing tools such as ZeuS and Citadel

  • RAM-scraping malware designed to steal payment card numbers from the memory of POS systems

  • Carder shops with e-commerce features, as previously discussed in §5.3.6, “Modern Dark Data Brokers.”

In this section, we will dissect the attack on Fazio Mechanical and the subsequent compromise of Target. As we will see, each of these key technical developments contributed to the sequence of events that enabled a click on a phishing email to lead to the compromise of 40 million payment card numbers and 110 million people’s personal information.

7.1.3.1 Commercial Exploit Kits

The epidemic of small business breaches was possible only because of the development of exploit kits. An exploit kit is software designed to help criminals efficiently and effectively distribute malware and manage botnets of infected computers. Modern exploit kits are user friendly, with point-and-click interfaces and dashboards that display statistics. MPack, an early commercial exploit kit, was developed by Russian programmers in 2006 and sold on the underground for $700 to $1000. The developers offered one year of support, as well as extra modules with new exploits that ranged in price from $50 to $150.45

45. Robert Lemos, “MPack Developer on Automated Infection Kit,” Register, July 23, 2007, https://www.theregister.co.uk/2007/07/23/mpack_developer_interview; Robert Lemos, “Newsmaker: DCT, MPack Developer,” Security Focus, July 20, 2007, http://www.securityfocus.com/news/11476/2.

MPack consisted of a collection of PHP scripts with a database backend. Customers (i.e., cybercriminals) installed the MPack exploit kit onto a server and then found ways to drive traffic to their malicious site. Often, this was accomplished by sending spam to a large number of email addresses. Another method was to hack legitimate websites and inject code that would load malware from the criminal’s server. When users visited the legitimate site, their web browsers would also run the malicious code.46 By May 2007, researchers at PandaLabs reported that they had detected more than 10,000 compromised websites that included links to an MPack server.47

46. Hon Lau, “MPack, Packed Full of Badness,” Symantec Connect, May 26, 2007, https://www.symantec.com/connect/blogs/mpack-packed-full-badness.

47. Websense Security Labs, “Large Scale European Web Attack,” Websense Alerts, June 18, 2007, https://web.archive.org/web/20080618075317/http://securitylabs.websense.com/content/Alerts/1398.aspx.

In 2010, the Blackhole exploit kit emerged, introducing groundbreaking new features. Most important, it offered a software-as-a-service (SaaS) rental model. Instead of setting up their own servers, customers could license Blackhole in the cloud. This made it far more accessible to less technical users. The exploit kit also featured a handy management console for users, which provided a statistical breakdown of infections by victim operating system, browser software, country, exploit type, and more. Customers could rent the kit for $50/day, $500/month, or $1,500/year.48

48. Fraser Howard, “Exploring the Blackhole Exploit Kit,” Naked Security by Sophos, March 2012, https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit-3/.

“Blackhole is now the world’s most popular and notorious malware exploit kit,” reported Sophos in its 2013 Annual Threat Report. “It combines remarkable technical dexterity with a business model that could have come straight from a Harvard Business School MBA case study.”49 At its peak in 2012, the Blackhole exploit kit was responsible for a whopping 27% of all exploit sites and infected redirects.50

49. Sophos, Security Threat Report 2013, https://www.sophos.com/en-us/medialibrary/pdfs/other/sophossecuritythreatreport2013.pdf.

50. Sophos, Security Threat Report 2013, 7.

Waves of spam campaigns flooded inboxes around the world. In response to the sharp rise in spam volumes during 2012, Trend Micro conducted an investigation of more than 245 spam campaigns to determine the cause. It found that the vast majority of the spam emails linked to websites infected with the Blackhole exploit kit. While the authors pointed out that the techniques used were nothing new, “the Blackhole Exploit Kit spam campaign poses a considerable challenge to conventional techniques because of the skill with which the attacks are conducted as well as the mechanics used that overwhelm conventional methods of detection and blocking by sheer number.”51

51. Jon Oliver et al., “Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs” (research paper, Trend Micro Inc., July 2012), 5, https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_blackhole-exploit-kit.pdf.

Seeing the massive success of Blackhole, in late 2012 the kit’s authors (led by a Russian developer named “Paunch”) announced a new exploit framework. The Cool Exploit Kit rented for $10,000/month. Why so pricey? The authors announced that they had “[set] aside a $100K budget to purchase browser and browser plug-in vulnerabilities, which are going to be used exclusively by us, without being released to public.” In other words, Cool Exploit Kit was packed full of zero-day vulnerabilities, which were virtually guaranteed to be unpatched.52

52. Brian Krebs, “Crimeware Author Funds Exploit Buying Spree,” Krebs on Security (blog), January 7, 2013, https://krebsonsecurity.com/2013/01/crimeware-author-funds-exploit-buying-spree.

The Cool Exploit Kit quickly became popular. At the same time, the Blackhole exploit kit rapidly declined.53 By the fall of 2013, new kits such as Neutrino, Sweet Orange, and Redkit had taken over, with Blackhole accounting for just a tiny percentage of attacks. Its fate was sealed when Paunch, the Russian developer behind the Blackhole exploit kit, was arrested in late 2013 (and ultimately sentenced by a Russian court to seven years of imprisonment in a Russian penal colony).54

53. MSS Global Threat Response, “Six Months after Blackhole: Passing the Exploit Kit Torch,” Symantec Connect, April 7, 2014, https://www.symantec.com/connect/blogs/six-months-after-blackhole-passing-exploit-kit-torch.

54. Brian Krebs, “‘Blackhole’ Exploit Kit Author Gets 7 Years,” Krebs on Security (blog), April 14, 2016, https://krebsonsecurity.com/2016/04/blackhole-exploit-kit-author-gets-8-years.

The attacks on Fazio Mechanical (and subsequently Target) represent that time period perfectly. According to news reports, the breach at Fazio Mechanical began with a “malware-laden phishing email” sent “at least two months before thieves started stealing card data from thousands of Target cash registers.”55 This means the initial compromise at Fazio started in September 2013, or earlier. A Fazio Mechanical employee could easily have been hit with one of the many spam campaigns that flooded the globe during 2012, clicked on a link, and been infected by a website hosting the Blackhole exploit kit or a similar tool. From there, criminals would have had free rein to install the payload of their choice.

55. Krebs, “Email Attack on Vendor.”

7.1.3.2 Credential Theft

How did criminals leap from Fazio Mechanical’s network all the way to Target’s POS systems? This was the big topic of discussion in the months following the Target breach. In late January 2014, a Target spokesperson confirmed that the breach had been traced back to stolen vendor credentials. The following week, Krebs revealed that the credentials were stolen specifically from Fazio Mechanical Services.56

56. D. Yadron, P. Ziobro, and C. Levinson, “Target Hackers Used Stolen Vendor Credentials,” Wall Street Journal, January 29, 2014, https://www.wsj.com/articles/holder-confirms-doj-is-investigating-target-data-breach-1391012641; Krebs, “Target Hackers Broke In.”

Many security professionals speculated that Fazio Mechanical had a dedicated connection to Target’s internal network for the purposes of maintaining refrigeration or HVAC systems that they deployed. However, the company’s owner, Ross E. Fazio, put such speculation to rest in a February 2014 press release. “Fazio Mechanical does not perform remote monitoring or control of heating, cooling or refrigeration systems for Target,” he wrote. “Our data connection with Target was exclusively for electronic billing, contract submission and project management.”57

57. Fazio Mechanical Services, “Statement.”

Former Target employees squealed to the media. One unnamed source told Krebs that “nearly all Target contractors access an external billing system called Ariba, as well as a Target project management and contract submissions portal called Partners Online.”58

58. Krebs, “Email Attack on Vendor.”

The Ariba system, which facilitates online invoicing and payment between suppliers and their customers, seemed to be a likely target for criminals. Krebs’s article drilled into it. He interviewed a former member of Target’s security team, who explained that “internal applications at Target used Active Directory (AD) credentials and I’m sure the Ariba system was no exception. . . . This would mean the server had access to the rest of the corporate network in some form or another.” In other words, criminals could have logged into the Ariba system using stolen vendor credentials, exploited a vulnerability in the underlying server, and then leveraged that access to leap into Target’s internal network. It was a solid theory.

7.1.3.3 Password-Stealing Trojans

By late 2013, criminals had long since recognized that passwords were the keys to the kingdom. Banking credentials, of course, were highly prized by criminals, but other credentials were valuable as well. “Logins for everything from Amazon.com to Walmart.com often are resold—either in bulk, or separately by retailer name—on underground crime forums,” reported Krebs in late 2012. “A miscreant who operates a . . . botnet of respectable size (a few thousand bots, e.g.) can expect to quickly accumulate huge volumes of ‘logs,’ records of user credentials and browsing history from victim PCs.”59

59. Brian Krebs, “Exploring the Market for Stolen Passwords,” Krebs on Security (blog), December 26, 2012, https://web.archive.org/web/20140628170043/http://krebsonsecurity.com/2012/12/exploring-the-market-for-stolen-passwords.

Krebs reported that Fazio Mechanical had been infected with the Citadel banking Trojan (this was based on statements from two sources, but he was not able to confirm this detail).60 Citadel is a variant of the ZeuS banking Trojan, which was designed to steal users’ web and banking credentials.

60. Krebs, “Email Attack on Vendor.”

ZeuS—also known as Zbot—was “the mother of banking Trojans,” according to Trend Micro. It was first observed in late 2006 and quickly grew to become the world’s largest botnet.61 By 2009, one security company estimated that 3.6 million computers in the United States were infected with ZeuS.62

61. SecureWorks Counter Threat Unit, “Evolution of the GOLD EVERGREEN Threat Group,” SecureWorks, May 15, 2017, https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group.

62. Dune Lawrence, “The Hunt for the Financial Industry’s Most-Wanted Hacker,” Bloomberg, June 18, 2015, https://www.bloomberg.com/news/features/2015-06-18/the-hunt-for-the-financial-industry-s-most-wanted-hacker.

ZeuS offered criminals an effective way to capture not only banking passwords, but also answers to secret questions, callback numbers, and any arbitrary information that the criminal wanted to steal. According to SecureWorks, “The transition to information-stealing malware was pragmatic because stolen credentials resulted in fewer successful fraudulent transactions as banks increased their fraud controls. New solutions were needed for criminals to bypass challenge questions and fraud detection based on IP addresses in specific geographic locations.”63

63. SecureWorks, “Evolution.”

To combat the epidemic of password theft, bank regulators urged financial institutions to use “out-of-band” authentication methods, such as mobile transaction authentication numbers (mTANs) sent to users’ mobile phones.64 By then, ZeuS authors had already released the “ZeuS-in-the-mobile” (ZitMo) function, which presents victims with a web form requesting their cell-phone number, and then sends the user a link to install the ZitMo malware (typically disguised as a security update or utility). Once infected, the user’s phone would send a copy of any text messages containing mTANs to the criminals, who combined these with the user’s stolen banking credentials to remotely log into the victim’s account.65

64. Federal Financial Institutions Examination Council, Supplement to Authentication in an Internet Banking Environment, 2011, https://www.ffiec.gov/pdf/authentication_guidance.pdf.

65. Denis Maslennikov, “ZeuS-in-the-Mobile: Facts and Theories,” SecureList.com, October 6, 2011, https://securelist.com/zeus-in-the-mobile-facts-and-theories/36424.

According to a 2012 Trend Micro report, 66% of the malware distributed by the Blackhole exploit kit was a ZeuS variant, and another 29% was the Cridex malware, another bot often used to steal banking credentials. That meant that 95% of the malware distributed by the Blackhole exploit kit in early 2012 was designed to steal credentials.66

66. Oliver et al., “Blackhole Exploit Kit.”

In a game-changing development, the full source code of ZeuS was leaked to the world in the spring of 2011. “Now What?” wrote Trend Micro. “With the ZeuS source code in our hands, we will know how [it] . . . was engineered, thus helping us improve our existing solutions.”67

67. Roland Dela Paz, “ZeuS Source Code Leaked, Now What?” Trend Micro (blog), May 16, 2011, https://blog.trendmicro.com/trendlabs-security-intelligence/the-zeus-source-code-leaked-now-what/.

Cybercriminals, however, also leveraged the newly available code base. “With the release and leakage of the source code the ZeuS/Zbot could easily become even more widespread and an even bigger threat than it already is today,” wrote security analyst Peter Kruse, who first announced the leak.68

68. Peter Kruse, “Complete ZeuS Sourcecode has Been Leaked to the Masses,” CSIS, May 9, 2011, https://web.archive.org/web/20110720042610/https://www.csis.dk/en/csis/blog/3229.

Citadel, which was implicated in the Fazio/Target attack, was one such variant that became popular in early 2012. Like the Blackhole exploit kit, Citadel used a SaaS model. Customers rented it for a $2,399 base fee plus $125/month. Users could purchase additional software modules such as antivirus evasion tools and more. But what really set Citadel apart was its customer support systems, which included a web-based trouble ticket service, chat rooms, and social forums where users could exchange ideas and even fund new developments.69 In 2017, Mark Vartanyan, a Russian crimeware developer linked to Citadel, was sentenced to five years in prison by a U.S. district court. According to prosecutors, Citadel malware was responsible for more than $500 million in financial losses.

69. Brian Krebs, “‘Citadel’ Trojan Touts Trouble-Ticket System,” Krebs on Security (blog), January 23, 2012, https://krebsonsecurity.com/2012/01/citadel-trojan-touts-trouble-ticket-system.

Once criminals installed Citadel on Fazio Mechanical’s systems, they would have had the ability to capture the user’s web application passwords, as well as stored passwords and any other data submitted in web forms. The criminals might have used these passwords themselves—or they might have packaged them up and sold them in an online credential shop.70 Many people assume that the same criminals who hacked Fazio Mechanical also stole Target’s credit card numbers—but there is no evidence that this was the case. More than two months elapsed between the time that Fazio Mechanical was first hacked and the time that Target’s credit card numbers were stolen. This is more than enough time for an initial hacker to capture credentials and sell them on the dark web to another criminal group that deliberately targeted retailers.

70. Brian Krebs, “Exploring the Market for Stolen Passwords,” Krebs on Security (blog), December 26, 2012, https://web.archive.org/web/20140628170043/http://krebsonsecurity.com/2012/12/exploring-the-market-for-stolen-passwords.

7.1.3.4 POS Malware

The Target breach rocked the industry in December 2013 with the theft of 40 million payment card numbers. This was made possible by the BlackPOS malware (also known as Kaptoxa), a memory-scraping tool that criminals installed on Target’s POS systems. BlackPOS is not, by anyone’s estimation, a “sophisticated” tool. Rather, it is a straightforward utility that criminals installed on a retailer’s POS systems to snatch payment card numbers from the system’s memory (RAM). As the customer swipes a card, the POS software reads the magnetic-stripe track data into RAM, where it briefly sits in cleartext. BlackPOS scans that memory for track data, appends what it finds to a plain-text file on the local system, and the file is ultimately exported to an FTP server.71

71. IntelCrawler, “The Teenager Is the Author of BlackPOS/Kaptoxa Malware (Target), Several Other Breaches May Be Revealed Soon,” January 17, 2014, https://web.archive.org/web/20140809015838/http://intelcrawler.com/about/press08.
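The memory-scraping step described above comes down to pattern matching: magnetic-stripe track data has a fixed layout (ISO/IEC 7813), so a scraper simply walks process memory looking for it. The following is an added example, not BlackPOS code and not from the book; it runs the same search over a constructed byte buffer standing in for a POS process’s memory, and adds the Luhn check-digit test that a detection or DLP tool would use to separate real card numbers from look-alike digit strings. The two valid PANs are the well-known Visa and Mastercard test numbers; the third is constructed to fail Luhn.

```python
"""Scan a buffer of process memory for magnetic-stripe track data.

Added example, not BlackPOS code and not from the book.  It shows the core
technique a memory scraper relies on (pattern-match Track 1/Track 2 in RAM)
and the check a detection tool adds to cut false positives (Luhn validation
of the PAN).  The memory buffer below is constructed, with test PANs only.
"""
import re

# ISO/IEC 7813 track layouts as they sit in a POS process after a swipe.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([A-Z /.]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_memory(buf: bytes) -> list[dict]:
    """Return one record per track candidate found in buf, in buffer order.

    Candidates whose PAN fails Luhn are reported with valid=False so a
    detection rule can count near-misses without alerting on them.
    """
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 1, "pan": pan, "exp": m.group(3).decode(),
                     "name": m.group(2).decode().strip(), "valid": luhn_valid(pan)})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 2, "pan": pan, "exp": m.group(2).decode(),
                     "name": None, "valid": luhn_valid(pan)})
    return hits


def mask(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample "memory": test PANs (4111... and 5555...4444 are the
# public Visa/Mastercard test numbers) surrounded by junk bytes.
SAMPLE_MEMORY = (
    b"\x00\x00POS v4.2 txn=0001\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000?"
    b"\x00\xffheap\x00"
    b";5555555555554444=2512101000000000?"
    b"\x00;4111111111111112=2512101000000000?"   # fails Luhn: not a real PAN
    b"\x00\x00"
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(f"track{hit['track']} {mask(hit['pan'])} exp={hit['exp']} luhn_ok={hit['valid']}")
```

Run against a real process dump the same function would work unchanged; the practical difference between the malware and a defensive scanner is only what is done with the hits, which is why the Visa alert quoted later in this section focuses on keeping attackers off the cash register hosts rather than on detecting the scrape itself.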

Researchers at IntelCrawler, a cybersecurity intelligence company, identified a 17-year-old Russian using the nickname “ree[4]” as the author of the BlackPOS malware. The researchers were quick to point out that ree[4] did not himself hack Target. Instead, he sold “more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit cards shops such as ‘.rescator’, ‘Track2.name’, ‘Privateservices.biz’ and many others.”72 The going price for the malware was $2,000 or 50% of any sales from captured payment card data.

72. IntelCrawler, “Teenager.”

For criminals, memory-scraping POS malware was a smashing success. Many variants emerged and were peddled on the dark web. The Backoff malware, which the U.S. Computer Emergency Readiness Team (US-CERT) reported in a July 2014 alert had been seen in multiple forensic investigations, was capable of scraping memory for card data and logging keystrokes. It had persistence mechanisms and a built-in command-and-control channel used for issuing commands, pushing updates, and exfiltrating data. According to the same alert, Backoff variants had “low to zero percent anti-virus detection rates” when discovered, meaning that even organizations with mature, updated antivirus and patch management processes could unwittingly fall victim.

Essentially, malware authors had picked up where Albert Gonzalez left off (see Chapter 6). Toward the end of his cybercriminal career, Gonzalez had pushed to find new and better ways to tap into sources of “fresh” cardholder data, ultimately leading his team to steal and analyze POS systems. From there, Gonzalez and his cohorts hacked into POS servers and scraped card data from network traffic as it was sent in real time. In the years since the TJX breach, retailers had increased their use of network encryption, and so sniffing cardholder data from network traffic was clearly a losing battle. Better to capture cardholder data from the source: the POS devices themselves.

Throughout 2013, retailers quietly uncovered data breaches, typically after being alerted by law enforcement and banks that had identified them as the common points of purchase. These were rarely reported in the media, but the problem became a major priority for card brands, retail security professionals, and investigators. Memory-scraping POS malware became so pervasive that in the spring of 2013, Visa released a “data security alert,” as follows:73

73. Visa Data Security Alert, “Preventing Memory-Parsing Malware Attacks on Grocery Merchants,” Visa, April 11, 2013, https://web.archive.org/web/20130512105230/https://usa.visa.com/download/merchants/alert-prevent-grocer-malware-attacks-04112013.pdf.

Visa has seen an increase in network intrusions involving grocery merchants. Once inside a merchant’s network, hackers install memory-parsing malware on Windows-based cash register systems or back-of-house (BOH) servers to extract full magnetic-stripe data.

The Visa alert came shortly after Schnuck Markets announced a breach of 2.4 million card numbers.74 Visa included “recommended mitigation strategies,” which included network security measures, cash register/POS security, administrative access controls (including a reminder to “[u]se two-factor authentication when accessing payment processing networks”), and incident response tips.

74. Judy Greenwald, “Data Breach Case against Schnuck Markets Dismissed,” Business Insurance, May 3, 2017, http://www.businessinsurance.com/article/20170503/NEWS06/912313250/Schnuck-Markets-data-breach-lawsuit.

Over the next year, it became painfully clear that retailers had not heeded Visa’s advice.

7.2 An Ounce of Prevention

There were many ways that Target could have prevented its data breach from occurring. Afterwards, U.S. Senator John Rockefeller, chair of the Senate Committee on Commerce, Science, and Transportation, commissioned a report entitled A “Kill Chain” Analysis of the 2013 Target Data Breach. The authors of the report used a “kill chain framework” (first developed at Lockheed Martin) to analyze the Target breach and determine how the disaster could have been prevented. Lockheed’s cyber “kill chain” describes the different phases of an attack:

  • Reconnaissance - Gather information about the target, such as IP addresses, email addresses, etc.

  • Weaponization - Prepare for exploitation, for example, by crafting a phishing email payload or malware-laden USB drive.

  • Delivery - Deliver the “weaponized” content to the target (i.e., send the email, drop the USB drive nearby, etc.).

  • Exploitation - Take advantage of a vulnerability, enabling malicious code to run on the target’s system.

  • Installation - Load malicious software onto the target system.

  • Command and Control - Remotely control the target system through a channel that facilitates software updates, data exfiltration, and attacker commands.

  • Actions on Objectives - Accomplish ultimate goals.

The Senate concluded that “Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach.”75

75. S. Comm. on Commerce, Science, and Transportation, A “Kill Chain” Analysis of the 2013 Target Data Breach (Washington DC: U.S. Senate, March 26, 2014), https://www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf.

7.2.1 Two-Factor Authentication

If, as the evidence suggests, criminals stole a vendor password and used it to log in to a Target application, then in theory the attack could have been nipped in the bud through the use of strong two-factor authentication.76 For example, had Target distributed a hardware token that generates one-time PINs for vendors to use when logging in, then the attackers would have been unable to log in remotely at their leisure.

76. S. Comm. on Commerce, Science, and Transportation, “Kill Chain” Analysis.

According to a “source who managed Target vendors,” Target rarely required vendors to use two-factor authentication. It was reserved for vendors in “the highest security group—those required to directly access confidential information.”77 Fazio Mechanical’s access was intended to be very, very limited.

77. Krebs, “Email Attack on Vendor.”

Two-factor authentication was required by the Payment Card Industry Data Security Standard (PCI DSS) for remote network access originating from outside the network by employees, administrators, and third parties to systems within the scope of the PCI DSS requirements, and a vendor logging in to a portal over the Internet is exactly that. However, Target evidently did not consider its vendor-facing application to be within PCI DSS scope (see §7.2.3 on segmentation). “In fairness to Target, if they thought their network was properly segmented, they wouldn’t have needed to have two-factor access for everyone,” commented Gartner analyst Avivah Litan.78

78. Krebs, “Email Attack on Vendor.”

7.2.2 Vulnerability Management

According to former employees, Target’s security team expressed concerns about vulnerabilities in the retailer’s POS infrastructure months before the massive breach began. “At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system, a request that at least initially was brushed off,” reported the Wall Street Journal.79

79. D. Yadron, P. Ziobro, and D. Barrett, “Target Warned of Vulnerabilities Before Data Breach,” Wall Street Journal, February 14, 2014, https://www.wsj.com/articles/target-warned-of-vulnerabilities-before-data-breach-1392402039.

Law enforcement, the federal government, and card brands such as Visa had issued several memos during the spring and summer of 2013, warning retailers about new attacks on POS systems. However, Target’s security team apparently did not have enough staff to handle the number of issues reported. According to the Wall Street Journal, which interviewed a former employee, Target’s security team received “numerous threats each week and could prioritize only so many issues at its monthly steering committee meetings.”80

80. Yadron, Ziobro, and Barrett, “Target Warned of Vulnerabilities.”

Shortly after the breach, Target hired Verizon to conduct an internal penetration test. According to the report, which was later leaked and published by Brian Krebs, “the Verizon consultants found systems missing critical Microsoft patches, or running outdated [web server] software such as Apache, IBM WebSphere, and PHP. These services were hosted on web servers, databases, and other critical infrastructure. . . . In several of these instances where Verizon discovered these outdated services or unpatched systems, they were able to gain access to the affected systems without needing to know any authentication credentials.”81

81. Krebs, “Inside Target Corp.”

Importantly, the issue wasn’t that Target security staff didn’t know about the vulnerabilities. The Verizon consultants actually found that Target had a “comprehensive” vulnerability scanning program—they simply weren’t remediating the vulnerabilities that were reported.

This common problem typically results from issues with staffing, internal audit, and security management functions. Lack of human resources is perhaps the most common challenge underlying security problems. Like many institutions, Target had clearly invested in expensive, enterprise-quality security tools, but (based on public reports) probably did not have enough staff to monitor the output of those tools or resolve the issues that were reported. This imbalance is all too common.

Ideally, Target would have had enough staff and resources to fix all of the vulnerabilities that were reported on their scans in a timely manner. A healthy audit program should ensure that chronic vulnerability remediation issues are detected and escalated. For example, many organizations hire third-party auditors to conduct an annual vulnerability scan and report to upper management or have an internal audit function that periodically reviews scan output and escalates systemic concerns. Cybersecurity teams can also provide regular monthly or quarterly summary reports to management for review. If vulnerabilities are not quickly remediated, this should trigger the organization’s leadership to review the team’s processes and evaluate whether additional resources should be allocated.

Unfortunately, many organizations do not devote sufficient resources to properly manage their cybersecurity programs, or they make the mistake of spending money on tools rather than people. This can happen for many reasons. Quite often, executive management teams or financial officers do not understand the importance of cybersecurity and choose not to invest in it. In some cases, there is budget for tools but not labor to support them because executive teams are more comfortable making a one-time software purchase than creating a position. Other times, the organization as a whole may be budget-constrained, and as a cost center, cybersecurity is among the first programs to be cut.

For most retailers in 2013, cybersecurity was not a priority, and security budgets were tight throughout the industry. This led to systemic issues such as lack of timely vulnerability remediation.

7.2.3 Segmentation

Network segmentation refers to the process of dividing a network into separate sections, typically based on risk or function. Effective network segmentation blocks the flow of traffic between segments, thereby reducing the risk of data breaches and containing incidents to specific segments. In 2013, network segmentation was not required by PCI DSS, but it was explicitly recommended as a way of reducing risk. “[A]dequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not.”82

82. Payment Card Industry Data Security Standard, v.3.0, November 2013, p. 11, https://www.pcisecuritystandards.org/minisite/en/docs/PA-DSS_v3.pdf.

In the Target breach, attackers were able to leap from a vendor-accessible server all the way into the bowels of Target’s cardholder data environment. Evidence suggests that Target attempted to segment the network, but the attackers may have leveraged server management accounts and interfaces to hop from one segment to another.

7.2.4 Account and Password Management

Target’s network was riddled with weak, default, and improperly stored passwords, according to the Verizon penetration testers that examined it shortly after the breach. “[W]hile Target has a password policy, the Verizon security consultants discovered that it was not being followed,” stated the report. “The Verizon consultants discovered a file containing valid network credentials being stored on several servers. The Verizon consultants also discovered systems and services utilizing either weak or default passwords. Utilizing these weak passwords the consultants were able to instantly gain access to the affected systems.”84

84. Krebs, “Inside Target Corp.”

An attacker could certainly have leveraged default or weak credentials to move laterally throughout Target’s network or to gain access to servers and POS systems. In February 2014, with Retailgeddon in full swing, the FBI issued a memo to retailers, warning that “it may be a ‘vulnerability’ to connect credit and debit card readers to remote management software, which makes it easier to manage and monitor internal networks from afar, when combined with weak password selection.”85 The FBI’s warning implies that weak passwords may have been a factor in one or all of the retail breaches that occurred in that time frame.

85. Yadron, Ziobro, and Barrett, “Target Warned of Vulnerabilities.”

All told, the Verizon penetration testers reportedly cracked 86% of Target’s passwords. Their report indicated that 17.3% of the passwords were only 7 characters. The top 10 passwords included “t@rget7,” “summer#1” and “sto$res1”—passwords that superficially might seem complex, but in reality are easy to crack for an attacker using automated tools. Moreover, the presence of files containing stored passwords would have been very helpful for criminals seeking to expand their access to Target’s most sensitive resources.
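Why “t@rget7” and “sto$res1” fall so quickly is easier to see with the mangling rules a cracker applies than with entropy arithmetic. The block below is an added example, not the Verizon tooling or any of Target’s data: it generates guesses from a short list of base words using three rules (one leet substitution, one inserted symbol, one appended suffix) and matches them against hashes of the three quoted passwords plus one constructed password the rules cannot reach. Unsalted SHA-256 is used purely for illustration and is an assumption, not Target’s hashing scheme.

```python
"""Rule-based password guessing, the way cracking tools treat "complex" passwords.

Added example, not the Verizon tooling or Target's password data.  The three
passwords the report quoted, "t@rget7", "summer#1" and "sto$res1", are each a
base word plus one substitution, one inserted symbol, or one suffix, so a
cracker applying those rules reaches them in a few hundred guesses per base
word.  Hashes are unsalted SHA-256 for illustration only; that is an
assumption, not Target's credential store.
"""
import hashlib

LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}
SYMBOLS = "$@#!"
SUFFIXES = [""] + [str(d) for d in range(10)] + ["#1", "!1", "!", "#", "123"]


def variants(word: str):
    """Yield word, each single leet substitution, and each single symbol insertion."""
    yield word
    for i, ch in enumerate(word):
        if ch in LEET:
            yield word[:i] + LEET[ch] + word[i + 1:]
    for i in range(1, len(word)):
        for sym in SYMBOLS:
            yield word[:i] + sym + word[i:]


def candidates(base: str):
    """Yield every guess the rules produce for one base word, without repeats."""
    seen = set()
    for cased in (base.lower(), base.capitalize()):
        for variant in variants(cased):
            for suffix in SUFFIXES:
                guess = variant + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def sha256_hex(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def crack(hashes: set, bases: list[str]) -> tuple[dict, int]:
    """Hash every candidate and match against the set; return {hash: plaintext}, guesses."""
    found, guesses = {}, 0
    for base in bases:
        for guess in candidates(base):
            guesses += 1
            h = sha256_hex(guess)
            if h in hashes and h not in found:
                found[h] = guess
    return found, guesses


# Constructed target set: the three quoted passwords plus one the rules do not
# reach (two substitutions and an unlisted suffix), to show the limit of the rules.
TARGET_HASHES = {sha256_hex(p) for p in ["t@rget7", "summer#1", "sto$res1", "t@rg3t_99"]}
BASE_WORDS = ["target", "summer", "stores", "winter", "password"]

if __name__ == "__main__":
    found, guesses = crack(TARGET_HASHES, BASE_WORDS)
    print(f"cracked {len(found)} of {len(TARGET_HASHES)} in {guesses} guesses")
    for pw in found.values():
        print(pw)
```

Three of the four fall in a few thousand guesses; a real cracking run uses wordlists of millions of base words and hundreds of rules, so the company name, the season, and “stores” are among the very first candidates tried against a retailer’s hashes.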

Researchers from Dell Secureworks who analyzed reports of the malware used in the Target attacks determined that the hackers used “an improperly secured service account” to exfiltrate the data. “Organizations should ensure that service accounts, including default credentials provided with third-party software, are properly secured and provided only to those who need them to perform their job function,” they advised.86

86. Keith Jarvis and Jason Milletary, “Inside a Targeted Point-of-Sale Data Breach,” Dell Secureworks, January 24, 2014, https://krebsonsecurity.com/wp-content/uploads/2014/01/Inside-a-Targeted-Point-of-Sale-Data-Breach.pdf.

7.2.5 Encryption/Tokenization

In the Target breach, criminals stole credit card numbers from the memory of POS systems that they had hacked. As we learned in Chapter 2, “Hazardous Material,” data is akin to hazardous material. An effective way to reduce risk would have been to prevent Target’s POS systems from ever processing cleartext payment card numbers in the first place. Far from being a pipe dream, the technology to support this was readily available.

After the 2009 Heartland breach (see § 6.6), CEO Robert Carr set out to build a secure payment processing system. Heartland announced the launch of its E3 terminals in 2010. The E3 terminals use hardware in the card reader to encrypt the card data at the moment it is swiped or entered, so the cleartext card number never reaches the POS application or its memory. “If the bad guys are intercepting transactions on the way to CPU, if you don’t encrypt those and get that data out of the clear, you don’t have a solution,” said Carr. Heartland also supports tokenization (the replacement of card numbers with nonsensitive data) for card-on-file and other purposes.87,88

87. “Tokenization,” Heartland, accessed January 14, 2018, https://developer.heartlandpaymentsystems.com/DataSecurity/Tokenization.

88. “Heartland Payment Systems® Installs E3™ Terminals at 1,020 Merchants since May 24 Launch of Its End-to-End Encryption Solution,” Business Wire, June 24, 2010, http://www.businesswire.com/news/home/20100624005625/en/Heartland-Payment-Systems-Installs-E3-Terminals-1020.
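Tokenization, the second technique named above, is worth seeing concretely because its security property is structural rather than cryptographic: only the vault ever holds a card number, and everything downstream stores a surrogate. The block below is an added example, not Heartland’s E3 or its tokenization service. Its design assumptions are stated in the code: tokens keep the PAN’s length and last four digits for receipts and matching, are random rather than derived from the PAN, and are forced to fail the Luhn check so a token can never be mistaken for, or accidentally charged as, a real card number.

```python
"""Vault tokenization: replace a PAN with a surrogate that downstream systems can store.

Added example, not Heartland's E3 or tokenization service.  Assumptions:
tokens are format-preserving (same length, same last four digits), random
(not derived from the PAN), and deliberately Luhn-invalid so they cannot be
confused with real card numbers.  Only the vault maps tokens back to PANs.
"""
import secrets


def luhn_valid(digits: str) -> bool:
    """Mod-10 check-digit test that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds PAN<->token mappings; the only component allowed to see PANs."""

    def __init__(self):
        self._by_pan: dict[str, str] = {}
        self._by_token: dict[str, str] = {}

    def _new_token(self, pan: str) -> str:
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._by_token:
                return token

    def tokenize(self, pan: str) -> str:
        """Same PAN -> same token, so card-on-file lookups work without the PAN."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan not in self._by_pan:
            token = self._new_token(pan)
            self._by_pan[pan] = token
            self._by_token[token] = pan
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. at settlement) ever reverses a token."""
        return self._by_token[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What a POS or order system stores: a token and last four, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    print(record_sale(vault, "4111111111111111", 1999))   # Visa test PAN
```

In a real deployment the vault sits with the processor or in a hardened, separately segmented environment, and the POS never calls `tokenize` on a cleartext PAN at all; the reader encrypts the swipe and the processor returns the token. The point the example makes is that a memory scraper on a host that stores only the output of `record_sale` has nothing to steal.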

When asked why retailers continued to suffer from data breaches, Carr said that companies simply weren’t investing in effective solutions such as end-to-end encryption and tokenization. “[E]ven though solutions are being introduced, encryption being one we [adopted] . . . a lot of companies haven’t implemented the basics, and they are paying the price for it.”89

89. Kelly Jackson Higgins, “Heartland CEO On Why Retailers Keep Getting Breached,” Dark Reading, October 6, 2014, https://www.darkreading.com/attacks-breaches/heartland-ceo-on-why-retailers-keep-getting-breached/d/did/1316388.

It didn’t help that the most effective solutions, end-to-end encryption and tokenization, were not advertised or required by the card brands. It was up to individual retailers to go “above and beyond” and purchase POS systems that included these effective technologies.

7.3 Target’s Response

“I am convinced that life is 10% what happens to me and 90% how I react to it,” said radio pastor Charles Swindoll. In the same vein, data breach crises are typically only 10% about what happens and 90% how the organization reacts. This was very clear in the case of Target.

The Target breach marked a paradigm shift in breach response best practices. This was largely due to the rise of investigative journalist Brian Krebs, as we will see. Before the Target breach, retailers worked quietly with law enforcement for weeks or months until they were ready to disclose. TJX, Heartland, and similar companies responded to their breaches in this manner. This is not to say that breached retailers could take all the time in the world, but typically they had time to prepare their response, arrange for public notification, craft public statements, and so on. Quite often, the breached retailer was never publicly named, and consumers simply received a generic letter notifying them that their debit card numbers would be replaced.

The Target breach didn’t happen that way. Target was outed—suddenly and deliberately—by Krebs.

Krebs, himself, represented a new development in high-tech investigative journalism. He knew how to access the dark web and could see when payment card numbers suddenly flooded the market, indicating a large breach. He also had strong ties in the banking industry and happily traded information with bankers, who were desperate to find ways to cut their losses due to fraud. As a result, Krebs had the ability to detect payment card breaches and find out the source—and his goal was to publish this information.

Not only did Krebs unexpectedly break the story of the Target breach, he kept digging. He found out what happened in the early days of the breach and revealed that Target hadn’t detected it. He inspired others to dig for details, too, from researchers at Dell Secureworks to colleagues at Bloomberg News.

Taken by surprise, Target spun its wheels. The company failed to react effectively to the ensuing media uproar. Even worse, the onslaught of investigative news reports exposed all the mistakes they had made earlier in their breach response. Target’s crisis communications (or lack thereof) only served to inflame the situation. While the loss of 40 million card numbers was undoubtedly huge, it was the company’s response that turned its breach into a full-scale corporate disaster.

In this section, we’ll dissect Target’s initial response to the breach and then step through its crisis communications tactics, identifying lessons that other organizations can employ to minimize the negative impacts of a breach. We will analyze the impacts of the Target breach on the wider community, including banks, credit unions, and consumers. Finally, we will show how the Target breach, and others like it, spurred the rollout of “chip” cards—a development that did not actually reduce the risk of large-scale cardholder data breaches.

7.3.1 Realize

By all accounts, Target had invested significant funds into its security infrastructure—more than most retailers. A Bloomberg Businessweek investigative report revealed that “[s]ix months earlier the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye. . . . Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.”90

90. Riley, Elgin, Lawrence, and Matlock, “Missed Alarms.”

Yes, despite its fancy equipment and army of analysts, Target didn’t notice when hackers broke into its network. Target didn’t notice when the criminals hunted through its systems and ultimately gained access to the POS devices and customer databases. Target didn’t notice when the criminals installed malware on its POS systems or when they returned again and again to install updates and hack into other servers. Target didn’t notice when the criminals exported the card numbers to servers outside the network, where they were eventually sold on the black market.

Recall the DRAMA model of data breach response (Develop, Realize, Act, Maintain, Adapt) from Chapter 4. As discussed in § 4.3, during the prodromal phase of a breach, organizations must “realize” that a potential breach has occurred. This typically includes the following actions:

  • Recognize the prodromes of a data breach.

  • Escalate to the data breach response team.

  • Investigate by preserving and analyzing available evidence.

  • Scope the breach.

It wasn’t that Target’s staff didn’t care that criminals were siphoning off millions of card numbers. It was that the organization didn’t realize that this was happening. As reporters later discovered, there were plenty of signs—such as repeated IDS alerts—which were never escalated to appropriate staff members and therefore not properly investigated in a timely manner.

How could Target have missed such seemingly obvious signals? In this section, we will dive into the issues that occurred during Target’s “realize” phase and provide cost-effective tips for better protecting your organization.

7.3.1.1 Missed Alerts

One of the most damning revelations about the Target breach was that staff had received alerts—many alerts—about the criminals’ activities as they installed and fine-tuned their malware. The FireEye system alerted Target’s Bangalore team to suspicious activity on November 30, as the attackers installed exfiltration malware designed to export the stolen credit card numbers. Target’s antivirus software, Symantec Endpoint Protection, had also alerted days earlier when suspicious activity was detected on the same server. “Bangalore got an alert and flagged the security team in Minneapolis,” Bloomberg revealed. “And then . . . Nothing happened. For some reason, Minneapolis didn’t react to the sirens.”91

91. Riley, Elgin, Lawrence, and Matlock, “Missed Alarms.”

Target’s FireEye system was capable of automatically blocking malware, reducing the load on human staff, but according to people who reviewed FireEye’s configuration after the breach, Target had disabled that functionality.

In the days that followed, the criminals continued to collect the credit card numbers and stage them on an internal system. On December 2, the criminals began exporting the card numbers. The criminals continued to siphon off payment card data until December 18—nearly a week after Target was first notified by law enforcement.92

92. Hearing on “Protecting Personal Consumer Information” (written testimony of John Mulligan).

In the meantime, the FireEye system continued to send alerts. Had Target’s team reacted to the alerts between November 30 and December 2, it could have stopped the card numbers from ever leaving Target’s network, thereby preventing one of the world’s biggest data breaches.

Target reportedly did not learn of the breach until the company was informed by the U.S. Department of Justice and the Secret Service on December 12. However, there is evidence that someone within Target had stumbled across the malware earlier. On December 11, a malware sample was uploaded to the public service VirusTotal, where it was scanned for traces of malware. According to researchers from Dell Secureworks, “The submission was attributable to someone within Target because the malware was widely thought to be custom-made specifically for the Target intrusion.”93

93. Jarvis and Milletary, “Inside a Targeted.”

There is no indication that anyone within Target understood the significance of the malware until long afterwards—or if they did, they didn’t sound the alarm.

7.3.1.2 Reasons for Inaction

Why was Target “asleep at the wheel” (as one newscaster put it)?94 No one knows for sure. There are many reasons that security teams don’t respond to alerts. All too often, security teams are bombarded with far more IDS alerts than they can possibly handle. This frequently happens when new intrusion detection equipment is installed but not carefully “tuned.” A poorly tuned IDS can result in a flood of meaningless alerts that are triggered by perfectly normal activity—overwhelming analysts, who learn to ignore them.

94. Bloomberg, “How Target Could Have Prevented Customer Data Hack,” YouTube, 6:19 min, posted March 13, 2014, https://www.youtube.com/watch?v=G68hY3TsGYk.

Security tools such as FireEye are often configured with prevention capabilities disabled, at least at first. IT teams are concerned about false positives—legitimate traffic that should be allowed, but gets flagged as suspicious. This risk is especially high when human resources have not been allocated to carefully tune the system and minimize false positives.

Target may also have simply not had sufficient staff to handle its case load or perhaps been understaffed due to the Thanksgiving holiday. Many security teams respond quickly during normal business hours, but don’t have an effective monitoring or response process after normal business hours or on the weekends.

All of these issues stem from lack of effective management, training, and budgeting—not surprising, given that Target did not have a chief information security officer (CISO) prior to the breach, and therefore there was no executive whose primary responsibility was overseeing information security.95

95. Kristin Burnham, “Target Hires GM Exec As First CISO,” InformationWeek, June 11, 2014, https://www.informationweek.com/strategic-cio/team-building-and-stafing/target-hires-gm-exec-as-first-ciso/d/d-id/1269600.

The Target case perfectly illustrates why “detect” and “realize” are not the same thing. It is not enough for an automated tool to “detect” malware and generate an alert, or even for a security staff member to notice it. The organization must become aware of the incident and understand its scope. In the case of Target, individual staff members saw the alerts, but the response was stillborn: The team failed to escalate, investigate, and scope the breach.
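The gap between “detect” and “realize” described in the last two subsections can be made concrete in code. What follows is an added example written for this chapter (not from the book, and not any vendor’s product logic): it correlates alerts from different tools on the same host, routes off-hours alerts to an on-call queue instead of a day-shift queue, and flags alerts that were raised, or even acknowledged, but never escalated within an SLA. Hostnames, signatures, severities, SLA values and the business-hours window are constructed assumptions; only the dates loosely follow the timeline in the text.

```python
"""Alert correlation and escalation tracker for the "detect vs. realize" gap.

Added example, not from the book or from any detection product. It models
the failure mode described in the text: alerts are generated, perhaps even
flagged to a team, but never acknowledged or escalated. Hostnames, severities,
SLA values and the business-hours window are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Alert:
    ts: datetime                                  # when the tool raised the alert
    source: str                                   # detection tool, e.g. "fireeye" or "symantec"
    host: str                                     # affected system (constructed name)
    signature: str                                # what the tool said it saw
    severity: int                                 # 1 (low) .. 5 (critical)
    acknowledged_at: Optional[datetime] = None    # an analyst looked at it
    escalated_at: Optional[datetime] = None       # handed to the breach response team


def correlate_by_host(alerts: list[Alert], window: timedelta = timedelta(days=7)) -> dict[str, set[str]]:
    """Return {host: sources} for hosts where two or more different tools
    alerted within `window`. Independent tools agreeing on one host is a
    strong prodrome and should raise the priority of every alert involved."""
    by_host: dict[str, list[Alert]] = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    hits: dict[str, set[str]] = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a.ts)
        # Sliding window: for each alert, collect the sources of the alerts
        # that follow it on the same host within the window.
        for i, first in enumerate(items):
            sources = {first.source}
            for later in items[i + 1:]:
                if later.ts - first.ts > window:
                    break
                sources.add(later.source)
            if len(sources) > 1:
                hits[host] = hits.get(host, set()) | sources
    return hits


def route(alert: Alert, business_hours: tuple[int, int] = (8, 18)) -> str:
    """Pick a queue: weekends and off-hours go to an on-call rota rather
    than a day-shift queue that nobody reads until the next business day."""
    start, end = business_hours
    if alert.ts.weekday() >= 5 or not (start <= alert.ts.hour < end):
        return "oncall"
    return "soc"


def overdue(alerts, now, ack_sla=timedelta(hours=4), escalate_sla=timedelta(hours=24)):
    """Alerts that were detected but not realized: nobody acknowledged them
    within ack_sla, or they were acknowledged but not escalated within
    escalate_sla. Returns (alert, reason) pairs in input order."""
    late = []
    for a in alerts:
        if a.acknowledged_at is None:
            if now - a.ts > ack_sla:
                late.append((a, "unacknowledged"))
        elif a.escalated_at is None and now - a.acknowledged_at > escalate_sla:
            late.append((a, "acknowledged but not escalated"))
    return late


# Constructed sample alerts, loosely following the timeline in the text:
# AV fires first on a staging server; the network tool fires on the same
# host on a Saturday, is acknowledged, and then nothing happens; a third
# alert on the same host is never even looked at. A routine alert on another
# host is handled correctly, for contrast.
SAMPLE_ALERTS = [
    Alert(datetime(2013, 11, 28, 3, 15), "symantec", "pos-staging-01", "suspicious process", 3),
    Alert(datetime(2013, 11, 30, 2, 40), "fireeye", "pos-staging-01", "malware.binary", 4,
          acknowledged_at=datetime(2013, 11, 30, 6, 0)),
    Alert(datetime(2013, 12, 2, 1, 10), "fireeye", "pos-staging-01", "malware.binary", 4),
    Alert(datetime(2013, 12, 2, 10, 0), "fireeye", "web-proxy-03", "callback.dns", 2,
          acknowledged_at=datetime(2013, 12, 2, 10, 30),
          escalated_at=datetime(2013, 12, 2, 11, 0)),
]


def triage_report(alerts=SAMPLE_ALERTS, now=datetime(2013, 12, 2, 12, 0)):
    """What a shift lead should see: correlated hosts, queue per alert, overdue items."""
    return {
        "correlated_hosts": correlate_by_host(alerts),
        "queues": [route(a) for a in alerts],
        "overdue": [(a.host, a.source, reason) for a, reason in overdue(alerts, now)],
    }


if __name__ == "__main__":
    for key, value in triage_report().items():
        print(key, value)
```

Run on the constructed sample, the report shows one host with two independent tools alerting inside a week, three of four alerts landing in the on-call queue, and three alerts overdue, including one that was acknowledged but went no further.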

7.3.1.3 Industry Standard

Target’s missed breach detection was in no way unusual. According to Verizon, 99% of payment card breaches in 2013 were detected by someone other than the victim. “[W]e continue to see notification by law enforcement and fraud detection as the most common discovery methods,” reported Verizon researchers in their 2014 Verizon Data Breach Investigations Report. “In many cases, investigations into breaches will uncover other victims, which explains why law enforcement is the top method of discovery and the top contributor of POS intrusions in our dataset.” Only 1% of POS intrusions were discovered within days; 85% took weeks (as in the case of Target), and the remainder took months or years. In short, Target’s detection and reaction times were utterly normal.103

103. 2014 Data Breach Investigations Report, Verizon Enterprise, 2014, 18, http://www.verizonenterprise.com/resources/reports/rp_Verizon-DBIR-2014_en_xg.pdf.

The early stages of a POS data breach response can last for weeks or even months, as the merchant conducts an internal review and decides whether to notify the public at all. Law enforcement is rarely interested in “outing” the merchant or forcing the merchant to disclose. They want merchants to feel comfortable notifying them and sharing evidence. Normally, in large breaches, law enforcement works quietly with the merchant and/or card brands to gather evidence and provide assistance when possible. Law enforcement tends to focus on tracking down the culprits responsible and ultimately bringing them to justice. Their investigation may involve piecing together information from many different breaches in order to take down a crime ring.

Alternatively, card brands or banks may discover the breach, by identifying that a merchant is a common point of purchase. Card brands are under no obligation to disclose which merchant was responsible, and they typically don’t. Instead, when fraud is detected, the card brands send banks a list of impacted cards, which the banks may choose to reissue. Banks can sometimes also identify common points of purchase, although their data set is typically much smaller, and so they often do not have enough information to identify the source of the compromise. Even in cases where it appears that a merchant is the source, banks have to be very careful because it is possible that the breach actually occurred further up in the chain (such as with the merchant’s payment processor).

Often, the public never learns that a particular merchant was breached. Affected consumers frequently receive generic letters from the card brands informing them that their card numbers were stolen. By state law, merchants may be required to report a breach—but many simply don’t.

In the case of Target, U.S. federal agents investigated and notified the company on December 12, 2013. According to Bloomberg, “[T]he authorities had more than just reports of fraudulent charges to go on, however: They had obtained the actual stolen data, which the hackers had carelessly left on their dump servers.”104

104. Riley, Elgin, Lawrence, and Matlock, “Missed Alarms.”

Based on past retail payment card breaches, it was reasonable for Target to expect that it could conduct an investigation spanning weeks or even months, with input and guidance from law enforcement. Once it understood the scope and had evaluated its options, it could determine next steps, prepare notifications if appropriate, and so on.

But the Target data breach was unprecedented. It wasn’t the way it was breached, or the missed alerts, or the vulnerable POS systems (although none of that helped). Contrary to popular opinion, Target’s detection capabilities and reaction times were completely normal (by many accounts, better than average) for its industry at that time.

Target’s data breach was different because its time was unexpectedly cut short—by reporter Brian Krebs.

7.3.2 The Krebs Factor

Krebs, by himself, represented a significant development in data breach response. A former Washington Post reporter, Krebs had left the newspaper in 2009 to strike out on his own. He had been obsessed with computer crime since 2001, when a computer worm infected his computer. “It felt like someone had broken into my home,” Krebs told the New York Times years later.105 In 2009, Krebs started his own blog, Krebs on Security. In 2010, he received the “Best Non-Technical Security Blog” award from the Security Blogger Meeting, and he was named one of the top 10 cybersecurity journalists by the SANS Institute.

105. Nicole Perlroth, “Reporting from the Web’s Underbelly,” New York Times, February 16, 2014, https://www.nytimes.com/2014/02/17/technology/reporting-from-the-webs-underbelly.html.

Krebs broke stories—and hearts. Executive hearts, that is. He broke the Target story on December 18, 2013. “Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity,” he wrote. “The sources said the breach appears to have begun on or around Black Friday 2013—by far the busiest shopping day of the year.”106

106. Krebs, “Sources: Target Investigating.”

How did Krebs find out about the Target breach? According to the New York Times, in December 2013, Krebs had already been “poking around private, underground forums where criminals were bragging about a fresh haul of credit and debit cards.” Soon afterwards, a “source” in the banking industry called him to report that the bank was seeing high levels of payment card fraud. The bank had visited a carder shop, bought back a batch of its own cards, and found what appeared to be a common point of purchase: Target.107 Krebs confirmed with other sources and quickly published his scoop.

107. Perlroth, “Reporting from the Web’s Underbelly.”

The following day, after Target confirmed the theft, Krebs reached out to a colleague at a small New England bank to see whether the bank had received any notification from Visa or Mastercard. His contact there said that the bank hadn’t officially been told anything but was “anxious to determine how many of the bank’s cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers.” Krebs struck a deal: He would show the bank’s staff how to purchase a batch of its own cards from a carder shop, in exchange for permission to write about the bank’s story. The bank agreed.108

108. Brian Krebs, “Cards Stolen in Target Breach Flood Underground Markets,” Krebs on Security (blog), December 20, 2013, https://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets.

Krebs was successful for two reasons: First, he had infiltrated the dark web and gained a reputation for knowing his way around carder shops and darknet markets. “Over the past year, I’ve spent a great deal of time trolling a variety of underground stores that sell ‘dumps’—street slang for stolen credit card data that buyers can use to counterfeit new cards and go shopping in big-box stores for high-dollar merchandise that can be resold quickly for cash,” Krebs wrote in the summer of 2014.109 This familiarity meant that he knew when a major breach had taken place because cards would start to flood the markets.

109. Brian Krebs, “Peek Inside a Professional Carding Shop,” Krebs on Security (blog), June 4, 2014, https://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop.

“When you see a single [black market] carding store start selling millions of cards out onto the market, something big just happened and so it’s time to get to work,” he explained.110

110. Jay MacDonald, “‘Spam Nation’ Author Brian Krebs Sheds Light on Card Data Black Market,” Credit-Cards.com, November 18, 2014, https://www.creditcards.com/credit-card-news/spam-nation-brian-krebs-data-black-market-1278.php.

Second, Krebs had built a relationship with bankers over the years and had become a one-man information clearinghouse. He had been reporting on developments in the darknet markets, fraudulent wire transfers, and payment card breaches for years, gaining contacts within the financial industry along the way. By 2013, smaller banks in particular were desperate for information that would help them respond quickly to suspected payment card breaches. Larger banks had teams of fraud analysts and, by virtue of their size, could identify breaches and common points of purchase relatively quickly.

“The smaller banks usually need to compare notes with other banks, and that’s sort of where I come in,” said Krebs. “I reach out to banks that I have a relationship with and say, ‘Hey, it looks like a whole bunch of your cards are for sale in this huge batch that just went online. Here’s how you can go get them. Just FYI, I’ve been really interested in whether you see any patterns.’”111

111. MacDonald, “‘Spam Nation’ Author.”

After breaking the Target story and publishing his follow-up piece on the smaller bank, Krebs found himself awash in requests from bankers. “Over the last year in particular since the Target breach, I’ve just become sort of the ISAC [information sharing and analysis center] of the small banking industry,” Krebs said—clearly filling a much-needed gap. “I just say I’m happy to share information with you about what I’m seeing as long as you’re able to do the same.”112

112. MacDonald, “‘Spam Nation’ Author.”

Armed with access to the darknet markets and a loyal following of small banks that were happy to share details, Krebs broke story after story of retail payment card breaches. The Neiman Marcus and Michaels breaches were publicized within weeks of Target. Sally Beauty, P.F. Chang’s China Bistro, and many others were quickly outed due to Krebs’s reporting.113

113. Brian Krebs, “Hackers Steal Card Data from Neiman Marcus,” Krebs on Security (blog), January 10, 2014, https://krebsonsecurity.com/2014/01/hackers-steal-card-data-from-neiman-marcus; Brian Krebs, “Banks: Credit Card Breach at P.F. Chang’s,” Krebs on Security (blog), June 10, 2014, http://krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs.

Thanks to Krebs, as soon as stolen cards went up for sale on the dark web, news could quickly burst into the mainstream media. That meant that retailers could no longer expect to quietly handle the investigation behind the scenes and take weeks to craft press releases. Nor could they rely on the card brands to release a vague, anonymous letter on their behalf. Retailers had to be prepared for an immediate public response as soon as a payment card theft was detected. This pressure spurred the development of specialized third-party incident response teams run by cybersecurity firms, as well as prepackaged call center and credit monitoring services that could be activated quickly. It also fueled growth for insurers’ breach response services (as discussed in Chapter 12, “Cyber Insurance”).

7.3.3 Communications Crisis

Getting “outed” by Krebs was bad. Target’s reaction, however, was far worse. Throughout the weeks that followed, Target’s team made critical errors that inflamed public response: at times stonewalling the press, and at other times launching heavy-handed attempts to win back the public’s trust. As we will see, Target:

  • Clammed up, which fueled suspicion and speculation

  • Released “cold” and uncaring statements

  • Failed to take responsibility

  • Avoided apologizing

  • Did not provide sufficient call center resources, frustrating consumers

  • Offered compensation that was then not available

  • Released a series of news stories with new information, generating intense media interest

  • Failed to control media communications, leading to multiple damning leaks

Ultimately, this communications catastrophe became an avalanche that took down the company’s leadership and badly damaged their bottom line.

7.3.3.1 Talk to the Hand

Target’s first PR mistake was stonewalling Krebs. Upon hearing of the potential Target breach, Krebs called the retailer for a statement—but Target clearly wasn’t ready to answer questions. Although the company’s spokesperson reportedly returned his call hours later,114 Target declined to comment. As a result, Target missed its first opportunity to tell its side of the story. Even worse, when the story ran that evening, it portrayed the company as uncooperative, stating that “Minneapolis, Minn. based Target Brands Inc. has not responded to multiple requests for comment.”115

114. Perlroth, “Reporting from the Web’s Underbelly.”

115. Krebs, “Sources: Target Investigating.”

The company stuck to its “minimal disclosure” strategy throughout the ensuing weeks. Its initial public notification shared few details and no offer of compensation or credit monitoring. “We regret any inconvenience that this may cause,” said CEO Gregg Steinhafel, in a terse statement that came across as cold and uncaring.

Consumers were furious. In the days that followed, many were hit with fraudulent charges or were notified that they had to wait for reissued cards—far more than an “inconvenience” in the days leading up to Christmas. One shopper, whose bank account was drained of $850, said, “I had to borrow money for the Christmas dinner and from my brother and I also had to borrow money for my rent.”116

116. Michael Finney, “Woman’s Debit Card Suspended Due to Target Breach,” abc7 News, January 14, 2014, http://abc7news.com/archive/9393709.

“Why did Target take so long to report data security breach?” asked one NBC News reporter.117 There were no good answers.

117. Kelli Grant, “Why Did Target Take So Long to Report Data Security Breach?” NBC News, December 20, 2013, https://www.nbcnews.com/business/why-did-target-take-so-long-report-data-security-breach-2D11783300.

“I won’t shop at Target again,” exclaimed one angry “guest,” who suffered fraud just days before Christmas.118

118. Alexandra Klausner, “‘I Won’t Shop at Target Again’: Angry Fraud Victims Condemn Store after Details of up to 40 MILLION Credit Cards are Stolen by Hackers,” Mail Online, December 19, 2013, http://www.dailymail.co.uk/news/article-2526235/Over-1-MILLION-Target-customers-account-information-stolen-Black-Friday-weekend-in.html.

Customers called the company’s hotline with questions, only to experience long waiting times. As Target struggled to handle the onslaught of angry calls, customers got angrier. “Customers seeing red over Target’s hacking response,” screamed one headline.119

119. Aimee Picchi, “Customers Seeing Red Over Target’s Hacking Response,” CBS News, December 20, 2013, https://www.cbsnews.com/news/customers-seeing-red-over-targets-hacking-response.

In response, Target sent out an email that discouraged consumers from calling. “We continue to experience a high volume of calls to our call center and have more than doubled the number of team members taking calls around the clock to help them resolve any issues they may have. We have communicated to 17 million guests via email and reminded them that unless they have seen fraudulent activity on their account, there is no urgent need to call.”120

120. Target, “Target Data Security Media Update #2,” press release, December 23, 2013, https://corporate.target.com/press/releases/2013/12/target-data-security-media-update-2.

The media, like consumers themselves, were rebuffed. “Target has yet to honor a single request for comment from this publication, and the company has said nothing publicly about how this breach occurred,” reported Krebs, nearly a month after the breach was first announced. Lacking responses from Target, consumers speculated, and journalists turned to investigative reporting.

7.3.3.2 Victimization

“Evasion of responsibility” appeared to be Target’s primary image repair strategy from the beginning—and it backfired. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice,” said the company in its initial notification letter.121

121. Target, “Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores,” press release, December 19, 2013, https://corporate.target.com/press/releases/2013/12/target-confirms-unauthorized-access-to-payment-car.

Clearly, Target was a victim, like consumers themselves. “It was a crime against Target, our team members, and most importantly, our guests,” said CEO Gregg Steinhafel.122

122. Target, “A Message from CEO Gregg Steinhafel about Target’s Payment Card Issues,” Bullseye View, December 20, 2013, https://corporate.target.com/article/2013/12/target-ceo-gregg-steinhafel-message.

The public didn’t buy it. “Consumers are frustrated when a company doesn’t do a good job either protecting their info or informing them of any problems,” said Ed Mierzwinski, consumer program director at U.S. PIRG.123

123. Beth Pinsker, “Consumers Vent Frustration and Anger at Target Data Breach,” Reuters, January 14, 2014, http://www.reuters.com/article/us-target-consumers/consumers-vent-frustration-and-anger-at-target-data-breach-idUSBREA0D01Z20140114.

“Don’t play the victim,” urged Visa, in a guide for merchants released in 2008. “[Y]ears ago, when announcing a data breach, it may have been possible for companies to successfully portray themselves simply as fellow victims. Today, this is a flawed and dangerous strategy. Although you may have had a crime committed against you, the public and business press will still hold you accountable and will not consider you a co-victim.”124

124. Visa, Responding to a Data Breach: Communications Guidelines for Merchants, 2008, 8, https://usa.visa.com/dam/VCOM/global/support-legal/documents/responding-to-a-data-breach.pdf.

If only Target had heeded Visa’s advice. The problem with the “victim” strategy is that it did not give Target room to take responsibility, which ultimately led to questions of competence and character, and led to the downfall of the company’s senior management team.

7.3.3.3 Trust Us—Before Christmas, Please

As the countdown to Christmas wound down, Target’s executive team was clearly panicked. For retailers, a tarnished image can quickly impact sales. They released a web-based “Message from CEO Gregg Steinhafel about Target’s Payment Card Issues” with a series of YouTube embedded videos (since deleted). The message incorporated several image repair strategies:125

125. Target, “Message from CEO Gregg Steinhafel.”

  • The title of the first video, Target CEO Expresses Gratitude, was clearly an attempt to humanize the company and capitalize on the general tendency toward goodwill during the holiday season (bolstering).

  • Target attempted to minimize the injury with statements such as: “We want our guests to understand that just because they shopped at Target during the impacted time frame, it doesn’t mean they are victims of fraud. In fact, in other similar situations, there are typically low levels of actual fraud. Most importantly, we want to reassure guests that they will not be held financially responsible for any credit and debit card fraud.”

  • Evasion of responsibility continued, with the assertion that “[i]t was a crime against Target, our team members, and most importantly, our guests.”

  • Target made a weak attempt at demonstrating corrective action (“The issue has been identified and eliminated”), but the lack of details and questions regarding the management team’s competence rendered the statement unconvincing.

  • A promise of credit monitoring (compensation/corrective action) was buried midway through the page: “[T]o provide guests with extra assurance, we will be offering free credit monitoring services,” said Target. However, there was no way for consumers to actually sign up for credit monitoring, fueling frustration and the growing perception of incompetence. Indeed, it wasn’t until mid-January that affected Target customers could actually sign up for the service. Also, credit monitoring is of limited use in payment card breaches since it doesn’t stop anyone from fraudulently using a stolen card number.

  • Target offered consumers a special deal: “We’re in this together, and in that spirit, we are extending a 10% discount—the same amount our team members receive—to guests who shop in U.S. stores on Dec. 21 and 22.” It concluded with a hearty, “Valid in store only. Limit one offer per guest to be used in a single transaction. Void if prohibited by law. Not valid in Canada. No cash value.” The discount, which may have been intended as a form of compensation, instead reinforced the impersonal and transactional nature of Target’s relationship with its “guests.”

It didn’t work. Target’s fourth-quarter profits dropped 46% in 2013, a precipitous decline largely attributed to the data breach.126 Shares fell 11% in the two months following the breach, and only made strong gains after a conference call in which CFO John Mulligan “reassured investors that customers were beginning to return to its U.S. stores.”127

126. Maggie McGrath, “Target Profit Falls 46% on Credit Card Breach and the Hits Could Keep Coming,” Forbes, February 26, 2014, https://www.forbes.com/sites/maggiemcgrath/2014/02/26/target-profit-falls-46-on-credit-card-breach-and-says-the-hits-could-keep-on-coming.

127. Dhanya Skariachan and Jim Finkle, “Target Shares Recover after Reassurance on Data Breach Impact,” Reuters, February 26, 2014, https://www.reuters.com/article/us-target-results/target-shares-recover-after-reassurance-on-data-breach-impact-idUSBREA1P0WC20140226; Yahoo! Finance, Target Corporation (TGT), 2014, https://finance.yahoo.com/quote/TGT/history?period1=1357023600&period2=1420009200&interval=1d&filter=history&frequency=1d.

7.3.3.4 Nonapologizing Profusely

Missing from Target’s crisis communications messages was a clear apology. The absence was striking. For example, in Steinhafel’s written “message” published on December 20, he apologized only for the difficulty that “guests” experienced when attempting to reach Target’s customer service representatives. “We apologize and want you to understand that we are experiencing unprecedented call volume.” The CEO’s message did not include an apology for the breach itself or for Target’s delayed notification, which had the public up in arms.

Apologies are a critical element of relationships, both for individuals and organizations. “It is an important social ritual, a way of showing respect and empathy for the wronged person,” writes psychotherapist Beverly Engel. “It is also a way of acknowledging an act that, if otherwise left unnoticed, might compromise the relationship. Apology has the ability to disarm others of their anger and to prevent further misunderstandings. While an apology cannot undo harmful past actions, if done sincerely and effectively, it can undo the negative effects of those actions.”128

128. Beverly Engel, The Power of Apology: Healing Steps to Transform All Your Relationships (Hoboken, NJ: Wiley & Sons, 2002), 12.

In many data breach cases, organizations refrain from apologizing because they fear this will increase their liability. However, as we will see in Chapter 9, a clear apology can quickly defuse anger and actually help to reduce lawsuits. (See § 9.6.4 for details.)

According to researchers from Ohio State University’s Fisher College of Business, there are six key elements of an apology:129

129. Jeff Grabmeier, “The 6 Elements of an Effective Apology, According to Science,” Ohio State University News, April 12, 2016, https://news.osu.edu/news/2016/04/12/effective-apology.

  1. Expression of regret

  2. Explanation of what went wrong

  3. Acknowledgment of responsibility

  4. Declaration of repentance

  5. Offer of repair

  6. Request for forgiveness

“Our findings showed that the most important component is an acknowledgement of responsibility,” said Roy Lewicki, professor emeritus of management and human resources at the college. “Say it is your fault, that you made a mistake.”130

130. Grabmeier, “6 Elements.”

The longer Target waited, the more the public’s resentment and anger boiled. The company said things that implied it felt badly: “we recognize this issue has been confusing and disruptive,”131 “[t]he privacy and protection of our guests’ information is a matter we take very seriously.”132 But the key elements of an apology were missing. Target did not accept responsibility, and as a result, it couldn’t effectively explain what went wrong, declare repentance, or request forgiveness.

131. Target, “Message from CEO Gregg Steinhafel.”

132. Target, “Message from CEO Gregg Steinhafel.”

7.3.3.5 Getting Personal

Starting on December 20, Target’s breach communications became noticeably, and strangely, personal. Clearly someone had informed company executives that their initial communications were terse and impersonal. Suddenly, Target sent new emails to “guests” that were “signed” by the CEO (never mind the oddities of including a scribbled signature on an email).

Subsequently, the company released an article called “Behind the Scenes of the Recent Target Data Breach,” which featured photographs and videos of uncomfortable and sad-looking executives. One could almost see the PR consultants coaching Target’s executives, telling them to “humanize” their response. And they did—but the results were not confidence-inspiring.

By January, Target was desperate to repair its image. Steinhafel gave a much-touted, exclusive interview to CNBC. Unfortunately, the results were unflattering. The CEO appeared nervous, frequently spoke too quickly, and fell back on “canned” generic phrases such as “safe and secure,” which he repeated no less than nine times:134

134. “CNBC Exclusive: CNBC Transcript: Target Chairman & CEO Gregg Steinhafel Speaks with Becky Quick Today on CNBC,” press release, January 13, 2014, https://www.cnbc.com/2014/01/13/cnbc-exclusive-cnbc-transcript-target-chairman-ceo-gregg-steinhafel-speaks-with-becky-quick-today-on-cnbc.html.

[I]t was about making our environment safe and secure.

[B]y 6:00 at night, our environment was safe and secure.

I can tell you that we are highly confident that Target’s environment is safe and secure.

[W]e really want to assure them that Target’s environment is safe and secure.

We removed that malware so that we could provide a safe and secure shopping environment.

We’re very confident that our . . . environment is safe and secure.

We know in our heart of hearts, our environment is safe and secure.

We think it’s really important that we have safe and secure environment.

I can tell you that we are highly confident that Target’s environment is safe and secure.

“[T]here was this singular focus on the ‘guest’ and this constant repetition of the ‘guest,’” pointed out Paul Argenti, professor of corporate communication at Dartmouth. “[H]e bridged to a canned response.”135

135. Jena McGregor, “Target CEO Opens Up about Data Breach,” Washington Post, January 13, 2014, https://www.washingtonpost.com/news/on-leadership/wp/2014/01/13/target-ceo-opens-up-about-data-breach.

Throughout the CNBC interview, Steinhafel gave the strong impression that he had something to hide. He dodged requests for details, changed the topic, and at one point said outright, “we’re in the middle of a criminal investigation, as you can appreciate. And we can only share so much.” (Host Becky Quick did not appear to appreciate.)136 Reuters reported, “the No. 3 U.S. retailer was vague in providing details about what it knew and when.”137

136. Becky Quick, “Target CEO Defends 4-Day Wait to Disclose Massive Data Hack,” CNBC, January 12, 2014, https://www.cnbc.com/2014/01/12/target-ceo-defends-4-day-wait-to-disclose-massive-data-hack.html.

137. R. Kerber, P. Wahba, and J. Finkle, “Target Apologizes for Data Breach, Retailers Embrace Security Upgrade,” Reuters, January 13, 2014, https://www.reuters.com/article/us-target-databreach-retailers/target-apologizes-for-data-breach-retailers-embrace-security-upgrade-idUSBREA0B01720140113.

No wonder Steinhafel was nervous: he was actively misleading the public. “Sunday [December 15] was really day one,” he said. “[T]hat was the day that we confirmed that we had an issue. . . . Monday . . . day two was really about—initiating the investigation work and the forensic work. . . . Day three was about preparation. We wanted to make sure our stores and our call centers could be as prepared as possible. And day four was notification. So, throughout that four-day process, to some people it probably felt longer than that, we worked around the clock to try and do the right thing, to be transparent, truthful, and then share what we knew as quickly as we could.”

But Sunday, December 15, wasn’t “day one,” and the investigation had been initiated well before Monday. Journalists later discovered that the Department of Justice and the Secret Service had informed Target on December 12, three days earlier. Steinhafel was quick to emphasize that “day one” was the day the breach was “confirmed”—but the reality was that Target had been informed days earlier, and the “four-day process” was really a week. Fearful of even more public backlash, Target chose to mislead people rather than disclose the truth.

Steinhafel did finally clearly apologize and take responsibility—a refreshing step forward that earned him kudos in the media. Unfortunately, these statements did not make it into many of the clips, such as the NBC Business Report evening segment—a powerful reminder that news outlets will choose the juiciest snippets to run, and not necessarily those that the breached organization would like to see featured.

Steinhafel also successfully humanized the story, sharing that he found out about the breach while having coffee with his wife Sunday morning—an “everyday Joe” experience that many could relate to. Shareholders, however, did not want to hear that the CEO was as surprised as consumers. Throughout the interview, Steinhafel worked hard to seem caring, but provided little reassurance that the company was competently managing cybersecurity—a mistake that would ultimately cost him his job.

7.3.3.6 Phishing the Victims

Adding insult to injury, cybercriminals copied Target’s notification emails and website design and sent mass phishing emails that looked like they came from Target—but in fact, they contained links to scam websites that stole victims’ personal information.138 Unfortunately, Target had used a scammy, non-Target email address to send its official notifications, which contributed to the perception that they either did not understand good cybersecurity practices or did not care. After Target released its early notifications, a Forbes contributor pointed out the “beautifully horrible” address, which consisted of a 50-character alphanumeric string at the domain target.bfi0.com. “Many users would decide this is a scam e-mail (or wouldn’t even notice any of this which is more concerning given how often true scammers behave nearly identically).”139

138. Catey Hill, “Email ‘from Target’ to Customers is a Phishing Scam,” MarketWatch, December 20, 2013, https://www.marketwatch.com/story/scammers-pounce-on-target-fiasco-2013-12-20.

139. James Lyne, “Target’s Latest Failure and How to Spot a Scam,” Forbes, January 7, 2014, https://www.forbes.com/sites/jameslyne/2014/01/07/targets-latest-failure-and-how-to-spot-a-scam.

To alleviate the damage, Target released a series of updates and warnings. On the day before Christmas, Target issued an update, which said that “[w]e are aware of limited incidents of phishing or scam communications. To help our guests feel confident that what they are hearing from Target is really from us, we are in the process of setting up a dedicated resource on our corporate website where we will post pdfs of all official communications that Target sends to our guests.”140

140. Lyne, “Target’s Latest Failure.”
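The address problem above is a domain-alignment problem: target.bfi0.com is a subdomain of bfi0.com, not of the retailer’s own domain, so a recipient (or a mail filter) has no way to tell it from a phisher’s lookalike. The following is an added example, not code from the page or from Target, showing the check a mail-security team would run on an outbound notification’s From: header. It applies the “relaxed alignment” rule DMARC (RFC 7489) uses, comparing registrable domains, and flags the brand name appearing inside a domain the organisation does not own. The public-suffix table is a constructed subset, the headers are constructed, and target.com is assumed as the organisation’s domain.

```python
"""Is a notification really sent from the organisation's own domain?
Relaxed alignment as DMARC (RFC 7489) defines it: the From: domain's
registrable domain must equal the organisation's. Added example with a
constructed public-suffix table; 'target.com' is assumed as the org domain."""
from email.utils import parseaddr

# Constructed subset of the public suffix list; load the full list from
# publicsuffix.org for real use.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Public suffix plus one label: target.bfi0.com -> bfi0.com, news.target.com -> target.com."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def classify_sender(from_header: str, org_domain: str) -> dict:
    """Classify a From: header against the organisation's registrable domain."""
    _, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2].lower()
    org_rd = registrable_domain(org_domain)
    sender_rd = registrable_domain(host)
    aligned = sender_rd == org_rd
    brand = org_rd.split(".")[0]
    # The brand name appearing in a domain that is NOT ours is the classic
    # lookalike pattern, whether as a subdomain (brand.vendor.com) or a typosquat.
    brand_in_domain = (not aligned) and any(brand in lbl for lbl in host.split("."))
    return {"address": addr, "registrable_domain": sender_rd,
            "aligned": aligned, "brand_in_domain": brand_in_domain}


# Constructed headers: the shape of the address the text describes (a long
# random-looking local part at a vendor domain), plus two controls.
CONSTRUCTED_HEADERS = [
    "Target <a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8@target.bfi0.com>",
    "Target News <news@news.target.com>",
    "Target Guest Services <alerts@target.com.account-verify.net>",
]

if __name__ == "__main__":
    for hdr in CONSTRUCTED_HEADERS:
        print(classify_sender(hdr, "target.com"))
```

The first header fails alignment and trips the brand-in-domain flag for exactly the reason the Forbes piece gave; the second, sent from a subdomain of the organisation’s own domain, passes. Full DMARC additionally requires an SPF or DKIM pass for the aligned domain, which this offline check cannot evaluate. The operational fix is to delegate a subdomain the organisation controls (for example a hypothetical notify.target.com) to the bulk-mail vendor, so that alignment holds and customers are not left comparing PDFs on a corporate website to decide whether an email is genuine.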

7.3.3.7 A Bad News Campaign

Target didn’t just ignite a media frenzy—it stoked the flames over a period of several months, by fueling ongoing news stories and releasing new updates regularly. The Target breach essentially grew into a bad multimedia marketing campaign, complete with regular email, social media, and television and magazine spotlights. This was the exact opposite of Visa’s sage advice for handling a breach, which it had distributed to merchants for years: “Make it a one-day story. By communicating early and delivering on promised updates, the company reduces the chances the media may make more of the story than it might deserve.”141

141. Visa, Responding to a Data Breach.

As the crisis wore on, Target unintentionally gave reporters incentives to investigate, by obviously hiding information and repeatedly making misleading or even false statements. For example, on December 24, Reuters reported that the “hackers who attacked Target Corp. . . . also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation.” This contradicted Target’s earlier statement that there was “no indication that debit card PINs were impacted.”142

142. Jayne O’Donnell, “Target: PINs not Part of Stolen Credit Card Info,” USA Today, December 19, 2013, https://www.usatoday.com/story/money/personalfinance/2013/12/19/target-credit-debit-card-data-breach/4125231.

Upon hearing Reuters’ claim, Target dug its heels in, insisting that “no unencrypted PIN data was accessed” and that PIN data had not been “compromised.”143 Then, three days later, the company issued another press release, admitting that “strongly encrypted PIN data was removed” from its network, in addition to the card numbers themselves.144 The reversal set off another media frenzy and added to widespread mistrust and the perception that Target was either incompetent or dishonest.

143. Jim Finkle and David Henry, “Exclusive: Target Hackers Stole Encrypted Bank PINs - Source,” Reuters, December 25, 2013, https://www.reuters.com/article/us-target-databreach/exclusive-target-hackers-stole-encrypted-bank-pins-source-idUSBRE9BN0L220131225.

144. David Goldman, “Target Confirms PIN Data was Stolen in Breach,” CNN Tech, December 27, 2013, http://money.cnn.com/2013/12/27/technology/target-pin/index.html.

“The harder a journalist has to work to dig up the information about your breach, the more value the reporter and his/her editors will place on the story—and this will be reflected in where it is played and how long it is considered newsworthy,” explained the Visa guide for merchants.145 The stolen PIN announcement was newsworthy because of the new information, but it became scandalous because Target apparently tried to cover it up.

145. Visa, Responding to a Data Breach.

Let’s take a look at how Target’s breach developed into multiple storylines during the first few weeks following the breach:

  • Target’s initial lack of response to Brian Krebs ensured that he would publish his article without their input. Target then fumbled its original announcement the next day and followed up with multiple multimedia communications in the subsequent days, unnecessarily giving reporters more fodder, spread out over time.

  • By late December, several states—including New York, Connecticut, South Dakota, and Massachusetts—had all issued public statements regarding the data breach and opened investigations. In response, Target’s general counsel, Tim Baer, held a conference call with attorneys general from several states. The state investigations themselves were considered newsworthy. The Wall Street Journal reported on the call, including that a follow-up call was scheduled for the beginning of January, after the holidays.146 Legislators (such as U.S. Senator Chuck Schumer) held press conferences in response to massive public outcry regarding the breach.

    146. Sara Germano and Robin Sidel, “Target Discusses Breach with State Attorneys,” Wall Street Journal, December 23, 2013, https://www.wsj.com/articles/target-discusses-breach-with-state-attorneys-1387842976?mg=prod/accounts-wsj.

  • Days before the new year, Target revealed that encrypted PINs had also been stolen, reversing earlier statements. This fueled a general lack of trust and incentivized reporters to dig even more.

  • On January 10, 2014, Target revealed that in addition to the 40 million payment card numbers, personal information (name, address, phone, email address) for up to 70 million customers had also been exposed.147 According to Target, a range of 70 million to 110 million people were affected, in total.148 The news sent another round of shock waves across the nation. Stock prices, which had been fairly steady since the new year, dropped—leading to even more news stories.

    147. Target, “Target Provides Update on Data Breach and Financial Performance,” press release, January 10, 2014, https://corporate.target.com/press/releases/2014/01/target-provides-update-on-data-breach-and-financia.

    148. Elizabeth A. Harris and Nicole Perlroth, “For Target, the Breach Numbers Grow,” New York Times, January 10, 2014, https://www.nytimes.com/2014/01/11/business/target-breach-affected-70-million-customers.html

  • In an effort to repair Target’s image, CEO Gregg Steinhafel gave a much-touted, exclusive interview to CNBC. Excerpts from the 30-minute interview ran throughout the day on Monday, January 13, 2014, from the 6 a.m. “Squawk Box” all the way through the Nightly Business Report.149

    149. CNBC, “CNBC Exclusive.”

  • In response to widespread anger and distrust, Congress held multiple hearings on the Target breach, including testimony from CFO John Mulligan. The FTC likewise opened an investigation.

Bad news continued to leak out, drop by drop, into a torrent of media activity.

7.3.3.8 Media Leaks

Smelling a juicy story, major news outlets responded by putting together investigative teams. Target’s employees (past and present), vendors, law enforcement, and contractors seemed all too happy to squeal.

Investigative journalists from Bloomberg’s Businessweek reportedly “spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials.” These sources revealed a series of unflattering details, which Bloomberg’s staff leveraged to put together their “Missed Alarms” exposé. “The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.”150

150. Riley, Elgin, Lawrence, and Matlock, “Missed Alarms.”

Similarly, the Wall Street Journal seemed to have no problem lining up sources to get the inside scoop on the Target breach. “The new details, culled from interviews with former Target employees, people with knowledge of the post-breach investigation and others who work with large corporate networks, show that the breach wasn’t entirely a bolt from the blue, but instead a sophisticated attack on a known point of vulnerability,” the newspaper wrote in its February 2014 report.151

151. Yadron, Ziobro, and Barrett, “Target Warned of Vulnerabilities.”

Even worse, Krebs was able to get a copy of Target’s highly confidential internal penetration testing report, produced by Verizon in the weeks following the breach, and used it to produce a damning takedown. “The results of that confidential investigation—until now never publicly revealed—confirm what pundits have long suspected: Once inside Target’s network, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store,” Krebs revealed. “Target commissioned the study ‘in anticipation of litigation’ from banks that might join together to sue the retailer in a bid to recoup the costs of reissuing cards to their customers.”152

152. Krebs, “Inside Target Corp.”

Target, it was clear, did not have control over its media communications. It is normal for the media to come knocking when a major PR incident occurs. While leaks do happen, it’s rare for so many individuals to willingly share ugly details with reporters. This behavior indicates a lack of loyalty to the company and can also stem from a lack of training and weak “security culture”—issues that also may have contributed to the breach itself. Human resources are an essential part of every organization’s information security program. The evidence suggests that at Target, this fact was overlooked.

7.3.3.9 Malware Leaks

Target didn’t know it, but its technical staff accidentally leaked highly sensitive information to the public, even before the breach was publicly announced. This would later come back to haunt the company.

On December 11, someone uploaded a sample of malware from a Target server to the VirusTotal analysis service. Users around the world upload malware to VirusTotal, which runs automated threat analysis tools and then provides reports of the results. In all likelihood, one of Target’s technical staff (or a third-party analyst) discovered the infected “exfiltration” server and uploaded the malware to see what it was. VirusTotal maintains vast libraries of malware and reports, which security professionals can leverage to diagnose issues on their own networks.

The problem is that VirusTotal does not keep uploaded malware samples confidential. Instead, the organization shares its databases of malware with many organizations—and malware can contain very revealing information. Dell Secureworks researchers obtained a copy of the malware uploaded from Target and found that it was used to transfer batches of stolen payment card numbers from the criminals’ internal staging server to a system outside Target’s network. The malware contained the internal Target server IP address, a key process name, and various other details that enabled the researchers to pinpoint installation dates and likely times of exfiltration.

Similarly, responders within Target apparently uploaded the POS malware to ThreatExpert on December 18, 2013. ThreatExpert, like VirusTotal, is a third-party service that analyzes malware samples and provides information to responders. ThreatExpert, too, shares its database with others. Researchers from Dell Secureworks obtained a copy of the Target POS malware, which was designed to scrape card numbers from memory and then periodically move them to an internal Target server. The researchers found that the malware contained the hard-coded IP address of Target’s internal server, as well as the Windows domain name, user account credentials, and even a file containing a stolen credit card number. It is not clear precisely where the researchers obtained their sample of the malware, but the internal IP address and user account credentials were published in ThreatExpert’s report on the malware.153

153. Threat Expert, Submission Summary, January 8, 2014, https://krebsonsecurity.com/wp-content/uploads/2014/01/POSWDS-ThreatExpert-Report.pdf.

On January 14, 2014, Krebs blogged about the malware, having been tipped off by “a source close to the investigation.”154 Ten days later, Dell Secureworks published an in-depth analysis, revealing further technical details of the breach and further fanning the flames of media attention. Later, its whitepaper was cited by Congress during its investigations into the Target breach.155

154. Brian Krebs, “A First Look at the Target Intrusion, Malware,” Krebs on Security (blog), January 15, 2014, https://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware (accessed January 16, 2018).

155. U.S. Comm. on Commerce, Science, and Transportation, “Kill Chain” Analysis; Jarvis and Milletary, “Inside a Targeted.”

The moral of the story is that malware can be very revealing. Malware samples can contain sensitive information regarding a hacked organization’s internal network configuration, accounts, and even snippets of stolen data. By analyzing timestamps from compiled malware samples, researchers can make educated guesses about precisely when and how an organization was compromised. By viewing the upload time, they can tell when defenders might have discovered the malware and calculate the length of time between detection and disclosure.
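To make the point concrete, here is an added example (not from the page, and not the Target malware) of the triage a researcher runs on a sample pulled from a sharing service: read the compile timestamp from the PE header’s COFF TimeDateStamp field, then carve printable strings and pick out private IP addresses, UNC paths, DOMAIN\account tokens, and Luhn-valid digit runs that look like card numbers. The sample is a constructed PE-shaped byte blob with hypothetical host, account, password and card-number strings (the card number is a standard test PAN), built inline so the script runs offline.

```python
"""Triage a leaked malware sample for what it gives away: the PE compile
timestamp and embedded strings (internal IPs, UNC paths, domain accounts,
card numbers). The sample below is constructed; it is not the Target malware."""
import re
import struct
from datetime import datetime, timezone

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")        # printable runs, like strings(1)
PRIVATE_IPV4 = re.compile(
    r"(?<!\d)(?:10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}(?!\d)")
UNC_PATH = re.compile(r"\\\\[\w.-]+(?:\\[\w$.-]+)+")
DOMAIN_ACCOUNT = re.compile(r"(?<![\\\w])([A-Za-z][\w-]*\\[A-Za-z][\w.$-]*)")
DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def pe_compile_time(data: bytes):
    """COFF TimeDateStamp as an ISO-8601 UTC string, or None if this is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()


def luhn_ok(digits: str) -> bool:
    """Luhn check, which separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _uniq(items):
    seen = []
    for x in items:
        if x not in seen:
            seen.append(x)
    return seen


def triage(data: bytes) -> dict:
    """Pull the details an analyst (or a competitor, or a journalist) would extract."""
    blob = "\n".join(s.decode("ascii") for s in ASCII_RUN.findall(data))
    return {
        "compile_time": pe_compile_time(data),
        "private_ips": _uniq(PRIVATE_IPV4.findall(blob)),
        "unc_paths": _uniq(UNC_PATH.findall(blob)),
        "domain_accounts": _uniq(DOMAIN_ACCOUNT.findall(blob)),
        "card_numbers": _uniq(d for d in DIGIT_RUN.findall(blob) if luhn_ok(d)),
    }


def build_sample(compile_ts: int, strings: list) -> bytes:
    """Constructed PE-shaped blob: DOS header, PE signature, COFF header, then strings."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew: PE header right after
    coff = struct.pack("<HHIIIHH", 0x14C, 3, compile_ts, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff + b"\x00" * 8 + b"\x00".join(strings) + b"\x00"


# Constructed strings in the style of POS exfiltration malware (hypothetical host,
# account, password and card number; the card number is a standard test PAN).
CONSTRUCTED_STRINGS = [
    b"net use \\\\10.0.0.25\\c$\\WINDOWS\\twain_32 /user:CORP\\svc_backup Wint3r2013!",
    b"move %s \\\\10.0.0.25\\c$\\WINDOWS\\twain_32\\*",
    b"4111111111111111",        # passes Luhn: reported
    b"1234567890123456",        # fails Luhn: ignored
]
SAMPLE = build_sample(1384560000, CONSTRUCTED_STRINGS)   # 2013-11-16T00:00:00Z

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:16} {value}")
```

Two caveats a responder should keep in mind. First, the compile timestamp is attacker-controlled and is sometimes zeroed or forged, so it is corroborating evidence, not proof of when a tool was built. Second, the upload time that the text says reveals the detection-to-disclosure gap lives in the sharing service’s metadata, not in the file, which is exactly why the safer habit is to search the service for the sample’s hash and to reserve uploads for files already scrubbed of internal hostnames and credentials.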

7.3.3.10 Image of Incompetence

Throughout the Target breach, many stakeholders were left with the following negative perceptions:

  • Incompetence - Target did not competently manage or oversee the company’s cybersecurity program.

  • Lack of Character - Target lacked courage and integrity.

  • Uncaring - Target did not genuinely care about the welfare of the consumer more than its own profit margins and pocketbooks.

These things were not necessarily true, but throughout Target’s response, its actions (or lack thereof) contributed to negative perceptions in all three of these categories. These perceptions undermined trust that stakeholders had in the organization. With the release of Steinhafel’s videos and a concerted effort by the company’s public relations team, some of these negative perceptions were corrected, but not all.

In March 2014, when Bloomberg released its exposé, consumers were still struggling to make sense of Target’s reaction. Bloomberg’s Businessweek editor John Tyrangiel went on television to analyze Target’s breach response, in a segment that perfectly captured consumer sentiment.156

156. Bloomberg, “How Target.”

“Incredible, the amount of time it took between the time that hack actually happened and when Target actually made a statement,” opened the host. “Do we know why they were asleep at the wheel here?”

“Well, that’s really the big mystery,” responded Tyrangiel. The commentators reviewed the facts: Target had clearly invested a lot of money in cutting-edge security tools, far more than most retailers at the time. The company appeared to care about cybersecurity, and there were signs that it had the best intentions. “We found no one who said there was any kind of cover-up,” emphasized Tyrangiel.

The attack itself was nothing special; the host described it as “a very run-of-the-mill operation.” The tools effectively alerted, and Target’s team had multiple opportunities to stop the breach. After analyzing the facts, Tyrangiel concluded:

“It’s just gross incompetence.” That was that. It was a verdict that was widely accepted. Yes, stakeholders expressed concerns about all three C’s, including caring and character, but by March the overwhelming sentiment was that Target’s team was simply not competent with respect to cybersecurity.

Unwittingly, Target had helped to create this image of incompetence through its bumbled public response. It wasn’t the worst mistake for a retailer to make, but it did mean that to repair its image, a change of management would ultimately be required.

On May 5, 2014, Steinhafel “resigned” after 35 years with Target, in what was perhaps the earliest case in which the CEO of a major company was ousted in large part due to a data breach.157 After fumbling the breach response out of the gate, Target’s subsequent communications only inflamed the public and ignited negative media attention for months. By “humanizing” Target’s breach communications with Steinhafel’s image, he became a symbol of Target’s cybersecurity failures. As a result, Steinhafel’s resignation became the company’s only path to recovery.

157. The Street, “Target CEO Gregg Steinhafel Resigns Post-Customer Data Breach,” YouTube, 1:45 min, posted May 5, 2014, https://www.youtube.com/watch?v=bKxyETHsdvc.

7.3.4 Home Depot Did a Better Job

In September 2014, just nine months after the Target breach, Krebs announced that Home Depot was investigating a breach—one that might have started in April or May and might be far larger than the Target breach. This time, Krebs’ announcement included screenshots of a carding forum, rescator[dot]cc, where the Home Depot credit card numbers were being sold. Two weeks later, Home Depot revealed that 56 million payment cards had been compromised.158

158. Kate Vinton, “With 56 Million Cards Compromised, Home Depot’s Breach Is Bigger Than Target’s,” Forbes, September 18, 2014, https://www.forbes.com/sites/katevinton/2014/09/18/with-56-million-cards-compromised-home-depots-breach-is-bigger-than-targets.

Yet despite the massive scale of the breach, Home Depot largely preserved its reputation. The company’s sales actually grew that quarter, exceeding analysts’ expectations. Not only did CEO Frank Blake’s reputation survive the megabreach, he retired shortly thereafter and was lauded for his handling of the tough situation.159

159. John Kell, “Home Depot Shrugs Off Data Breach with Sales Growth,” Fortune, November 18, 2014, http://fortune.com/2014/11/18/home-depot-earnings-breach.

“Home Depot’s data breach is worse than Target’s, so where’s the outrage?” queried MarketWatch.160

160. Catey Hill, “Home Depot’s Data Breach is Worse than Target’s, so Where’s the Outrage?” MarketWatch, September 25, 2014, https://www.marketwatch.com/story/yawn-who-cares-about-home-depots-data-breach-2014-09-24.

The Target and Home Depot breaches were similar in many ways: Both were large retailers unexpectedly outed by Krebs. In both cases, tens of millions of payment card numbers were exposed (40 million and 56 million, respectively). But while Target’s reputation—and sales—plummeted, Home Depot’s did not.

To be sure, Home Depot had a leg up in a couple ways. First, the company’s breach was announced in September—not December like Target, when holiday sales added an enormous urgency to the breach response. Second, by the time the Home Depot breach occurred, retail breaches were a dime a dozen. Many people had “breach fatigue.”

Even so, there were other factors that likely had an even greater impact.

Home Depot launched a proactive consumer response. When Krebs contacted Home Depot about the breach, the company provided a straightforward statement. “I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” said spokesperson Paula Drake, who read from a statement (already prepared!) “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further—but we will provide further information as soon as possible.”161

161. Brian Krebs, “Banks: Credit Card Breach at Home Depot,” Krebs on Security (blog), September 2, 2014, https://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/.

Hours later, Home Depot released a public message on its website, which was “mercifully free of mealy-mouthed corporate jargon,” as Fortune magazine put it. Where Target referred obliquely to its “payment card issues” in its early messages, Home Depot shot straight from the beginning by disclosing a “possible payment data breach.”162 No doubt Target’s lawyers believed they were protecting the company from harm by withholding details and carefully crafting each word, but as a result Target lost badly in the court of public opinion—a mistake that Home Depot did not repeat.

162. Target, “Message from CEO Gregg Steinhafel”; Home Depot, “Message to our Customers about News Reports of a Possible Payment Data Breach,” Home Depot Media Center, September 3, 2014, https://web.archive.org/web/20140903143546/ https://corporate.homedepot.com/MediaCenter/Pages/Statement1.aspx.

Home Depot also included an apology and immediate reassurance of credit monitoring in its very first press release, even before the breach was confirmed. “We know that this news may be concerning and we apologize for the worry this can create. . . . If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers.”163

163. Home Depot, “Message to our Customers.”

Even more important, Home Depot immediately engaged a call center that was capable of handling 50,000 calls a day. According to news reports, the call volume never rose above 25% of the center’s capacity, but CEO Frank Blake “preferred to be safe.”164 That meant that concerned customers could pick up the phone and talk to a human being, without the added frustration of long wait times experienced by Target customers.

164. Jennifer Reingold, “How Home Depot CEO Frank Blake Kept His Legacy from Being Hacked,” Fortune, October 29, 2014, http://fortune.com/2014/10/29/home-depot-cybersecurity-reputation-frank-blake.

“[Blake] took full responsibility, empowered his team to fix the problem, and kept the focus where it needed to be, squarely on the customer,” reported Fortune magazine in an article entitled “How Home Depot CEO Frank Blake Kept His Legacy from Being Hacked.”165 By taking responsibility, Home Depot was also able to issue a genuine apology and take corrective action. Within weeks, Home Depot announced that it had “rolled out enhanced encryption of payment data” and was planning on completing its deployment of EMV card readers by the end of 2014.166

165. Home Depot, “Message to our Customers.”

166. Vinton, “56 Million Cards Compromised.”

The Home Depot breach caused significant ripple effects that impacted banks and credit unions. For example, a study conducted by the Independent Community Bankers of America indicated that “the nation’s community banks reissued nearly 7.5 million credit and debit cards at a total reissuance cost of more than $90 million as a result of the Home Depot data breach.”167

167. CBInsight, “Community Banks Reissue Nearly 7.5 Million Payment Cards Following Home Depot Data Breach,” press release, December 18, 2014, http://do1.cbinsight.com/press-release/community-banks-reissue-nearly-7-5-million-payment-cards-following-home-depot-data-breach.

Despite the impact, there was noticeably less consumer outrage during the Home Depot breach response compared with the Target breach. Why? Home Depot effectively preserved the 3 C’s (Competence, Character, and Caring), told its story early and proactively, took responsibility, apologized, effectively listened, responded to customers seamlessly, and made amends. The result? Increased sales, and an even-more-respected CEO.

7.4 Ripple Effects

The Target data breach had ripple effects throughout the financial and retail sectors (indeed, throughout the world) that still reverberate today.

7.4.1 Banks and Credit Unions

Financial institutions suffered immediate losses. In closed-door meetings throughout the United States, bankers grumbled about costs and exchanged notes on fraud.

Two months after the breach, the Consumer Bankers Association (CBA) and the Credit Union National Association (CUNA) jointly reported that their members’ combined costs for card replacement exceeded $200 million.168 This included replacement of 21.8 million cards, which represented only 54.5% of the 40 million card numbers stolen in the Target breach.

168. Consumer Bankers Association (CBA), “Cost of Target Data Breach Exceeds $200 Million,” National Journal, February 18, 2014, https://web.archive.org/web/20140306224523/ http://www.nationaljournal.com/library/113696.

These numbers do not include the cost of fraud or even the full cost of issuing cards through the end of the breach response. “Credit unions have replaced or will replace 85% of their cards affected by the Target breach at no cost to their members,” said Bill Cheney, CEO of CUNA.

While some costs are easy to track and quantify (such as those for card replacement and fraud), others are more nebulous. For example, costs for increased customer support following a megabreach rarely get reported. A perfect example is J.P. Morgan Chase, which announced days after the Target breach that it would open some branches an extra day, a Sunday, to “assist customers through the last few days of holiday shopping.” Undoubtedly, the bank had to pay additional labor costs and overtime fees to keep bank branches open an extra day (not to mention the loss of employee goodwill involved with suddenly requiring staff to work on the Sunday before Christmas).169

169. Sara Germano, “Target’s Data-Breach Timeline,” Corporate Intelligence (blog), Wall Street Journal, September 25, 2014, https://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline.

Here are some of the costs that financial institutions bore due to the Target breach:170

170. Smart Card Alliance Payments Council, The True Cost of Data Breaches in the Payments Industry (White Paper PC-15001, Smart Cards Alliance, March 2015), http://www.emv-connection.com/downloads/2015/03/The-Cost-of-Data-Breaches.pdf.

  • Card replacement costs

  • Member notification

  • Losses due to fraudulent transactions

  • Increased customer service costs

  • Fraud monitoring

  • Loss of customers / decline of new customers

  • Promotional campaigns to rebuild trust

Where did the money come from? Target’s settlements with issuing banks eventually totaled $67 million (Visa) and $39.3 million (Mastercard)—not even enough to cover the cost of reissuing the cards, let alone fraudulent transactions and other fees. A significant chunk of the settlement funds went to the card brands themselves. Also, financial institutions did not receive their share of the settlement funds for years after the breach occurred.

While card brands touted the “zero-liability” policy, the banks paid the price. As one banker wrote: “Most people do not realize that it is NOT Target or any other businesses that has endured the losses of this compromise or any compromise or fraud losses, but rather their bank that issued them the card that suffers the loss and stands behind our customers!”171 Ultimately, banks and credit unions recouped those costs in the only way they could: by raising fees for consumers.

171. Benchmarking & Survey Research/ABA, Target Breach Impact Survey (American Banker’s Association, July 2014), 14, https://www.aba.com/Tools/Function/Payments/Documents/TargetBreachBankImpact.pdf.

7.4.2 Widespread Card Fraud

Once card numbers were stolen from Target, they quickly appeared on a carder shop, rescator[dot]la, run by Russian cybercriminal “Rescator,” who has been traced to Ukrainian resident Andrey Hodirevski.172 In 2010, Hodirevski’s personal web page listed his future goals, which included “World Domination ($ will probably have to rob all the banks in the world).”173

172. Brian Krebs, “Who’s Selling Credit Cards from Target?” Krebs on Security (blog), December 24, 2013, https://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target.

173. Krebs, “Who’s Selling Credit Cards.”

Financial institutions scrambled to stop the bleeding. Days after the Target breach was announced, Krebs teamed up with a local bank to explore the black market store, with the goal of finding and purchasing the bank’s own cards. According to Krebs, Rescator’s forum was “remarkably efficient and customer-friendly.” The duo created an account on the site and funded it with $450 via wire transfer (other options included Bitcoin, Litecoin, WebMoney, and PerfectMoney, in addition to the more mainstream Western Union and MoneyGram).174

174. Krebs, “Cards Stolen in Target Breach.”

Card shops typically assigned “base names” to groups of card numbers stolen from the same merchant and often advertised the “valid rate” (i.e., the percentage of cards that had not yet been canceled by the banks). In December 2013, the Target cards had been uploaded under the base name “Tortuga” (tortoise), with a 100% valid rate. These “fresh” cards fetched a premium. Krebs and his colleague found that the prices for the bank’s cards ranged from $26.60 to $44.80. Many of the Tortuga cards included a money-back guarantee, meaning that if the card was not valid at the time of purchase, it would be replaced or refunded.175

175. Krebs, “Cards Stolen in Target Breach.”

Importantly, the Target dumps were sold along with the city, state, ZIP code, and country of the store where the card number was stolen. This information was very helpful for fraudsters since banks often placed fraud alerts on cards limiting their use outside the cardholder’s typical geographic region. With geographic information, criminals could monetize the data by creating cloned cards and using them in the cardholder’s area, dramatically reducing the likelihood that the cards would be blocked.176

176. Krebs, “Cards Stolen in Target Breach.”

One thing the Target dumps did not include was the CVV2, the three-digit security code printed on the back of the card. That code is not encoded on the magnetic stripe, so it cannot be captured from swipe data, and because many online merchants require it, the stolen data was unlikely to be used for fraudulent purchases online.

Over time, the valid rate of the Target cards declined. The cards were sold under new base names, advertised with different valid rates. By mid-February 2014, Target cards (sold under the base name “Beaver Cage”) advertised a mere 60% valid rate and sold for only $8 to $28. Figure 7-1 illustrates the falling validity rate for the Target cards over time. Note that this chart produced by Krebs is based on numbers advertised by the Rescator criminals. As Krebs himself pointed out, “[C]ertainly Rescator has a vested interest in fudging the numbers.”177

177. Brian Krebs, “Fire Sale on Cards Stolen in Target Breach,” Krebs on Security (blog), February 19, 2014, https://krebsonsecurity.com/2014/02/fire-sale-on-cards-stolen-in-target-breach.

Figure 7-1. The valid rate of Target card dumps over time, advertised under different “base names” on the Rescator card forum. Source: Krebs, “Fire Sale on Cards.”

7.4.3 To Reissue or Not to Reissue?

Many people are surprised to learn that banks and credit unions don’t immediately reissue cards as soon as they’re suspected stolen. The reason, of course, is that banks weigh the risk of fraud against the cost and hassle of reissuing.

According to an American Bankers Association survey, the average cost to reissue a debit card after the Target breach was $9.72, and the average cost to reissue a credit card was $8.11. This includes the cost of card stock, postage, and customer support, among other expenses. Small banks and credit unions paid the most ($11 to $13 per card); larger banks were able to leverage economies of scale and paid approximately $2 to $3 per card.178

178. Benchmarking & Survey Research/ABA, Target Breach Impact Survey.

Merchants, too, take a hit when cards are reissued—particularly those that rely on recurring autopays. One business owner complained, “At my gym, the most popular and profitable payment plan relies on customers signing up and paying monthly through automatic credit card payments. With each credit card breach, I’m losing customers and money.”179

179. Elaine Pofeldt, “Keeping Customers on Contracts Amid Credit Card Churn,” CreditCards.com, June 30, 2014, https://www.creditcards.com/credit-card-news/keeping-customers-contracts-amid-churn-1585.php.

Consumers, too, are frustrated when their cards are canceled and have to be reissued. Larger banks are able to invest in on-site card printers, but many smaller ones can’t afford that, and their customers have to wait for new cards to arrive in the mail. This gives larger banks a leg up on customer service in the event of a breach. After the Target breach, so many cards were reissued that there was a global shortage of card stock, further adding to the delays.

All of these factors create strong pressures for banks and credit unions not to reissue cards. Added to this is the fact that many cards stolen in a breach will never be used, particularly in a breach as large as Target where criminals have a massive number of cards to pick from.

For many banks and credit unions in the Northwest United States, Target wasn’t their biggest headache in late 2013. It was a company called URM, which processed payments for hundreds of stores in the region. Suddenly, during the week of Thanksgiving, customers lining up at the grocery store were told to pay by cash or check. The payment processor had been breached, and POS systems for hundreds of stores were shut down on some of the busiest shopping days of the year.

“We didn’t take many losses from Target even though there were way more compromised cards. The losses were from URM, because they were using that information right away,” said Jason Kolberg, director of ERM and data management at Missoula Federal Credit Union. According to Kolberg, the smaller, more localized URM attack resulted in quicker fraud that hit local financial institutions especially hard.

There are ways to reduce the risk of fraud besides PIN changes and card reissuance, of course. Financial institutions and payment processors monitor cards for signs of fraud, such as sudden use outside the cardholder’s region or other unusual patterns of behavior. These methods are not bulletproof, but banks must weigh the uncertain risk of fraud if they do not reissue a card against the definite costs and hassle for the consumer if they do.
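The monitoring just described, and the reason the Target dumps were sold with the store’s ZIP code (see 7.4.2), can be made concrete with a small simulation. The following Python is an added example, not code from the book or from any bank: it runs the geographic rule the text describes, plus an “impossible travel” rule that the text only alludes to under “other unusual patterns,” over a constructed transaction stream for one card. The store coordinates, ZIP codes, timestamps, the 100-mile home radius and the 600 mph ceiling are all assumptions.

```python
"""Added example, not code from the book or from any bank: two simple
card-fraud rules run over a constructed transaction stream for one card.
Store coordinates, ZIP codes, timestamps and thresholds are all made up."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

# Constructed store locations, keyed by ZIP code: (latitude, longitude).
STORES = {
    "55403": (44.97, -93.28),  # the cardholder's home area
    "55416": (44.95, -93.35),  # a store a few miles from home
    "33101": (25.77, -80.19),  # a store roughly 1,500 miles away
}
HOME_ZIP = "55403"
REGION_RADIUS_MILES = 100.0  # assumed "home region" radius for the region rule
MAX_PLAUSIBLE_MPH = 600.0    # assumed ceiling on travel speed between two card-present uses

Verdict = Tuple[str, List[str]]


def miles(zip_a: str, zip_b: str) -> float:
    """Great-circle distance between two stores (haversine; Earth radius in miles)."""
    (lat1, lon1), (lat2, lon2) = STORES[zip_a], STORES[zip_b]
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(a))


def out_of_region(txn: Dict) -> bool:
    """The rule the text describes: flag card-present use far from the cardholder's home."""
    return miles(txn["zip"], HOME_ZIP) > REGION_RADIUS_MILES


def impossible_travel(prev: Optional[Dict], txn: Dict) -> bool:
    """Flag a card-present use too far from the previous one to have been the same person."""
    if prev is None:
        return False
    hours = (txn["time"] - prev["time"]).total_seconds() / 3600.0
    distance = miles(prev["zip"], txn["zip"])
    if hours <= 0:                       # simultaneous uses at two different stores
        return distance > 0.0
    return distance / hours > MAX_PLAUSIBLE_MPH


def score(transactions: List[Dict]) -> List[Verdict]:
    """Run both rules over one card's stream in time order; return (id, flags) per transaction."""
    verdicts: List[Verdict] = []
    prev: Optional[Dict] = None
    for txn in sorted(transactions, key=lambda t: t["time"]):
        flags = []
        if out_of_region(txn):
            flags.append("out_of_region")
        if impossible_travel(prev, txn):
            flags.append("impossible_travel")
        verdicts.append((txn["id"], flags))
        prev = txn
    return verdicts


def make_txn(txn_id: str, zip_code: str, hhmm: str) -> Dict:
    """Build one constructed card-present transaction on a single day."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    return {"id": txn_id, "zip": zip_code, "time": datetime(2013, 12, 21, hour, minute)}


def demo() -> Dict[str, List[Verdict]]:
    """Three constructed streams showing what each rule does and does not catch."""
    return {
        # A clone used far from home: the region rule alone is enough to catch it.
        "naive_clone": score([make_txn("home-1", "55403", "09:00"),
                              make_txn("clone-far", "33101", "09:20")]),
        # The dump was sold with the store's ZIP, so the clone is used near home:
        # neither rule fires, which is exactly why the geography was worth paying for.
        "local_clone": score([make_txn("home-2", "55403", "12:00"),
                              make_txn("clone-near", "55416", "12:10")]),
        # The cardholder is travelling while the clone is used near home: the region rule
        # flags the genuine purchase (a false positive) and the velocity rule flags the clone.
        "travelling_holder": score([make_txn("holder-away", "33101", "15:00"),
                                    make_txn("clone-near-2", "55416", "15:40")]),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The middle stream is the point: a clone used near the cardholder’s home is indistinguishable from the cardholder to both rules. Only when the genuine card shows up somewhere else at about the same time does anything fire, and then the crude region rule flags the wrong transaction while the velocity rule flags the right one.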

7.5 Chip and Scam

After the Target breach, there was widespread public anger. Consumers were upset. Merchants were upset. Banks and credit unions were upset.

Retailgeddon triggered widespread scrutiny of payment card system security. Recall that the payment card system is fundamentally insecure: You have a long number that you’re supposed to keep very secret, but then you have to give it to lots of people in order to use it. The problem is obvious. For years, fraud had skyrocketed, and the card brands had continually pushed responsibility (and liability) down to banks and merchants, using the PCI DSS and contractual obligations.

At the same time, alternate payment solutions were taking off. PayPal was rapidly expanding its merchant services offerings, enabling consumers to pay at brick-and-mortar stores using their phones.180 Less than a year after the Target breach, ApplePay was publicly launched, followed quickly by Samsung Pay and Android Pay. These solutions used tokenization, substituting a device-specific surrogate number for the real card number, and therefore removed the need for merchants to handle payment card numbers at all. That meant that if alternate payment solutions were widely implemented, payment card breaches could become a thing of the past, at least for merchants, and much of their PCI DSS compliance burden would go with them.

180. Verne G. Kopytoff, “PayPal Prepares to Expand Offline,” Bits (blog) New York Times, September 15, 2011, https://bits.blogs.nytimes.com/2011/09/15/paypal-prepares-for-a-move-offline.

The card brands moved swiftly to establish a different dialogue. In the aftermath of the Target breach, Visa and Mastercard proclaimed vehemently that the problem was that the United States was not using chip-and-PIN (EMV) cards like Europe. However, as we will see, EMV technology would not actually have helped Target or other retailers avoid a data breach. The card brands owned the EMV technology and many patents related to it, and so they benefited from widespread adoption of “the chip.”

Merchants poured their money into new POS terminals that supported EMV, instead of focusing on PayPal, ApplePay, and other alternative solutions that actually would reduce their risk of a breach (not to mention their compliance requirements).

To this day, the effects of the post-Target EMV push still linger. In this section, we will show how Retailgeddon led to the mass adoption of EMV technology, which in turn redirected funds that might otherwise have gone towards alternate payment solutions. As a result, payment card data breaches remain a widespread problem.

7.5.1 Alternate Payment Solutions

The best way to prevent payment card data breaches from occurring is to get rid of payment card data in the first place. Far from being a pipe dream, this was already being put into practice by PayPal and others at the time that Target was breached. Apple was preparing for the global rollout of ApplePay, which was poised to change the game.

When ApplePay launched in September 2014 (just weeks after the giant Home Depot breach), CEO Tim Cook called attention to the security benefits, saying: “We’re totally reliant on the exposed numbers, and the outdated and vulnerable magnetic interface—which by the way is five decades old—and the security codes which all of us know aren’t so secure.”181

181. Shirley Li, “Apple Pay Might Just Make Mobile Wallets Finally Happen,” Atlantic, September 9, 2014, https://www.theatlantic.com/technology/archive/2014/09/apple-pay-coin-softcard-google-wallet-might-just-make-mobile-wallets-finally-happen/379899/.

ApplePay and similar products allow consumers to pay by tapping their phone to the merchant’s POS system. The phone and terminal communicate wirelessly via near-field communication (NFC); the exchange follows the EMV contactless specifications but typically completes far faster than a chip insertion, so there is no need for the cardholder to swipe a terribly insecure magnetic stripe or hold up the line waiting for a long chip transaction. More importantly, the terminal never sees the real card number. The phone presents a device-specific surrogate number (Apple calls it the Device Account Number) together with a one-time cryptogram, and only the card network’s token service can map that surrogate back to the actual account. A criminal scraping the POS system’s memory gets a token that is bound to that device and a cryptogram that cannot be replayed, so there is nothing reusable to steal.

Logically, a mass migration to mobile payment systems that leveraged tokenization would have been smart. Merchants would no longer have to bear the risk of processing credit card numbers since they would never receive them. Consumers could even be protected by biometric authentication (such as TouchID on the iPhone), and conveniently they could use their phones to pay with any number of accounts.

7.5.2 Card Brands Push Back

The card associations had a different plan. Instead, they pushed harder for the world to adopt EMV (widely known as “the chip”).

EMV cards are a type of “smart card” used to provide increased security and additional feature options for credit card transactions, such as improved support for offline transactions. “Smart cards” are what they sound like: cards that are “smarter” than old-fashioned magnetic stripe cards. They have a small computer chip built in. When used with a reader, the smart card can perform complex processes, such as cryptographic authentication.

Traditionally, credit cards in the United States carried a magnetic stripe with the account data encoded on it. Magnetic stripe cards are quite easy to copy, and criminals routinely steal data from the stripe and copy it onto new cards. This is particularly easy in restaurants, where a server can walk into a different room with the customer’s card and run it through a handheld reader. Criminals can also install credit card “skimmers” on top of the normal card slot at gas pumps and other payment terminals.

EMV is widely used throughout Europe and has recently been more widely adopted in the United States. There are two common ways that users authenticate themselves with EMV cards: “chip-and-PIN” or “chip-and-signature.”

  • Chip-and-PIN: When a card is configured for “chip-and-PIN,” the cardholder has to enter a PIN in addition to inserting the card at the time of purchase. The PIN is verified either by the chip itself (offline PIN) or by the issuing bank (online PIN), so a counterfeit card is useless without it.

  • Chip-and-Signature: With the “chip-and-signature” system, users do not have a PIN. They verify their identity (in theory) using a signature. However, since most merchants do not check the validity of the user’s signature, this is a less secure method of authentication compared with chip-and-PIN.

7.5.3 Changing the Conversation

Just a few weeks after the Target breach was announced, Mastercard executive Chris McWilton released a statement:

“In the wake of the recent reported merchant data breach, chip technology has gained even greater interest and rightfully so. . . . Mastercard continues to believe that now is the time to migrate to EMV in the U.S.”182

182. Chris McWilton, “Customer Letter,” Mastercard, January 8, 2014, https://newsroom.mastercard.com/wp-content/uploads/2014/01/C-McWilton-Customer-Letter-01-07-14.pdf.

Visa, too, chimed in. “Visa is committed to ensuring our network operates at the highest level of security available and will continue to move the industry toward the adoption of new safeguards including EMV chip technology,” said Visa’s CEO, Charlie Scharf.

The card brands had already announced an October 1, 2015, deadline for U.S. merchants to switch to EMV-capable POS devices. After the Target breach, they advertised it with renewed vigor. The “liability shift,” they emphasized, was not a mandate. Rather, any merchant that had not switched to using EMV would find themselves liable for certain types of fraud.

For example, if a criminal copied stolen track data onto the magnetic stripe of a counterfeit card and swiped it at a merchant’s non-chip-enabled terminal, the merchant would be liable for the fraud, not the card-issuing bank. (If the card itself had no chip, liability stayed with the issuer; the shift moved liability to whichever party had not adopted EMV.) The rationale was that if there was fraud that EMV terminals could protect against, then the merchant would be left holding the bag since it chose not to use the available technology to prevent it.

7.5.4 Preventing Data Breaches . . . Or Not

EMV cards are far more difficult to clone than magnetic stripe cards. The stripe holds static data that any reader can copy, whereas the chip holds a secret key that never leaves it and uses that key to compute a unique cryptogram for every transaction, which the issuer verifies before approving. Without the key, a copy of what the chip sent cannot produce the next cryptogram. As a result, EMV helps to reduce certain types of fraud in which criminals make counterfeit copies of cards and use them for in-store purchases.

However, EMV does not reduce the risk of a data breach. The chip sends the account number and expiration date to the terminal in the clear; only the cryptogram is dynamic. Criminals can therefore still steal payment card information from the memory of a POS system, as they did at Target and Home Depot. Once the card data is stolen, the number can be used for card-not-present purchases, and data captured from magnetic stripe swipes can still be copied onto a non-EMV card and used to make fraudulent purchases at retailers that accept magnetic stripe cards (which, at the time, virtually all did). One caveat: the track data a chip emits carries a different verification value (the iCVV) from the one encoded on the physical stripe, so an issuer that actually checks that value will reject a counterfeit stripe built from chip-read data. The counterfeit-stripe path therefore depends on data captured from swipes, as at Target.

As Krebs bluntly put it: Zero is “[t]he number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions).”183

183. Brian Krebs, “The Target Breach, By the Numbers,” Krebs on Security (blog), May 6, 2014, https://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/.
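What a terminal, and therefore a memory-scraping criminal, actually sees is the crux of both the tokenization argument in 7.5.1 and the cloning argument above. The following Python is an added example, not code from the book, from Apple, or from EMVCo: it models a toy issuer and three ways of presenting the same account (magnetic stripe, EMV chip, tokenized mobile wallet), captures the genuine transaction exactly as a scraper would, and then tries to reuse the capture three ways. The keys, account numbers, the HMAC standing in for the EMV cryptogram, the iCVV value, the per-channel token restriction, and the rule that an online purchase needs only PAN plus expiry are all constructed assumptions; real messages and issuer checks are far richer.

```python
"""Added example, not code from the book or from any payment vendor: what a
RAM scraper on a point-of-sale terminal captures under three card technologies
(magnetic stripe, EMV chip, tokenized mobile wallet), and what a fraudster can
do with the capture afterwards. The issuer, keys, account numbers and message
fields are constructed and far simpler than real EMV or tokenization messages."""
import hashlib
import hmac
import secrets

PAN = "4111111111111111"            # constructed test account number
EXPIRY = "1225"
CVV1 = "123"                        # static verification value encoded on the stripe
ICVV = "456"                        # the different value a chip puts in its track-2 data
CHIP_KEY = secrets.token_bytes(16)  # secret key that never leaves the chip
DAN = "4999000011112222"            # device account number (token) provisioned to a phone
DAN_KEY = secrets.token_bytes(16)   # key held in the phone's secure element


def cryptogram(key: bytes, pan: str, atc: int, amount: int) -> str:
    """Per-transaction MAC standing in for an EMV ARQC (assumption)."""
    return hmac.new(key, f"{pan}|{atc}|{amount}".encode(), hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Toy issuer host for one cardholder; the ATC (transaction counter) gives replay detection."""

    def __init__(self) -> None:
        self.last_atc = {"chip": 0, "token": 0}

    def authorize(self, msg: dict) -> bool:
        kind = msg["kind"]
        if kind == "magstripe":   # static data: any exact copy of the stripe is accepted
            return msg["pan"] == PAN and msg["cvv"] == CVV1
        if kind == "cnp":         # online checkout in this model needs only PAN + expiry
            return msg["pan"] == PAN and msg["exp"] == EXPIRY
        if kind == "chip":
            key, pan = CHIP_KEY, PAN
        elif kind == "token":     # the token is domain-restricted to the NFC channel
            key, pan = DAN_KEY, DAN
            if msg.get("channel") != "nfc":
                return False
        else:
            return False
        expected = cryptogram(key, pan, msg["atc"], msg["amount"])
        ok = (msg["pan"] == pan and msg["atc"] > self.last_atc[kind]
              and hmac.compare_digest(msg["cryptogram"], expected))
        if ok:
            self.last_atc[kind] = msg["atc"]
        return ok


def genuine(kind: str, atc: int, amount: int) -> dict:
    """The message a legitimate card-present transaction leaves in POS memory."""
    if kind == "magstripe":
        return {"kind": kind, "pan": PAN, "exp": EXPIRY, "cvv": CVV1, "amount": amount}
    if kind == "chip":   # PAN and expiry are still in the clear; only the cryptogram is dynamic
        return {"kind": kind, "pan": PAN, "exp": EXPIRY, "cvv": ICVV, "atc": atc,
                "amount": amount, "cryptogram": cryptogram(CHIP_KEY, PAN, atc, amount)}
    return {"kind": "token", "pan": DAN, "exp": EXPIRY, "channel": "nfc", "atc": atc,
            "amount": amount, "cryptogram": cryptogram(DAN_KEY, DAN, atc, amount)}


def fraud_after_scrape(issuer: Issuer, captured: dict) -> dict:
    """Three things a criminal tries with a message scraped from POS memory."""
    replay = issuer.authorize(dict(captured))                       # 1. replay it verbatim
    stripe = issuer.authorize({"kind": "magstripe", "pan": captured["pan"], "exp": captured["exp"],
                               "cvv": captured.get("cvv", ""), "amount": 50})  # 2. counterfeit stripe
    online = issuer.authorize({"kind": "cnp", "pan": captured["pan"], "exp": captured["exp"],
                               "amount": 50})                        # 3. card-not-present purchase
    return {"replay": replay, "counterfeit_stripe": stripe, "online": online}


def scenario(kind: str) -> dict:
    """Authorize one genuine purchase, scrape it, then see what the scrape is good for."""
    issuer = Issuer()
    msg = genuine(kind, atc=7, amount=40)
    if not issuer.authorize(msg):
        raise RuntimeError("genuine transaction should be approved")
    return fraud_after_scrape(issuer, dict(msg))


if __name__ == "__main__":
    for kind in ("magstripe", "chip", "token"):
        print(f"{kind:10s} -> {scenario(kind)}")
```

The stripe capture is good for everything. The chip capture cannot be replayed or turned into a counterfeit stripe (the transaction counter and the iCVV stop that), but the PAN and expiry it exposes still buy goods online, which is exactly Krebs’s point. Only the tokenized capture is worthless in all three cases, because the terminal never held the real account number.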

Experience in Europe suggests that EMV does not reduce fraud overall. In European countries, card-present fraud declined after EMV deployment, but card-not-present fraud went up.184 Criminals simply used stolen card data to make online purchases instead of committing in-person fraud.

184. Benjamin Dean, “What You Will Pay for a More Secure Credit Card,” Fortune, October 1, 2015, http://fortune.com/2015/10/01/pay-secure-credit-card.

“EMV doesn’t really help in any way regarding a data breach,” said Greg Buzek, president of IHL Group, a technology research firm that focuses on retail and hospitality. “EMV also does nothing to help keep online transactions secure.”185

185. Glenn Taylor, “EMV ‘Money Pit’ Set to Cost Retailers $35 Billion,” Retail Touch Points, July 24, 2015, https://www.retailtouchpoints.com/topics/pos-payments-emv/emv-money-pit-set-to-cost-retailers-35-billion.

This raises the question: If EMV doesn’t actually prevent data breaches or reduce fraud overall, why did the card associations want it adopted after the Target breach?

7.5.5 Who Owns the Chip?

The card brands had another reason to push merchants to EMV: They owned it. The acronym itself stands for “Europay, Mastercard, and Visa,” which were the three card brands that originally developed the standard. The brands formed a company, EMVCo, LLC (registered in the state of Delaware), to develop and manage the EMV standards. Today, EMVCo is owned by American Express, JCB, Mastercard, Discover, UnionPay and Visa. According to EMVCo’s website, “EMV is a registered trademark or trademark of EMVCo, LLC in the United States and other countries around the world. Dating back to 1999, EMV refers to all of the specifications administered by EMVCo.”186

186. “The Trademark Centre,” EMVCo, accessed January 17, 2018, https://www.emvco.com/about/trademark-centre.

According to a study published by IPWatchdog, as of 2015 Mastercard held the most EMV-related patents (22.3%). Visa held 4.5%. These card brands had a vested interest in forcing a mass deployment of EMV in the United States.

7.5.6 Public Opinion

Visa’s and Mastercard’s statements following the Target breach left the public with the mistaken impression that EMV would have helped prevent the breach and that Target was remiss by not having deployed it. “Consumers are also looking to EMV for renewed confidence in the payments system,” reported CreditCards.com after the Target breach.187

187. Tamara E. Holmes, “Data Breaches Turn Spotlight on EMV Cards,” CreditCards.com, February 7, 2014, https://www.creditcards.com/credit-card-news/data_breaches-spotlight-EMV_chip_cards-1273.php.

Target itself was quick to perpetuate the EMV myth, spinning it as a nationwide failing. “I think what we’ve seen is vulnerability in our system,” said the company’s CEO, in his first interview following the breach. “In the United States, we’re using mag-stripe technology. And that’s old technology . . . there’s a better way and it’s called EMV technology. . . . And we think it’s time for America to make that commitment to get to that standard.”188

188. CNBC, “CNBC Exclusive.”

Under fire, Target quickly reacted by announcing that it would spend $100 million upgrading its POS systems to support EMV. “Still pushing to right itself after an enormous data breach by cybercriminals, Target announced on Tuesday that it would switch its debit and credit cards over to a more secure technology by early next year, most likely making it the first major retailer in the country to do so.”189

189. Elizabeth A. Harris, “After Data Breach, Target Plans to Issue More Secure Chip-and-PIN Cards,” New York Times, April 29, 2014, https://www.nytimes.com/2014/04/30/business/after-data-breach-target-replaces-its-head-of-technology.html.

Even though EMV wasn’t an effective remedy for data breaches, the public bought the card associations’ story hook, line, and sinker. This gave Target a straightforward way to proclaim its infrastructure “secure,” thereby regaining the public’s trust. It jumped on the bandwagon, spent the money, and “upgraded” to EMV.

7.5.7 Worth It?

Many observers questioned whether the shift to EMV was worth the cost. The National Retail Federation estimated that the total cost to the industry would be $30 to $35 billion.190 This included the costs of new equipment, software, certification fees, installation, and training, as well as $1.2 billion for new chip cards.191

190. David French, “Hearing on the EMV Deadline and What it Means for Small Businesses,” NRF, October 7, 2015, https://nrf.com/sites/default/files/ChipAndPin-2015-SmallBusiness-HearingStatement.pdf.

191. “Retail’s $35 Billion ‘Money Pit’: Product Overview,” IHL Group, accessed January 17, 2018, http://www.ihlservices.com/product/emv.

EMV also hit merchants in the wallet in other ways. It took longer for consumers to pay using an EMV card, slowing the checkout process. “On average, it takes between seven to 10 seconds to pay using a chip card versus two to three seconds to pay using a traditional swipe credit card,” explained Jared Isaacman, founder and CEO of Harbortouch, a POS system vendor.192

192. Stacey Wescoe, “EMV Cards Could Slow Holiday Shopping Lines,” LVB.com, November 30, 2015, accessed January 17, 2018, http://www.lvb.com/article/20151130/LVB01/311259997/emv-cards-could-slow-holiday-shopping-lines.

Merchants pushed back at the whole prospect of transitioning from magstripe to EMV, fearing longer lines and loss of sales. At ADA Bar in Chicago, server Michelle Szot broke down the numbers. “At a 300 [customers] a night blues bar, that’s gonna suck . . . every four cards adds up to a minute,” she said. “Every couple of seconds that gets tacked on is another drink you can’t get served. . . . It’s money that you could’ve made—it’s money the bar could’ve made.”193

193. Matthew Sedacca, “Chip Cards are Going to Ruin Your Night Out at the Bar,” VinePair, August 17, 2016, https://vinepair.com/articles/the-new-credit-card-chips-are-a-disaster-for-bartenders-and-customers.

Retailers were wary, to the point where many purposefully disabled chip readers during peak shopping times. The week before Christmas in 2015, just two months after the liability shift deadline, CVS disabled its EMV systems during checkout. “CVS probably wasn’t the only retailer to do that,” reported Quartz magazine. “[T]he solution for longer lines wasn’t to make checkouts faster but to completely bypass the new security feature during the busiest shopping season of the year.”194

194. Ian Kar, “The Chip Card Transition in the US Has Been a Disaster,” Quartz, July 29, 2016, https://qz.com/717876/the-chip-card-transition-in-the-us-has-been-a-disaster.

7.5.8 No Chip, Please Swipe

Consumers watched in confusion as retailers across the nation purchased new POS systems that sat on their counters, with little cards in the EMV slot that read “No Chip” or “Please Swipe.” In many cases, these new devices sat idle for months or years.

This was especially perplexing because the new POS systems were expensive. Deploying a new POS infrastructure required investing in new equipment and labor. There was also apparently a shortage of equipment; retailers that ordered new POS devices in advance of the deadline found that there was a four-month wait simply to receive the devices.198 Once the liability deadline passed, merchants were liable for certain fraudulent transactions that were conducted without EMV, and so they had strong incentive to immediately put the new features to use.

198. Kar, “Chip Card Transition.”

Mysteriously, thousands of new POS devices still sat on counters, with their EMV capabilities unused. They sat for so long that a new industry sprang up: manufacturers peddled cards to fit into EMV reader slots that said “Chip reader coming soon,” and “Please swipe card instead!” These were touted as a “[s]imple reminder to customers that the chip reader is not functional.”199 Some vendors even offered customized cards featuring the merchant’s logo.

199. Chip Reader Messages, “Chip Reader Messages - 20 Card Set,” Amazon, accessed October 1, 2018, https://www.amazon.com/Chip-Reader-Messages-Card-Set/dp/B01HSUF5Y0/.

Why?

7.5.8.1 EMV Certification Bottleneck

It turned out that upgrading to EMV wasn’t so simple, because every POS device had to pass EMV certification, a process controlled by EMVCo, which, not coincidentally, was owned by the six major card brands. There were three levels of certification. Levels 1 and 2 (the terminal hardware and the EMV software kernel) could be completed by the manufacturer of the POS device. Merchants with more complex, integrated setups also needed to be “level 3” certified, in which each card brand and acquirer tests the end-to-end integrated system.

Certification itself could be an expensive process. “Usually, EMV certification involves an administrative fee (charged by acquirers), ranging between $2,000 and $3,000 for every formal test script run,” explains online payment blog Paylosophy. “An average cost of EMV toolkit (which is used in every EMV certification) ranges from $10,000 to $30,000 per user license.”200 Each acquirer that processes cards charges its own fees and accepts only certain toolkits, so merchants can end up paying these fees multiple times.

200. “EMV Certification in a Nutshell,” Paylosophy, accessed January 17, 2018, http://paylosophy.com/emv-certification-nutshell.

All of the POS manufacturers and software providers had to get their terminals approved, and the approvals came from a single body, EMVCo (the testing itself is performed by EMVCo-accredited laboratories). The result was a widespread backlog of certification requests. Providers also had to pay hefty fees to EMVCo just to start the process, fees that undoubtedly were passed along to merchants in the price of the products. Providers must also pay EMVCo additional “renewal” fees regularly. The fee structures are listed in obscure PDF “bulletins” buried within EMVCo’s website. As an example, EMVCo’s card approval and renewal fees at the time of writing ranged from $5,500 to $6,000.201

201. EMVCo, “Card Approval Fee Change Notification,” EMVCard Type Approval Bulletin 26, 4th ed., (October 2018), https://www.emvco.com/wp-content/uploads/documents/CTA_Bulletin_No_26_4th_Ed_-_CA_ApprovalFeeChangeNotification_20181005.pdf (accessed July 31, 2019).

After the devices themselves were certified, merchants then had to apply for their own level 3 certifications. In this complex process, merchants negotiate with each card brand and acquirer. The cost of level 3 certification varies depending on the size and complexity of each merchant’s infrastructure, but reportedly can range from hundreds up to tens of thousands of dollars.202

202. “EMV Costs, Certifications and More: What You Need to Know Before the Migration,” QuickBooks, accessed January 17, 2018, https://quickbooks.intuit.com/r/emv-migration/emv-costs-certifications-and-more-what-you-need-to-know-before-the-migration.

7.5.8.2 Time Takes Its Toll

As merchants waited for EMVCo, card brands, and acquirers to slowly process the large volume of certification requests, the EMV liability shift deadline came and went. In California, two retailers filed a lawsuit against the card brands, claiming that “[c]ard fraud continued as merchants awaited certification. But because the EMV deadline shifted liability to the noncompliant party, that means that any fraudulent transaction in which a chip card was swiped because of a non-activated terminal fell on the shoulders of the merchants. The two plaintiffs complained they faced 88 chargebacks worth over $9,000 on top of a $5-per-transaction fee—a significant financial burden.”204

204. BI Intelligence, “Small Businesses are Moving Ahead with an EMV Lawsuit,” Business Insider, October 10, 2016, http://www.businessinsider.com/small-businesses-are-moving-ahead-with-an-emv-lawsuit-2016-10.

In the spring of 2016, U.S. Senator Richard Durbin wrote a scathing letter to EMVCo, saying that “[t]he 2015 transition to EMV in the United States has been plagued by problems that have burdened retailers and consumers and hampered EMVCo’s goal of reducing fraud. For example, many merchants that have purchased EMV card reader technology have been unable to use it because of backlogs in the EMV software certification process. Also, many consumers have been discouraged from using EMV cards because of the long amount of time the transactions take at the retail counter.”

Senator Durbin cited the lack of “diverse stakeholder representation” in EMVCo’s leadership as the underlying issue. “[C]onsumers, financial institutions, merchants, processors, technology companies, and smaller payment networks . . . do not have a meaningful vote in any EMVCo decisions,” he wrote. In fact, in order for diverse stakeholders to have any representation at all, they have to sign up for the EMVCo subscriber service, which costs $750 for individuals or $2,500 for companies.205

205. “EMVCo Subscriber Programme,” EMVCo, accessed January 17, 2018, https://www.emvco.com/get-involved/subscribers.

“It appears that EMVCo is currently run by the big card networks for the big card networks,” Durbin concluded.206

206. Dick Durbin, “Durbin Questions Whether Credit/Debit Card Chip Technology Rollout Is Adequately Protecting Competition & Consumers,” Dick Durbin, U.S. Senator, Illinois (website), press release, March 17, 2016, https://www.durbin.senate.gov/newsroom/press-releases/durbin-questions-whether-credit-/-debit-card-chip-technology-rollout-is-adequately-protecting-competition-and-consumers; Dick Durbin, “Letter from Senator Durbin to Director of Operations Brian Byrne,” Dick Durbin, U.S. Senator, Illinois (website), May 11, 2016, https://www.durbin.senate.gov/imo/media/doc/Letter%20from%20Senator%20Durbin%20to%20EMVCo%20Director%20of%20Operations%20Brian%20Byrne%20-%20May%2011,%202016.pdf.

7.5.8.3 Draining Resources

A long-term effect of Retailgeddon was to spur the adoption of EMV technology. Ironically, the EMV rollout actually did little to reduce the risk of payment card data breaches. Instead, it redirected resources and attention away from technologies that might have actually helped.

“[Twelve] years ago when EMV was introduced into Europe it made tremendous sense,” said Greg Buzek, founder of research firm IHL Group. “Today, it stands in the way of real data security by stealing critical budget away from focusing on the risks that retailers face from online hackers.”207

207. “EMV: Retail’s $35 Billion ‘Money Pit,’” BusinessWire, June 3, 2015, http://www.businesswire.com/news/home/20150603006366/en/EMV-Retails-35-Billion-Money-Pit (accessed January 17, 2018).

By moving quickly and forcefully to push the adoption of EMV, the card brands successfully shifted public attention (and dollars) away from the alternative payment solutions. “Mobile commerce provides merchants with the opportunity to communicate with their customers and target and serve their most profitable and desirable consumers better with a solution that is potentially more secure than what exists today at the physical point of sale,” observed Karen Webster, CEO of Market Platform Dynamics. “The deployment of EMV only forces them to divert attention and resources away from something that adds value to the consumer as well as the merchant and the overall payments system.”208

208. Karen Webster, “6 Reasons to Call an EMV ‘Time Out,’” PYMNTS.com, March 23, 2014, https://www.pymnts.com/news/2014/6-reasons-to-call-an-emv-time-out.

In October 2015, on the threshold of the EMV liability shift deadline, the National Retail Federation submitted a blistering statement to Congress, calling attention to the fact that the transition financially benefited the card brands and threatened their competitors:209

209. French, “Hearing on the EMV Deadline.”

If businesses can be forced to quickly install, at significant expense, the kinds of equipment that is most compatible with EMV Co.’s and the card companies’ future business plans (EMV Card Personalization; Chip-based contact specifications—near field communications technology, etc.) then competitive alternatives, such as new mobile platforms (e.g. Starbucks-style payment programs) may effectively be locked out of the market.

It was clear that there was a conflict of interest within the payment card governance system, one that at times may have caused profits to supersede security.

7.6 Legislation and Standards

Retailgeddon spurred a flurry of legislative activity. Six congressional committees held hearings on data security and data breaches in the months following the Target breach. Due in part to the intense public scrutiny of Target’s notification delay, there was a great deal of discussion regarding the lack of a national data breach notification law in the United States, which had resulted in a confusing patchwork of state laws. Several bills were introduced in the U.S. House and Senate that sought to establish proactive security standards, as well as a national data breach notification regulation.

Attorney General Eric Holder gave Congress a big push, publishing a video statement in which he called for national legislators to act.210 The Federal Trade Commission, which opened an investigation of the Target breach, took the opportunity to push for an expansion of its authority to regulate cybersecurity. In March 2014, Chair Edith Ramirez testified before the Senate Committee on Commerce, Science, and Transportation. “Legislation in both areas—data security and breach notification—should give the FTC the ability to seek civil penalties to help deter unlawful conduct, jurisdiction over non-profits, and rulemaking authority under the Administrative Procedure Act,” said Ramirez.211

210. Tom Risen, “FTC Investigates Target Data Breach,” US News, March 26, 2014, https://www.usnews.com/news/articles/2014/03/26/ftc-investigates-target-data-breach.

211. Federal Trade Commission, Data Breach on the Rise: Protecting Personal Information From Harm (Washington, DC: U.S. Senate, April 2, 2014), https://www.ftc.gov/system/files/documents/public_statements/296011/140402datasecurity.pdf.

None of the proposed federal legislation passed. Cybersecurity regulation had the potential to significantly increase risks and costs for businesses. While there was widespread support from consumers, businesses were tepid about the prospect. A federal breach notification standard could have greatly simplified breach response, but there were many questions about conflicts with existing state laws.212

212. N. Eric Weiss and Rena S. Miller, The Target and Other Financial Data Breaches: Frequently Asked Questions (Report R3496, Congressional Research Service, February 4, 2015), https://fas.org/sgp/crs/misc/R43496.pdf.

The National Retail Federation, which was in a delicate position, reiterated its support for a national data breach notification standard213 but cautioned that it was “wary of legislation that would create ‘over-notification’ standards that could desensitize the public from the most significant threats.”214

213. Alina Selyukh, “New Hopes for U.S. Data Breach Law Collide with Old Reality,” Reuters, February 11, 2014, https://www.reuters.com/article/us-usa-security-congress/new-hopes-for-u-s-data-breach-law-collide-with-old-reality-idUSBREA1A20O20140211.

214. Risen, “FTC Investigates Target Data Breach.”

Still, the move toward a national cybersecurity standard inched forward. In February 2014, the Obama administration announced the release of the Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology (NIST).215 The new framework was the result of a year-long initiative, launched the previous February with Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity.216

215. National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cyber-security v.1.0 (Framework Paper, NIST, Washington, DC, February 12, 2014), https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf.

216. Office of the Press Secretary, “Executive Order Improving Critical Infrastructure Cybersecurity,” The White House, President Barack Obama (website), February 12, 2013, https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.

The framework was not a federal regulation. It was not mandatory for any organization. Rather, it was an act of leadership that established a “common language to address and manage cybersecurity risk in a cost-effective way based on business needs.”217

217. NIST, Framework.

While the new NIST Cybersecurity Framework (as it was commonly referred to) had been “in the works” long before the Target breach was announced, its release in February 2014 could not have been better timed. There was widespread public support for cybersecurity initiatives and a clear need for a national standard. Over the next few years, many entities—from regulatory bodies such as the Securities and Exchange Commission and the Federal Financial Institutions Examination Council, to private businesses and nonprofits—began referring to the NIST Cybersecurity Framework and encouraging their communities to leverage it.

7.7 Conclusion

The Target breach represented a turning point for payment card data breaches. Whereas once merchants could expect their breaches to remain under wraps for weeks, months, or more, now they could be publicly exposed by the mainstream media even before they themselves knew what had happened. This shift was driven in large part by investigative journalist Brian Krebs, who paved the way for reporting based on dark web research and tips from a cadre of banks and credit unions. This new model drove savvy retailers to adopt stronger crisis communications programs and invest in data breach prevention and response. Those that did not often paid a heavy price.

The massive fraud and card replacement costs caused by the Retailgeddon breaches triggered a widespread public outcry. The card brands quickly pushed the adoption of EMV as a solution, even though there was no evidence that it reduced the risk of large-scale data breaches. Instead, EMV drained resources from merchants who otherwise might have invested in newer payment technologies that were genuinely more secure. As a result, payment card data breaches remain an epidemic today. Ultimately, consumers paid the price and businesses suffered.

On the plus side, Retailgeddon brought cybersecurity to the forefront of public dialogue and spurred support for initiatives such as the NIST Cybersecurity Framework. It also brought to light the risks posed by supplier vulnerabilities and breaches, which we will discuss further in the next chapter.
