
Lessons from the Target Data Breach

June 7, 2024 (updated December 7, 2025)

In September 2013, employees at Fazio Mechanical, an HVAC contractor, were going about their usual work. Fazio held a contract with Target and had been given access to Target's vendor web applications for billing, contract submission and project management. One phishing email changed everything: it started a chain of events that led to one of the largest retail data breaches on record.

The Attack Begins

A Fazio employee opened a PDF attachment that looked harmless. Instead, it installed the Citadel trojan, a credential-stealing banking trojan derived from Zeus. Citadel logged keystrokes, took screenshots and could record video of the desktop. It could also inject fake form fields into legitimate web pages (so-called web injects) to trick users into typing in extra sensitive information.

Fazio's endpoint protection was weak: it relied on the free edition of Malwarebytes, which scans on demand and offers no real-time protection, so the trojan ran unhindered. The attackers harvested credentials for Target's contractor-only web portals. Those credentials did not give direct access to the servers, but a flaw in the portal reportedly let the attackers execute code remotely, and they used it to plant a backdoor on Target's servers.

How the Breach Happened

As in the Heartland breach, the attackers likely used SQL injection or uploaded malicious scripts through a document-upload feature; the exact vector was never published. Either route let them execute code on the web server and gain a foothold inside Target's network. Over roughly two months they worked their way through the internal network and took control of a web server. Their goal was card data from the point-of-sale (POS) systems.

Gaining Unauthorized Access

The attackers exploited weak passwords, missing security updates and weaknesses in the Active Directory configuration to escalate their privileges, eventually obtaining high-level accounts up to Domain Administrator. Target had no effective network segmentation or firewalling between the corporate network and the payment environment, so the POS systems were reachable from the compromised corporate side.

Stealing Credit Card Data

The attackers installed BlackPOS malware on the POS systems. BlackPOS is a memory scraper: it reads the memory of POS processes, where card track data sits unencrypted between the swipe and the authorization request, and copies out anything that looks like a card record. The stolen records were encrypted and stored locally, periodically moved to a compromised internal server, and from there uploaded to an FTP server in Russia. The theft ran for weeks before it was noticed. Card data for about 40 million credit and debit cards was taken, along with names, addresses, phone numbers and email addresses for about 70 million customers.
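To make the memory-scraping step concrete, here is an added example (my own code, not BlackPOS and not anything from Target's investigation) of the core technique: scan a byte buffer for ISO/IEC 7813 track 1 and track 2 records and keep only those whose PAN passes the Luhn check, which is how a scraper separates real card data from digit noise. The same logic, pointed at a live process's memory, is also how defenders hunt for cleartext track data on registers. The memory buffer and the test card numbers are constructed for the example.

```python
import re
from typing import List, NamedTuple

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
# Track 2:                 ;<PAN>=<YYMM><service code + discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})[^?]{0,60}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[^?]{0,30}\?")


class Finding(NamedTuple):
    offset: int      # byte offset in the scanned buffer
    track: int       # 1 or 2
    masked_pan: str  # first six and last four digits only
    expiry: str      # YYMM as it appears on the stripe


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> List[Finding]:
    """Find Luhn-valid track 1 / track 2 records anywhere in a memory buffer."""
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            findings.append(Finding(m.start(), 1, mask_pan(pan), m.group(3).decode("ascii")))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            findings.append(Finding(m.start(), 2, mask_pan(pan), m.group(2).decode("ascii")))
    return sorted(findings)  # NamedTuple sorts by offset first


# Constructed stand-in for a POS process memory dump (not real data). The PANs are the
# well-known test numbers 4111111111111111 and 5555555555554444; the third record is a
# decoy that matches the track format but fails the Luhn check and must be ignored.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"POS transaction log\x00"
    + b"%B5555555555554444^DOE/JANE^27121010000000000?"
    + b"\x00" * 8
    + b";4111111111111111=27121011234567890?"
    + b"\x00junk\x00"
    + b";1234567890123456=2712101?"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for f in scan_for_track_data(SAMPLE_MEMORY):
        print(f"offset={f.offset:#06x} track{f.track} pan={f.masked_pan} exp={f.expiry}")
```

Reading a real process's memory (for example via /proc/<pid>/mem on Linux or ReadProcessMemory on Windows) is left out so the block runs offline; the matching and validation are the part that matters. Note the defensive consequence: if track data can be found this way, it is in cleartext in RAM, and only point-to-point encryption at the card reader removes it from the scraper's reach.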

Security Failures and Aftermath

Target's malware detection system did flag the exfiltration malware, but the security team dismissed the alerts as false positives and took no action. Target only began an internal investigation after the Department of Justice notified it of the breach. The malware was removed and the intrusion contained by December 15.

The breach hit Target's finances hard: net profit fell 46% in the fourth quarter, and customer trust was damaged. The CEO resigned, partly because of the breach, and left with a severance package reported at about $61 million.

Lessons Learned

The central failure was poor network segmentation. A zero-trust design addresses this directly: assume that any internal host, including a vendor's account or a corporate workstation, may already be compromised, and build the network so that a compromise there cannot reach the payment environment. Registers should be able to talk to the payment gateway and to a tightly controlled administration path, and to nothing else.
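The segmentation failure described under Gaining Unauthorized Access, and the lesson drawn from it here, can be expressed as a small allowlist policy and checked against the kinds of connections the intrusion relied on. The following is an added example of my own (not Target's policy, not a real firewall product): a first-match rule set with a final default deny, evaluated over constructed flow records. The subnet addresses, the jump host and the gateway address are all assumptions made for the example.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

Net = ipaddress.IPv4Network


class Rule(NamedTuple):
    src: Net
    dst: Net
    dport: Optional[int]  # None matches any port
    action: str           # "allow" or "deny"


# Constructed segment addressing; these ranges are assumptions for the example.
CORP = ipaddress.ip_network("10.10.0.0/16")         # office workstations, file servers, AD
POS = ipaddress.ip_network("10.50.0.0/16")          # store registers
JUMP_HOST = ipaddress.ip_network("10.10.99.10/32")  # the only administration path into POS
PAYMENT_GW = ipaddress.ip_network("10.60.1.5/32")   # card authorization gateway
ANY = ipaddress.ip_network("0.0.0.0/0")

# First match wins; anything not explicitly allowed falls through to the final deny.
RULES: List[Rule] = [
    Rule(JUMP_HOST, POS, 22, "allow"),    # administration only from the hardened jump host
    Rule(POS, PAYMENT_GW, 443, "allow"),  # registers talk to the payment gateway only
    Rule(CORP, POS, None, "deny"),        # no other corporate host may reach a register
    Rule(POS, ANY, None, "deny"),         # registers get no other egress, internal or external
    Rule(ANY, ANY, None, "deny"),         # default deny
]


def evaluate(src: str, dst: str, dport: int, rules: List[Rule] = RULES) -> str:
    """Return the action of the first rule matching the flow, or "deny" if none matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


Flow = Tuple[str, str, int]


def audit(flows: List[Flow], rules: List[Rule] = RULES) -> List[Tuple[Flow, str]]:
    """Evaluate every flow and pair it with the policy decision."""
    return [(f, evaluate(*f, rules=rules)) for f in flows]


# Constructed flows modelled on the stages of the intrusion described in this article.
SAMPLE_FLOWS: List[Flow] = [
    ("10.10.5.20", "10.50.3.7", 445),   # compromised corporate server pushing malware to a register
    ("10.50.3.7", "10.10.5.20", 445),   # register staging stolen data on an internal server
    ("10.50.3.7", "203.0.113.10", 21),  # register uploading directly to an external FTP server
    ("10.50.3.7", "10.60.1.5", 443),    # legitimate authorization traffic
    ("10.10.99.10", "10.50.3.7", 22),   # legitimate administration from the jump host
]

if __name__ == "__main__":
    for flow, decision in audit(SAMPLE_FLOWS):
        print(f"{decision:5s} {flow[0]} -> {flow[1]}:{flow[2]}")
```

Under this policy the three flows that made the breach possible (corporate to register, register to internal staging server, register to external FTP) are all denied, while the two flows a store actually needs are allowed. Running the same evaluator over exported flow logs is a cheap way to find out whether a real network would have stopped the same movement.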

By February of the following year Target had substantially improved its security posture, including a penetration test of the environment and investment in a cyber fusion center. Payment terminals have since moved to EMV chip cards, which make cloned magnetic-stripe cards far less useful to the thief. EMV alone does not stop a memory scraper from reading card numbers, though; that requires point-to-point encryption from the card reader onward.

Conclusion

The Target data breach highlights the importance of strong cybersecurity measures. For CEOs and CTOs, the key takeaways are:

  • Implement zero-trust security so that a single compromised account or host cannot reach critical systems.
  • Enforce strong network segmentation and firewalling between corporate systems and the payment environment.
  • Restrict and monitor third-party remote access; a vendor's compromise becomes your compromise.
  • Keep security patches current and eliminate weak or default passwords.
  • Invest in threat detection and response, and make sure the alerts it raises are triaged and acted on.

By learning from past breaches, organizations can better protect themselves against sophisticated cyber threats and maintain customer trust.