Last Friday, Target revealed details that its December breach was even worse than previously reported.
In addition to the 40 million credit and debit card records, there were also up to 70 million records of shoppers’ personally identifiable information stolen, including names, phone numbers, email and physical addresses. This revelation not only dramatically increases the severity of the breach, but also reveals enough to allow those of us outside the walls of Target to draw up a more informed hypothesis as to how such a breach may have taken place, and how it can be prevented in the future.
The initial report, which revealed that the magnetic stripe data from millions of credit cards was stolen, led many to believe that the breach was a malware attack on POS systems, including cash registers and card swipe readers. However, given the sheer number of personal records stolen, and the fact that such information is not stored on the payment card, it has become more apparent that the breach more likely involved a database, if not a Hadoop cluster.
As Adrian Lane, Securosis CTO, put it, “You simply can’t harvest that many records listening on the wire unless you breached them years ago. Target is known for data mining and analytics, so it’s not too much of an inductive leap to say it was a database breach.”
This was a very sophisticated attack, committed either by an insider or by an outsider using an employee’s weak credentials, probably an administrator’s. It was carried out over a long period of time – it was revealed that there were indications of increased malicious activity on Target’s and Neiman Marcus’ networks as early as November of last year. Beginning with malware installed on POS systems, the attack was probably designed to penetrate a database or Hadoop cluster of personal information, possibly following the same path along which Target collects customers’ purchase information.
The end result is a breach of up to 110 million records, and a steep cost to Target, credit and debit card companies, and the customers themselves. Even though the customers will not be on the hook for their credit or debit accounts, their personal information can be irreplaceable. Because of this, politicians have felt the heat from their constituents, and they’re passing it on to breached organizations in the form of lawsuits and stiffer penalties.
So what can companies do to prevent what happened to Target from happening to them?
First, they must recognize that all of their systems are connected, including the marketing database, transaction processing, and even employee records. The enterprise must be secured using a unified approach, to prevent “weakest link” issues relating to security gaps or vulnerable systems.
Apply enterprise-wide fine-grained de-identification of personally identifiable information to protect their customers’ privacy, while retaining the ability to mine and analyze their data.
Apply fine-grained tokenization of payment card information, eliminating the need for cleartext card data during payment authorization and its exposure in memory, two high-risk areas for a POS attack.
Implement policies requiring strong credentials, including password improvement and rotation, as well as separation of duties, to prevent privileged users, such as DBAs or system administrators, from accessing sensitive data.
Establish granular, continuous system monitoring, auditing, and alerting. Even if Target could not have prevented the breach, catching it earlier would have limited the damage.
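As an added example, not code from the original post or from Target, here is a minimal token vault in Python illustrating the tokenization and separation-of-duties recommendations above: the POS and the analytics database keep only the token, and only the payment authorizer role can map it back to a PAN. The class name, the role string and the index key are assumptions.

```python
import hmac
import hashlib
import secrets

def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical token vault: the only component that ever sees a PAN.
    Tokens keep the BIN (first 6) and last 4 for routing and receipts,
    replace the middle digits at random, and are forced to FAIL Luhn so a
    token can never be mistaken for, or used as, a real card number."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key     # keys the PAN->token lookup index (constructed)
        self._pan_by_token = {}         # token -> PAN (would be encrypted at rest)
        self._token_by_index = {}       # HMAC(PAN) -> token, so no cleartext PAN index

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:  # same card -> same token (stable for analytics)
            return self._token_by_index[idx]
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in pan[6:-4])
            token = pan[:6] + middle + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the authorization service may recover a PAN; DBAs and admins get nothing."""
        if caller_role != "payment-authorizer":
            raise PermissionError(f"{caller_role} is not allowed to detokenize")
        return self._pan_by_token[token]
```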
It’s vital not only to follow PCI and privacy guidance, but to go beyond it, as it is just a baseline or minimum of acceptable security. All organizations, especially those in retail, would be well served to follow the best practices outlined above and take a proactive approach to protecting their customers’ information, rather than waiting for a breach that could cost hundreds of millions of dollars and possibly affect their customers’ lives for years to come.