On December 15, 2013, Target became aware of a security breach of its systems. According to Gregg Steinhafel, Chairman, President and CEO of Target, the access point the cyber criminals used to penetrate the network was discovered and closed, but not before customer credit and debit card numbers, expiration dates and CVV codes were exposed, along with the names, addresses, email addresses and phone numbers of its customers.
This initial statement disclosed that as many as forty million debit and credit card accounts may have been accessed by the hackers. It added that authorities and all concerned banking institutions had been immediately notified and that investigations had begun, including an independent investigation by a third-party forensics firm. Customers were referred to Target's corporate website for more information and given a Target phone number to call if they believed they had been affected by unauthorized charges.
On December 20, 2013, Gregg Steinhafel, the CEO of Target Corp., issued a follow-up message to its "guests" acknowledging, "as you have likely heard by now," that Target had been the victim of a cyber attack on its U.S. Target stores. Steinhafel expressed the company's regrets for the "stress and anxiety" the breach had created and stressed how seriously Target was taking the crime, both against the store and against its guests.
This second message went on to say that the breach and its cause had been addressed and that shoppers could rest assured and shop at Target with confidence again. The statement said the breach had occurred between November 27 and December 15, 2013, in its U.S. stores only, and that PINs had not been compromised. It also offered free credit monitoring services to everyone affected by the breach, stating that Target would be "in touch with you soon" about where and how to sign up for the credit protection services. In closing, the message directed customers to the various web links and sites they could rely on for information in the coming weeks.
However, it has since been learned that Target hired a third-party forensics expert, Verizon, to conduct an extensive analysis and test Target's networks for other vulnerabilities in its systems, but kept the results of the probe confidential. The fact that the results of the Verizon analysis of Target's network were kept confidential led to much speculation in the cyber security community, namely that the breach was much more extensive than Target Corp. was acknowledging.
Cyber security expert Brian Krebs of KrebsOnSecurity was able to obtain an internal corporate report which showed that Target had initiated the Verizon probe for weaknesses in the Target network "in anticipation of litigation," namely the class action lawsuits that might result from the breach. The corporate report revealed that the Verizon probe ran from December 21, 2013, to March 1, 2014, beginning six days after the Target breach was discovered.
The Verizon analysis found "no controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers." This information came as no surprise to security experts in the field, as it had long been suspected that the hackers were able to reach any Target location and all of Target's cash registers, which the Verizon probe confirmed.
At one point in the probe, Verizon was able to communicate with the point of sale registers in one store after breaching a deli meat scale located in a different store. This led investigators to zero in on the point of access, Fazio Mechanical, a small company that worked with Target and had recently suffered a breach delivered by an email containing malware. Using the malware implanted at Fazio, the hackers were able to steal the network credentials needed to access Target's network and push malicious software down to the Target registers in more than 1,800 of its stores in the United States.
Target would not confirm Brian Krebs's report and instead offered a rather coarse e-mail statement from Target spokesperson Molly Snyder, who stated:
We’ve brought in new leaders, built teams, and opened a state-of-the-art cyber fusion center. We are proud of where we stand as a company and will be absolutely committed to being a leader on cybersecurity going forward. Sharing accurate and actionable information with consumers, policy makers, and even other companies and industries will help make all of us safer and stronger. Sometimes that means providing information directly to consumers, other times that means sharing information about possible industry threats with other companies or through our participation in the Financial Services and Retail Information Sharing and Analysis Centers (ISACs), and sometimes that means working with law enforcement. What we don’t think it means is continuing to rehash a narrative that is nearly two years old.
Target has never shared the results of the Verizon probe with its "guests," saying only, on January 10, 2014, that the breach was much worse than anticipated: 70 million cards rather than 40 million had been breached, and the breach did in fact include the PIN data embedded in customers' credit cards.
According to Brian Krebs's report, the Verizon assessment found numerous instances where Target was not following proper cyber protection practices. As the investigation continued and more damning information came out regarding Target's responsibility for the breach, more lawsuits were filed. In all fairness to the company, it is likely acting on the advice of legal counsel in declining to comment on or release information from the "confidential" Verizon report, especially in light of the fact that numerous lawsuits have been filed and a federal judge has cleared those claims to go forward as a class action suit.
Target is said to have at least $100 million in combined cyber insurance policies, as well as $65 million in combined policies to protect against directors' and officers' liability, but again Target would not comment on its cyber and D&O insurance coverage. While this may seem like a lot of coverage, given the extent of the possible lawsuits and those already pending, it may not be nearly enough to get Target Corp. out of trouble.
Follow Up –
The "anticipated" litigation that Target was expecting has come to fruition: banks that lost millions when they had to reimburse customers whose accounts were compromised in the Target breach filed a class action lawsuit against Target to recoup their losses. The banks that service MasterCard, the banks that service Visa, and a customer class action suit have all settled with Target in recent months. Target paid $39 million to banks servicing MasterCard, $67 million to those servicing Visa, and $10 million in the class action suit brought by customers. Target can thank its lucky stars for that $100 million in cyber insurance protection.