
Team Inspiration

TGMT 4342-P80
Supply Chain Security

Jason Santiago
Anna Longoria
Rick Gomez
Anabel Garza
Sandra deVries
Jessica Bernal

Target Corporation
Security Breach

What happened?
In late 2013, Target Corporation was the target of what has come to be known as the second largest data theft in U.S. history.
Hackers used software known as malware to steal personal data from Point of Sale (POS) stations in Target retail stores across the country.

Easy Target
Shortly before Thanksgiving 2013, hackers installed malware in Target's security and payments system.
Credit/debit card numbers and PINs for every card swiped at every location between Nov. 27 and Dec. 15 were stolen (19 days).

The malware infected Target's POS terminals, where it scraped credit card numbers and other personal data undetected for six days before beginning to transmit that data to an external FTP server through an additional infected computer somewhere on Target's network.

Easy Target
On December 2, the malware began transmitting payloads of stolen data to a File Transfer Protocol (FTP) server on what appears to be a hijacked website. These transmissions occurred several times a day over a two-week period.
Also on December 2, the cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP server. They continued to download the data over two weeks, for a total of 11 GB of stolen sensitive customer information.
Information and transaction history dating as far back as 10 years was collected.
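As an added defensive example (not from the original deck and not Target's own telemetry), the Python sketch below shows how the pattern described above, POS-segment hosts repeatedly pushing data over FTP to a non-allowlisted external server, could be flagged from firewall connection logs. The POS subnet, the approved internal FTP host and the log lines are all constructed assumptions.

```python
"""Flag POS hosts that repeatedly send data to outside FTP servers.
Added example; constructed data, not Target's own telemetry or any vendor rule."""
import ipaddress
from collections import defaultdict

POS_NET = ipaddress.ip_network("10.50.0.0/16")        # assumption: POS VLAN range
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_FTP = {ipaddress.ip_address("10.1.1.20")}      # assumption: approved internal FTP host

# Constructed firewall log lines: "<date> <src> <dst> <dport> <bytes_out>"
SAMPLE_LOG = """\
2013-12-02 10.50.3.17 10.1.1.20 21 2048
2013-12-02 10.50.3.17 203.0.113.45 21 1843200
2013-12-02 10.50.3.17 203.0.113.45 21 2201600
2013-12-03 10.50.3.17 203.0.113.45 21 1902000
2013-12-03 10.50.7.9 198.51.100.8 443 5400
2013-12-04 10.50.3.17 203.0.113.45 21 2105000
"""

def parse(line):
    """Split one constructed log line into typed fields."""
    date, src, dst, dport, nbytes = line.split()
    return date, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), int(nbytes)

def is_external(addr):
    """True when the address is outside every internal range."""
    return not any(addr in net for net in INTERNAL_NETS)

def suspicious_ftp_exfil(log_text, min_days=2):
    """Return {(src, dst): (distinct_days, total_bytes)} for POS hosts that open
    outbound FTP control sessions (tcp/21) to external, non-allowlisted servers on
    at least `min_days` distinct days. Repetition across days is the signal: a
    one-off transfer is noise, a daily one matches the exfiltration pattern."""
    stats = defaultdict(lambda: [set(), 0])
    for line in log_text.splitlines():
        date, src, dst, dport, nbytes = parse(line)
        if src not in POS_NET or dport != 21:
            continue                      # only POS-originated FTP is in scope
        if dst in ALLOWED_FTP or not is_external(dst):
            continue                      # approved or internal destinations are fine
        entry = stats[(str(src), str(dst))]
        entry[0].add(date)
        entry[1] += nbytes
    return {k: (len(days), total) for k, (days, total) in stats.items()
            if len(days) >= min_days}

if __name__ == "__main__":
    for (src, dst), (days, total) in suspicious_ftp_exfil(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {dst}: FTP on {days} days, {total} bytes out")
```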

References:
Riley, Michael, Ben Elgin, Dune Lawrence, and Carol Matlack. "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It." Bloomberg.com. Bloomberg, 13 Mar. 2014. Web. 11 July 2015. <http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data>.
Kosner, Anthony Wing. "Researchers Report Exact Timeline Of Massive Target Data Breach." Forbes. Forbes Magazine, 17 Jan. 2014. Web. 12 July 2015. <http://www.forbes.com/sites/anthonykosner/2014/01/17/researchers-report-exact-timeline-of-massive-target-data-breach/>.

Target: Critical Controls


Before the 2013 breach
Target's interaction with vendors: Target uses Microsoft virtualization software, centralized name resolution and Microsoft System Center Configuration Manager (SCCM) to deploy security patches and system updates. It also has vendor portals to conduct business.
Six months before the breach, a malware detection tool was installed to alert Target of any suspicious activity on its computer network. The tool cost $1.6 million.
Employees were assigned to monitor the security software.

Target: Critical Controls


Before the 2013 breach
Target passed Payment Card Industry (PCI) compliance audits prior to this breach, indicating it had implemented the security required by the credit card processing industry.
POS terminals used encryption at the time of transaction.
After a card is swiped at the Point-of-Sale (POS) terminal, the data is stored in memory; this is not recommended, and the PCI report stated this practice should be a consideration for

Process of Payment
Payment terminals implemented correctly already encrypt the PIN data on the cards, but often not the data on the magnetic strip.
When the PIN is received, an encrypted PIN block is created immediately at entry.
The cryptogram is sent over the network to a payment HSM that decrypts and then re-encrypts the PIN for the processor or issuer, which can verify it.
The retailer should never store the PIN data.
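The flow just described, as an added example written for this page (not Target's or any payment vendor's code): a PIN pad forms an ISO 9564-1 format-0 PIN block and encrypts it under a terminal PIN key, the payment HSM translates it to the zone key shared with the processor or issuer, and the retailer's own systems only ever relay ciphertext. The keys, the PAN and the XOR-based stand-in cipher are assumptions; real terminals and HSMs use 3DES or AES.

```python
"""Model of PIN entry, HSM translation and issuer verification (ISO 9564-1 format 0).
Added example, not Target's or any vendor's code; keys and PAN are constructed."""
import hmac
from hashlib import sha256

def iso9564_format0_block(pin: str, pan: str) -> bytes:
    """Format-0 PIN block: PIN field XOR PAN field, 8 bytes."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")   # 0, length, PIN, F padding
    pan_field = "0000" + pan[:-1][-12:]                  # 12 rightmost digits, check digit dropped
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field), bytes.fromhex(pan_field)))

def pin_from_block(block: bytes, pan: str) -> str:
    """Recover the PIN from a clear block; only an HSM or issuer should ever do this."""
    pan_field = bytes.fromhex("0000" + pan[:-1][-12:])
    pin_field = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    return pin_field[2:2 + int(pin_field[1], 16)]

def stand_in_cipher(key: bytes, block: bytes) -> bytes:
    """Assumption: stand-in for the 3DES/AES a real terminal or HSM uses. XOR with a
    key-derived pad, so it is its own inverse; it models key ownership, not security."""
    pad = hmac.new(key, b"pin-block", sha256).digest()[:8]
    return bytes(a ^ b for a, b in zip(block, pad))

TPK = b"terminal-pin-key (constructed)"   # known to the PIN pad and the HSM only
ZPK = b"zone-pin-key (constructed)"       # known to the HSM and the processor/issuer only

def pin_pad_entry(pin: str, pan: str) -> bytes:
    """PIN pad: the clear PIN and clear block exist only inside this function."""
    return stand_in_cipher(TPK, iso9564_format0_block(pin, pan))

def hsm_translate(cryptogram: bytes) -> bytes:
    """Payment HSM: decrypt under TPK, re-encrypt under ZPK, release only ciphertext."""
    return stand_in_cipher(ZPK, stand_in_cipher(TPK, cryptogram))

def issuer_verify(zone_cryptogram: bytes, pan: str, pin_on_file: str) -> bool:
    """Issuer side: decrypt under ZPK and compare with the PIN on file."""
    block = stand_in_cipher(ZPK, zone_cryptogram)
    return hmac.compare_digest(pin_from_block(block, pan), pin_on_file)

def end_to_end(pin: str, pan: str, pin_on_file: str) -> bool:
    """Retailer host path: it relays the two cryptograms and holds neither key."""
    c_tpk = pin_pad_entry(pin, pan)      # leaves the PIN pad under the terminal key
    c_zpk = hsm_translate(c_tpk)         # comes back from the HSM under the zone key
    return issuer_verify(c_zpk, pan, pin_on_file)
```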

Target: POS Terminals

[Figure] Relationships between compromised and attacker-controlled assets. Source: Dell SecureWorks.

Sources
Dell SecureWorks. (2014). The 20 critical security controls. Retrieved from Dell SecureWorks: http://www.secureworks.com/resources/articles/other_articles/the-20-critical-security-controls/
Elgin, B. (2014, March 13). Missed alarms and 40 million stolen credit card numbers: How Target blew it. Retrieved from Bloomberg Businessweek: http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
Krebs, B. (2014e, January 14). New clues in the Target breach. Retrieved from Krebs on Security: http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/
Krebs, B. (2014d, 02). Email attack on vendor set up breach at Target. Retrieved from

Risk Factors
Their business is subject to many risks. Set forth below are the most significant risks that they face.
If Target is unable to positively differentiate itself from other retailers, its results of operations could be adversely affected.
The retail business is highly competitive. In the past they have been able to compete successfully by differentiating their guests' shopping experience, creating an attractive value proposition through a careful combination of price, merchandise assortment, convenience, guest service, loyalty programs and marketing efforts. Their ability to create a personalized guest experience through the collection and use of guest data is increasingly important to their ability to differentiate from other retailers. Guest perceptions regarding the cleanliness and safety of the stores, the functionality and reliability of their digital channels, their in-stock levels and other factors also affect their ability to compete. No single competitive factor is dominant, and actions by their competitors on any of these factors could have an adverse effect on their sales, gross margins and expenses.

Target said Friday that the thieves who stole massive amounts of credit and debit card information during the holiday season also swept up names, addresses and phone numbers of 70 million customers, information that could put victims at greater risk for identity theft.
Every bit of added data helps criminals develop more sophisticated tactics for either impersonating victims or luring them to give up more sensitive information, according to security experts.
"These criminals are building up dossiers on individuals," said Avivah Litan, a fraud and security analyst at Gartner. A tighter supply chain security was recommended.

Friday's announcement is the result of an ongoing investigation into the security breach, Target said. The company is working with the Secret Service and the Department of Justice to determine who was behind the attack. Spokesmen at the Secret Service and the Justice Department declined to comment on the investigation.
Target's problems reflect a crisis in how customer data is protected, analysts said.
"It's a little frightening. These bad guys are getting into some of the most secure retailers' networks, and I'm sure it's not going to stop at Target," Litan said. "We need a fundamentally different paradigm here for how we manage security." A tighter supply chain security was started right away.

Cited sources
By Jia Lynn Yang and Amrita Jayakumar, The Washington Post, January 10, 2014. www.washingtonpost.com/.../target.../0ada102679...
"Target Data Breach Spilled Info On As Many As 70 Million ..." www.forbes.com/.../target-data-breach-spilled-info-on-as-many-as...
Target breach has triggered at least two class-action lawsuits, drawn state and federal investigations, and damaged Target's bottom line. (Reuters, Jan. 10)

Using Social Media in Effective Crisis Communication
In the digital age, even the most prepared companies are at risk of having data leaked or stolen. When this happens, companies need to have a plan in place not only to fix the security loophole, but also to reassure customers so they feel it's safe to spend their money again. Using social media crisis communication strategies is one of the many ways that companies can rebuild trust with consumers after a data breach. Target has been able to avoid some potential losses due to a quick response, which included direct and constant communication with customers. Here are the steps any business needs to be prepared to take in the event its data is stolen next.

Target's Action Plan

Find the Leak and Plug It
Once Target learned that credit card numbers and other important information were compromised, it did the right thing by immediately starting an investigation, finding the source of the problem and closing the loophole.

Create a Plan to Protect Customers
Target immediately worked out a deal with credit reporting agencies to allow compromised customers to have free credit monitoring, made sure banks were alert for fraudulent charges and contacted the Secret Service to assist in the investigation.

Communicate the Plan Directly with Customers
Target decided on a plan of action for communicating the issue directly to consumers, and it included being open and honest about what happened.
Target opened a payment card issue FAQ page on its website.

Reward Loyalty and Regain Trust
Target immediately offered customers, even ones who weren't compromised, an extra 10 percent off, the same as the employee discount, for the weekend after the news came out. The promotional sale on top of items already discounted for the holiday helped bring people back.

Adoption of chip-enabled smartcards
Target is accelerating its plans to put chip-enabled technology in its stores and on its Target REDcards by early 2015, six months ahead of its previous plan.

References:
https://corporate.target.com/about/shopping-experience/payment-card-issue-faq
http://blog.newscred.com/article/social-media-crisis-communication-lessons-from-targets-data-breach/f3568a27345ecac5ea5154da86d90343

What Can Companies Do?


According to the House of Representatives hearing "Can data breaches be prevented?" (which ran 3 1/2 hours), the short answer was: No. That's despite the hundreds of millions Target spent trying to update prevention software.
Again and again, company executives described how very sophisticated cyber thieves are. They use a malware program that deletes itself and cleans up all traces that it was ever there.
For now, there are no federal standards on cybersecurity or on how customers must be informed in the event of a breach.
Companies that do not use strong passwords, encrypt data or update security patches will remain vulnerable to attacks.

What Can Consumers Do With RFID?


Consumers with the new RFID cards must understand that the chip is not a fail-safe.
Chips need to be protected from scanners using radio frequency readers.
There are new wallets and DIY projects that can help prevent scanning of your information right out of your purse or pocket.

References
Henneberger, M. (2014, February 5). Can data breaches be prevented? Congress's and companies' answer for now: No. http://www.washingtonpost.com/business/economy/can-data-breaches-be-prevented-congresss-and-companies-answer-for-now-no/2014/02/05/94d607ae-8e9d-11e3-b46a-5a3d0d2130da_story.html
Staff Writer (2011, June). Newer cards can be hijacked too. http://www.consumerreports.org/cro/magazine-archive/2011/june/money/credit-card-fraud/rfid-credit-cards/index.htm

Wrap-up of the incident
40 million: credit and debit card numbers stolen by thieves from Nov. 27 to Dec. 15, 2013.
70 million: records stolen, including names, addresses, email addresses and phone numbers.
46%: drop in profits compared to the previous year.
$100 million: what Target is spending to upgrade payment terminals to support chip-and-PIN cards.
$53.7 million: what the hackers likely generated from the sale of 2 million of the stolen cards.

Protocol
The access point that the criminals used was closed when the breach was discovered in Dec. 2015.
Target is investing in the internal processes and systems needed to reduce the likelihood of this happening again.
Fraud alerts have been placed, and Target is actively monitoring REDcard accounts that may have been impacted.
Plans to put chip-enabled technology in stores and on REDcards are being accelerated.

Our Team Suggestions


Even though affected customers have zero liability for any charges they didn't make, and no action is required of them unless they see charges they did not make, some things customers should be aware of are:
Any unrecognized or unauthorized charges; it is highly recommended that they check their statements.
Setting up alerts on their credit or debit cards.
Calls or email scams that may appear to offer protection and ask for personal information.
Strangers who ask for money using wire transfers or checks.

References
"Data Breach FAQ." Target Corporate. Bullseye View, n.d. Web. 11 July 2015. <https://corporate.target.com/about/shopping-experience/payment-card-issue-faq>.
Krebs, Brian. "The Target Breach, By the Numbers." Krebs on Security. Krebs on Security, 14 May 2014. Web. 11 July 2015. <http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/>.
