Editor’s Note: This blog is the second in a series examining the causes and effects of high-profile, third-party related data breaches over the past decade. Be sure to keep watching the Risk Register blog for future installments in the series!
In 2013, attackers used a third-party vendor’s access to compromise Target’s network and steal sensitive customer information. This blog reviews the Target breach’s background, the methods the attackers used, what happened to the data, the breach’s impact on Target, and what today’s third-party risk management practitioners are still learning from this breach.
During the 2013 holiday shopping season, hackers infiltrated Target’s network and compromised the account information of 70 million customers. The hackers stole data including full names, phone numbers, email addresses, payment card numbers, and credit card verification codes – the veritable Holy Grail of PII!
The attackers used a spear phishing attack against Target’s third-party HVAC company, Fazio Mechanical Services, to steal user credentials. The hackers then used the stolen credentials and to access Target’s corporate network and install malware on Target’s POS devices. The installed malware collected sensitive customer data between November and December of 2013.
The stolen credit card information was later found for sale on the dark web. However, it is unclear if the sellers were the perpetrators of the crime.
Because the breach was disclosed during the Christmas season, a pivotal time for retailers, Target suffered significant financial losses. The company’s profits fell almost 50% in Q4 of 2013 compared to the prior year and its stock price fell 9% over a period of two months following the breach’s disclosure. Additionally, Target settled a $10 million class-action lawsuit in 2015 and agreed topay up to $10,000 to customers who suffered losses as a result of the data breach. And in 2017, Target paid another $18.5 million in settlements.
Moreover, the widespread negative publicity damaged Target’s reputation and led to unwanted attention. The Department of Justice launched a probe in 2014, and lawmakers lobbied federal regulators to examine the breach. In 2014, multiple Senate committees used the breach as talking points for potential regulations regarding data security. As part of Target’s 2017 settlement, Target was required to adhere to the business best practices published by the California Department of Justice in the California Attorney General’s Data Breach Reports.
Although there are many lessons that risk management professionals can learn from the Target breach, this case is the poster child for conducting a deep, internal controls-based assessment – especially around two areas: identity and access management, and user training and education. And although the assessment itself wouldn’t have guaranteed that the breach wouldn’t have happened, the visibility into the lack of internal control over these critical security processes would have shined a light on what would become material weaknesses.
Prevalent is unique in that we combine these automated vendor assessments with continuous threat monitoring into a single platform for a 360-degree view of vendors. The outcome is the visibility you need to reveal, interpret, and alleviate risk.
Remember, just because you outsource critical functions to a third party, it doesn’t mean you outsource the risk. You own it, and you need to manage it accordingly. If you don’t, you have to be prepared for class-action lawsuits, damage to reputation and brand, and financial loss.
For more on how Prevalent can help your organization build or mature its third-party risk management program and gain visibility on third-party weaknesses, contact us today.