What SMBs Can Learn From The Target Corporation Data Breach

Proactive Dark Web monitoring is important.

On December 19, 2013, in the midst of the holiday shopping season, Target informed customers that they had been hacked.  Anyone who had shopped from November 27 to December 15 was at risk of having had their credit or debit card information stolen.

This breach eventually cost Target over $28.5M in settlement costs and $202M in legal fees.  What happened and what can you learn from it to reduce your exposure?

The Attack

On November 12, 2013, hackers accessed Target’s internal system via an HVAC vendor who had fallen victim to a phishing attack.  The phishing attack uploaded malware, called Citadel, able to capture the payment card data when the card was swiped, before the data was encrypted.

Alerts from Target’s internal IT security system were overlooked. As a result, the malware went undetected for several weeks. During this period, information from over 40 million credit and debit cards was stolen, and up to 70 million customer records were compromised. These records contained PII (personally identifiable information) such as home addresses, email addresses, names, and more.

The Aftermath

The FBI alerted Target on December 12, 2013 of a potential breach.  The FBI and Secret Service noticed an increase in credit cards for sale associated with Target on the black market.

If not for the FBI and Secret Service notifying Target, the malware would have been allowed to continue lurking in Target’s network longer.  Target informed the public on December 19, 2013.  That was 7 days after they were informed by the FBI.

What Went Wrong

There are 3 main things that went wrong.

  1. Poorly designed network
  2. Network security was weak
  3. Inadequate Critical Incident Response Plan

Poorly Designed Network

The network design did not have the right kinds of firewalls.  A vendor should not be able to access the payment system or information.  Once the malware was in, it was able to access other parts of Target’s network.  The separation and safeguards in place were insufficient, making Target more vulnerable.
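
One way to check for this kind of gap, as an added example that is not part of the original article: the script below treats each firewall allow rule as a hop between network zones and reports any chain of hops that lets an untrusted zone, such as a vendor portal, reach the payment zone indirectly. The zone names and rules are constructed for illustration and are not Target's actual configuration.

```python
from collections import deque

# Constructed sample policy: each rule allows traffic from one zone to another.
# Zone names are hypothetical and do not describe Target's real network.
ALLOW_RULES = [
    ("vendor_portal", "billing_app"),
    ("billing_app", "corp_servers"),
    ("corp_servers", "pos_payment"),
    ("corp_servers", "hr_systems"),
    ("guest_wifi", "internet"),
]

def build_graph(rules):
    """Turn (source, destination) allow rules into an adjacency map."""
    graph = {}
    for src, dst in rules:
        graph.setdefault(src, set()).add(dst)
    return graph

def find_path(rules, source, target):
    """Return the shortest chain of allowed hops from source to target, or None."""
    graph = build_graph(rules)
    queue = deque([[source]])
    seen = {source}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def audit(rules, untrusted, protected):
    """List every untrusted-to-protected path the policy permits."""
    findings = []
    for u in untrusted:
        for p in protected:
            path = find_path(rules, u, p)
            if path:
                findings.append(path)
    return findings

if __name__ == "__main__":
    for path in audit(ALLOW_RULES, ["vendor_portal", "guest_wifi"], ["pos_payment"]):
        print("segmentation gap:", " -> ".join(path))
```

No single rule here connects the vendor portal to the payment zone, yet the audit still finds a three-hop route, which is why segmentation reviews need to follow indirect paths and not only direct rules.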

Network Security Weak

The malware was timed to execute during one of the busiest shopping days, Black Friday. For some reason, “a lot of the malware detection and deletion functions in their software seem to have been turned off. A lot of alerts that they were getting from their security protection system were not heeded at that point.” [1]  Multi-factor authentication for payment system access is part of the payment card industry data security standards.  This appears not to have been fully implemented throughout Target.

Organizational Structure and Accountability

There were also organizational and cultural factors.  Organizational silos, internal control problems, and communication breakdowns existed.  The CEO was not informed for 3 days that the FBI had alerted Target.  The board of directors was not informed until an additional 3 days after the CEO was informed.  At this point, a prominent blogger talking about the breach in the media was intensifying the pressure to inform the public.

Target continued to operate their between December 12 and 19, leaving their customers at risk.  No one person was accountable for Cyber Security at Target.  Responsibility was diluted across the CFO (Chief Financial Officer) office, the general counsel’s office, and the CIO (Chief Information Officer) office.

Takeaways for Small Business Owners

Small business owners can see that even with a large team and sophisticated solutions, things can still go wrong.  Here are your takeaways:

  1. Audit Your Network Security.  Is your networking equipment updated with the latest patches?  Is your network equipment correctly configured?  If you have a security solution from 5 years ago, it is not sufficient for the sophisticated threats that exist today.
    Ensure you have an updated security solution with hardware, software, and services to provide the protection you require.
  2. Culture Welcomes Bad News. Does your culture welcome bad news or punish it?  You need to have a culture where bad news is surfaced quickly to leaders for informed decision making.  Do you have a critical incident plan?
    Do you understand your organization’s responsibilities for protecting personal information under Alberta’s PIPA (Personal Information Protection Act)?
    Your breach could end up on the Breach Notification Decisions listing from the Office of the Information and Privacy Commissioner of Alberta.
  3. Dark Web Monitoring.  The FBI and Secret Service monitoring allowed them to inform Target of the breach.  How do you know if you have been breached or if credentials are for sale on the dark web?  Our Dark Web Monitoring solution uses a combination of AI, machine learning, and human intelligence to identify and validate compromised credentials.
    Our Dark Web Monitoring solution means that you will be alerted immediately when your compromised credentials are found online so you can take action.  Without a Dark Web monitoring system, you don’t know who could have access to your network, or how employees may be personally compromised.

More details are available by downloading our in-depth Case Study.

Sources: 

  1. Srinivasan, Suraj. “Target’s Expensive Cybersecurity Mistake.” HBS Working Knowledge, Harvard Business School, 21 Dec. 2016,
    https://hbswk.hbs.edu/item/target-s-expensive-cybersecurity-mistake. Accessed 6 Aug. 2019.
  2. Cold Call Podcast – Harvard Business School. 21 Dec. 2016, https://hbr.org/podcast/2016/12/targets-expensive-cybersecurity-mistake. Accessed 6 Aug. 2019.
  3. Abrams, Rachel. “Target to Pay $18.5 Million to 47 States in Security Breach Settlement.” New York Times, 23 May 2017, https://www.nytimes.com/2017/05/23/business/target-security-breach-settlement.html.
  4. Settlement Administrator. “Commonly Asked Questions.” Target Breach Settlement, 16 July 2019, https://targetbreachsettlement.com/mainpage/CommonlyAskedQuestions.aspx.