Target Breach (2013)

Breach Summary

Target were breached in 2013. The story was initially broken by Brian Krebs in a post published on 18 December 2013 and titled “Sources: Target investigating Data Breach”^[1]. This was followed up by a statement from Target announcing the breach on 19 December^[16]. The target confirmation stated the breach lasted between November 27 and December 15.

The breach was achieved through first compromising Target’s HVAC vendor, Fazio Mechanical^{[4][9][11][14]}. This was achieved through a phishing email^[10] which deployed malware which targeted credentials. These credentials were then used to access Target’s network.

The statement from Target announced that approximately 40 million payment cards had been stolen^[16]. The next day (20 December), the CEO released a message titled “a message from CEO Gregg Steinhafel about Target’s payment card issues”^[2], stated that the stolen data included names, payment card number, expiration date, and CVV. It recommended customers consider contacting companies like Equifax to arrange a “security freeze” on their credit. In a press release of the same name^[3], Steinhafel offered customers a 10% discount if they shop in Target stores on December 21 or 22.

On the same day as the CEOs statement, Krebs released another article detailing that he believed payment cards were being sold in “card shops” online and that this had been confirmed by a fraud analyst at a major bank^[17]. Interestingly he added that “a fraud analyst at a major bank who said his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts”.

On December 27, it was announced^[5] that encrypted card PIN numbers were accessed by the attackers. On January 10 2014 Target announced that 70 million person records were accessed during the breach^[6][7], including names, mailing addresses, phones numbers, and email addresses. This was followed by layoffs of 475 employees on 22 January^[15].

26 March 2014, Target CFO John Mulligan is questioned in a Senate Hearing ^[13]. The hearing was to discuss a Senate Report^[12] titled “A ‘Kill Chain’ Analysis of the 2013 Target Data Breach.” Which detailed information about the malware used, such as stating the McAfee Director of Threat Intelligence considered the malware “absolutely unsophisticated and uninteresting” whilst the Director of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, described the same malware as “incredibly sophisticated.”

On 5 May, in a statement from Target’s Board of Directors, it was announced that the CEO, Gregg Steinhafel, had resigned^[8]. Steinhafel was a 35-year veteran of the company. As an interim replacement the CFO, John Mulligan, took up the position of CEO. Mulligan held this position until August 2014 before taking the Chief Operating Officer position, handing the CEO position to Brian Cornell.

10 March 2015, Target lays off another 1,700 employees and left an additional 1,400 position vacant^[18].

Breach Timeline

That’s it!

References

1. https://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/
2. https://corporate.target.com/article/2013/12/important-notice-unauthorized-access-to-payment-ca
3. https://corporate.target.com/press/releases/2013/12/a-message-from-ceo-gregg-steinhafel-about-targets
4. https://www.wsj.com/articles/target-breach-began-with-contractor8217s-electronic-billing-link-1391731112
5. https://www.ft.com/content/51db6e2c-6f2f-11e3-9ac9-00144feabdc0
6. https://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/#6b73e0dbe795
7. https://corporate.target.com/press/releases/2014/01/target-provides-update-on-data-breach-and-financia
8. https://corporate.target.com/press/releases/2014/05/statement-from-targets-board-of-directors
9. https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
10. https://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
11. https://web.archive.org/web/20160925225642/http://faziomechanical.com/Target-Breach-Statement.pdf
12. https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/files/external/Target_Kill_Chain_Analysis_FINAL.pdf
13. https://www.databreachtoday.com/senate-report-analyzes-target-breach-a-6677
14. https://www.wsj.com/articles/holder-confirms-doj-is-investigating-target-data-breach-1391012641?tesla=y
15. https://eu.usatoday.com/story/money/business/2014/01/22/target-layoffs/4778267/
16. https://corporate.target.com/press/releases/2013/12/target-confirms-unauthorized-access-to-payment-car
17. https://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/
18. http://www.startribune.com/target-layoffs-will-hit-1-700-with-another-1-400-jobs-going-unfilled/295752841/