
Back in 2013, the retail giant Target suffered a huge data breach in which the credit and debit card information of 40 million customers was compromised. That is a huge amount of stolen sensitive data, so let’s dive in and see what actually happened.
According to the Congressional Research Service, on December 12 the Department of Justice (DOJ) notified Target about suspicious activity relating to cards that had been used at Target. The following day, Target met with DOJ and Secret Service officials, and on December 14 Target hired third-party experts to conduct a forensic investigation.
Target acknowledged the malware and stated that most of it had been removed by December 15. Target then notified payment processors of the breach, and by the 18th it had removed the last of the malware. It wasn’t until the 19th that the company publicly announced the data breach, but this wasn’t the end of Target’s problems. Over the next few weeks, Target announced that PINs had been stolen, as well as the personal information of 70 million people. This included names, phone numbers, email addresses and physical addresses.
How did hackers steal so much card data and personal information?
According to security journalist Brian Krebs, the attack began when hackers stole the credentials of Fazio Mechanical Services, a vendor that worked on Target’s HVAC systems. According to the HVAC company, it didn’t remotely control or monitor the HVAC systems for Target, but it was connected to Target for billing, project management and contract submission. Another Krebs report relays the unconfirmed claim that the attackers installed the Citadel password-stealing malware on the HVAC vendor’s systems.
It’s not clear exactly how the attackers used their foothold in the vendor’s systems to gain entry into Target’s network, but throughout November of 2013 they were able to install credit-card-stealing malware on a limited number of point-of-sale (POS) devices at Target stores. Over this period, the attackers tested the malware to ensure that it was working.
By the end of November, the attackers had managed to install the malware on the majority of Target’s POS machines and they began collecting credit and debit card information from ongoing customer transactions. By December 15, the attackers had access to around 40 million customers’ debit and credit card records.
Once the attackers had accumulated the data, the next step was to secretly exfiltrate it. According to Krebs, the data was first moved to locations that wouldn’t raise suspicions, such as servers at a Miami-based business, and other servers in Brazil. Once it was safely out of Target’s control, the attackers moved the 11 gigabytes of customer data to Eastern Europe. Ultimately, the card data was sold on darknet marketplaces and presumably used in fraud attempts.