7 Lessons from Target's Breach
One Year Later, What Retailers, Bankers Have Learned
It's been a year since the breach at
Target Corp., which exposed 40 million debit and credit cards along with personal information about an additional 70 million customers.
See Also: Account Takeover, Payment Fraud and Spoofed Identities: The Common Thread
Although the attack drew attention to the need for bolstered cybersecurity measures, retail breaches show no signs of abating. Other major
payments breaches at retailers since Target have included
Sally Beauty,
Michaels,
Home Depot,
Kmart and
Staples, to name a few.
Target was a watershed event that put the spotlight on payment card security. Here's a review of seven important lessons learned from the huge breach incident.
1. EMV Alone Is Not Enough
Target's breach spurred congressional hearings and renewed debate among retailers and bankers about the need for a speedy migration to
EMV chip technology to help prevent breaches (see
Target Hearings: EMV Not Enough).
It also was a catalyst in October for a
presidential order to push adoption of EMV chip technology among U.S. retailers and banks.
Visa had years earlier set October 2015 as the counterfeit
fraud liability shift date for U.S. merchants and issuers that had not yet transitioned away from magnetic-stripe card technology. But EMV didn't get that much publicity until the Target attack.
In the wake of the retailer's breach, experts and industry groups, including the
Payment Card Industry Security Standards Council, said that in addition to EMV, merchants also should implement
tokenization and end-to-end
encryption, to ensure card data is completely devalued.
"Among all of the large retailers that I talk to, their attitude is that they won't talk to vendors unless they offer tokenization with EMV," says
Avivah Litan, an analyst for the consultancy Gartner. "It has to be part of the POS solution."
End-to-end encryption, on the other hand, can be an add-on, she says. "But retailers want to work with vendors that can provide all three."
2. Network Segmentation Is a Necessity
The Target breach also proved how easy it is for hackers to tunnel from one part of a corporate network to another, which is why merchants have to segment their networks.
Hackers broke into Target's POS system after they stole network credentials from
Fazio Mechanical Services Inc., a vendor that serves the retailer (see
Target Vendor Acknowledges Breach).
Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro, says network segmentation would have prevented many of the breaches suffered by retailers, including Target, over the last 18 months (see
OCC: Retailers Accountable for Breaches).
3. Third-Party Oversight Is Part of Compliance
The Target breach put a spotlight on vulnerabilities related to third parties. In August, the
PCI Council issued new guidance on managing third-party vendor risks that retailers and bankers alike can put to use.
Banking regulatory bodies, such as the
Office of the Comptroller of the Currency and the
Federal Deposit Insurance Corp. also have, in the wake of Target, repeatedly reminded banking institutions that they are responsible for ensuring the security of the third-party vendors and service providers with which they work.
See Also: Payments Security & EMV: Join CEO Bob Carr of Heartland Payment Systems
4. Log Monitoring Needs Analytics
A forensics investigation into the Target breach found that transaction logs raised alarms about anomalous activity, but no one picked up on the warnings, according to multiple reports. Thus, the breach went undetected for several weeks.
In November, the PCI Council announced it will issue guidance specifically aimed at log monitoring (see
Why PCI Will Issue Log Monitoring Guidance). But experts says log monitoring has to be coupled with additional analytics to be truly effective.
"Everyone is inundated with alerts," Gartner's Litan says. "One retailer may get a half million alerts a day, so it's impossible to go through all of those. By putting context awareness and behavioral analytics to the transaction logs, you can start profiling users and devices. With this context-aware view of transactions, you're able to correlate anomalies across different systems. Then you can go from a few thousand high-priority alerts to a couple hundred."
Analyst
Julie Conroy of the consultancy Aite says without analytics, basic log monitoring is counterproductive because of the high rate of false positives. "A key lesson is the ability to apply analytics to the tens of thousands of false positives that these solutions throw off, to help security teams separate the wheat from the chaff," she says.
5. Executives, Boards Are Accountable
In May,
Gregg Steinhafel resigned as Target's chairman, president and CEO. In the statement issued about Steinhafel's resignation, the company noted that he "held himself personally accountable and pledged that Target would emerge a better company."
Steinhafel's announcement came just two months after the resignation of
Beth Jacob, Target's CIO during the time of the breach.
The two resignations came shortly after Target's chief financial officer, John Mulligan, was first questioned about the breach before Congress (see
Target, Neiman Marcus Differ on EMV).
The congressional attention given to Target's breach, coupled with the resignation of two of its key officers, made waves in the financial services industry, too. Over the summer, banking regulators launched a
pilot cyber-exam program at 500 community banks to review the cyber-awareness of C-level executives and boards of directors at those institutions.
In November, the
Federal Financial Institutions Examination Council noted that cybersecurity awareness among executives and boards was in need of improvement, and that cyber-awareness had to be a higher priority across the board (see
FFIEC: Boards Need Cyber Training).
6. Retailers May Be Liable for Breaches
The debate over who should be liable when card data is compromised at the retail level also has heated up since the Target breach. For months, banking groups and retail associations have been at odds about who is responsible for bearing the losses associated with card breaches (see
Hold Merchants Accountable for Breaches?).
While bankers argue they're stuck with expenses related to card reissuance and fraud, retailers say they indirectly cover these costs for banks through the interchange fees they pay to the card brands (see
Card Breaches: Retailers Doing Enough?).
~Banking regulatory bodies, such as the
Office of the Comptroller of the Currency and the
Federal Deposit Insurance Corp. also have, in the wake of Target, repeatedly reminded banking institutions that they are responsible for ensuring the security of the third-party vendors and service providers with which they work.
See Also: Payments Security & EMV: Join CEO Bob Carr of Heartland Payment Systems
4. Log Monitoring Needs Analytics
A forensics investigation into the Target breach found that transaction logs raised alarms about anomalous activity, but no one picked up on the warnings, according to multiple reports. Thus, the breach went undetected for several weeks.
In November, the PCI Council announced it will issue guidance specifically aimed at log monitoring (see
Why PCI Will Issue Log Monitoring Guidance).
But experts says log monitoring has to be coupled with additional analytics to be truly effective.
"Everyone is inundated with alerts," Gartner's Litan says. "One retailer may get a half million alerts a day, so it's impossible to go through all of those. By putting context awareness and behavioral analytics to the transaction logs, you can start profiling users and devices. With this context-aware view of transactions, you're able to correlate anomalies across different systems. Then you can go from a few thousand high-priority alerts to a couple hundred."
Analyst
Julie Conroy of the consultancy Aite says without analytics, basic log monitoring is counterproductive because of the high rate of false positives. "A key lesson is the ability to apply analytics to the tens of thousands of false positives that these solutions throw off, to help security teams separate the wheat from the chaff," she says.
5. Executives, Boards Are Accountable
In May,
Gregg Steinhafel resigned as Target's chairman, president and CEO. In the statement issued about Steinhafel's resignation, the company noted that he "held himself personally accountable and pledged that Target would emerge a better company."
Steinhafel's announcement came just two months after the resignation of
Beth Jacob, Target's CIO during the time of the breach.
The two resignations came shortly after Target's chief financial officer, John Mulligan, was first questioned about the breach before Congress (see
Target, Neiman Marcus Differ on EMV).
The congressional attention given to Target's breach, coupled with the resignation of two of its key officers, made waves in the financial services industry, too. Over the summer, banking regulators launched a
pilot cyber-exam program at 500 community banks to review the cyber-awareness of C-level executives and boards of directors at those institutions.
In November, the
Federal Financial Institutions Examination Council noted that cybersecurity awareness among executives and boards was in need of improvement, and that cyber-awareness had to be a higher priority across the board (see
FFIEC: Boards Need Cyber Training).
6. Retailers May Be Liable for Breaches
The debate over who should be liable when card data is compromised at the retail level also has heated up since the Target breach. For months, banking groups and retail associations have been at odds about who is responsible for bearing the losses associated with card breaches (see
Hold Merchants Accountable for Breaches?).
While bankers argue they're stuck with expenses related to card reissuance and fraud, retailers say they indirectly cover these costs for banks through the interchange fees they pay to the card brands (see
Card Breaches: Retailers Doing Enough?).
While courts have dismissed numerous class action suits filed by consumers against breached retailers, a class action suit filed against Target by banking institutions, seeking to recoup their breach-related costs, has won court approval to proceed (see
Target Breach Suit Won't be Dismissed).
See Also: Account Takeover, Payment Fraud and Spoofed Identities: The Common Thread
If banks win that suit, it could send a strong message about the financial responsibilities retailers should bear in the wake of a breach.
7. Cyberthreat Intelligence Sharing Must Improve
The Target breach also raised awareness about the need for more cross-industry information sharing. The sharing of cyberthreat intelligence among banking institutions has been on an upward swing since 2012, after numerous
distributed-denial-of-service attacks targeted leading U.S. banks.
But it wasn't until the retail breaches of the last year that serious consideration was given to the need for similar information sharing among retailers, as well as across the payments and financial landscape.
In May, the
Retail Industry Leaders Association announced the launch of the Retail Cyber Intelligence Sharing Center - an effort to improve sharing among retailers and other public and private stakeholders, including the Department of Homeland Security and law enforcement.
Then in June,
Tim Pawlenty, CEO of the Financial Services Roundtable, explained why information sharing in the retail sector needed to mimic information sharing within the financial sector.