← The Five Quadrants of Risk

Risk register · entry

Q1 · Predictable

Target data breach

Phished the air-conditioning vendor into 40 million cards. The alarms fired. Nobody answered.

Documented, foreseeable risks that were ignored anyway. The failure is attention, not information.

Room
Q1 Predictable
Year
2013
Impact
40M cards
Sector
Retail
Region
N. America
Category
Technological

Why this room

Target belongs in the Predictable quadrant because the intrusion generated its own alarms, inside Target's own defences, before any card data left the network. The FireEye malware detection system raised urgent alerts on 30 November and again on 2-3 December 2013 as the exfiltration malware was installed, and its automatic-deletion function - which would have neutralised the malware without human involvement - had been turned off. The U.S. Senate Commerce Committee majority staff 'Kill Chain' analysis concluded that Target missed multiple opportunities to interrupt the attack at successive stages. The information existed, was generated automatically, and was delivered to the responsible team. Only the response was missing.

The record

  • Target confirmed on 19 December 2013 that approximately 40 million credit and debit card account numbers had been stolen, and announced on 10 January 2014 that names, addresses, phone numbers and email addresses of up to 70 million customers were also taken; with an estimated 12 million overlap, the maximum number of affected customers is about 98 million.certain
  • The attackers entered through credentials belonging to Fazio Mechanical Services, a Pennsylvania HVAC and refrigeration contractor with remote access to Target's network for billing and project management; Fazio was compromised by a phishing email and was running the free version of Malwarebytes, which provides no real-time protection.high
  • Target's FireEye system triggered urgent alerts with each installation of the exfiltration malware on 30 November and 2-3 December 2013, but per the Senate staff report Target's security team 'neither reacted to the alarms nor allowed the FireEye software to automatically delete the malware'.certain
  • Target did not learn of the breach from its own systems: it was contacted by the Department of Justice on 12 December 2013, met DOJ and the Secret Service on 13 December, hired forensic investigators on 14 December, and confirmed and largely removed the malware on 15 December.certain
  • Target reported USD 248 million in cumulative breach-related expenses as of the quarter ended 1 November 2014, against USD 90 million received or expected from insurance; it later paid USD 18.5 million to 47 states and the District of Columbia on 23 May 2017, then the largest multistate data breach settlement on record.certain

Sources

  1. U.S. Government Publishing Office (Senate Commerce Committee hearing record, 26 March 2014)
  2. Congressional Research Service (report R43496)
  3. California Attorney General

The book

This entry is one of 111 in the register. The full story, and what it cost the people who lived it, is in Risky Business by Claudia Zeisberger, David Munro and Joanna Reijgersberg-Siew.

Join the waiting list