Internal report on Target data breach reveals glaring security holes

An internal report on Target's breach, obtained by security reporter Brian Krebs, shows the retailer suffered from major security flaws.

Just days after the 2013 Target data breach, the retailer hired security consultants from telecom giant Verizon to perform an internal investigation of the company's security flaws. Now, those weaknesses have been exposed in an internal report about the investigation that was obtained and published by information security reporter Brian Krebs.

Target's data breach became an information security milestone because it affected an unprecedented number of customers -- over 100 million -- whose credit and debit card numbers, names, addresses, email addresses and phone numbers were all exposed. While the initial intrusion point was a third-party HVAC vendor that had been breached by attackers, the Target data breach report showed that once the attackers gained access to the enterprise's network, there was virtually nothing stopping them from moving through the network and gaining unauthorized access.

The new report reveals that Target had many security flaws, including the use of weak and default passwords, which were stored in a file on multiple servers. Once they had accessed that file, the Verizon consultants entered the internal network and were even able to move about it freely as a system administrator, according to the report. Within a week, the Verizon consultants were able to crack 86% of Target's 547,470 passwords.

Verizon ranked the company's password complexities based on length, base words, numbers, and upper and lowercase letters. Shockingly, many people shared the same password. According to the report, 4,312 people used "Jan3009#," 3,834 people used "sto$res1," 3,762 people used "train#5," and so on. For those who did not have the exact same password, a high number of passwords contained the same base word: 8,670 passwords used "target," 3,050 passwords used "summer" and 3,840 passwords used "train." The more passwords that use the same words, symbols and numbers, the easier it is to crack multiple passwords instead of just one at a time.
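The same kind of tally can drive a defensive password policy. The following is an added example, not code from the Verizon report or this article: it counts shared passwords and shared base words in a constructed audit sample, then rejects new passwords built on them. The sample list, thresholds and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample standing in for plaintexts recovered in an internal
# password audit; the counts are illustrative, not the report's figures.
AUDIT_SAMPLE = (
    ["Jan3009#"] * 4 + ["sto$res1"] * 3 + ["train#5"] * 3
    + ["Target2013", "target!1", "TARGET99", "Summer13", "summer#7", "xK9!vQ2p"]
)

def base_word(password):
    """Letters only, lowercased: 'sto$res1' -> 'stores', 'Target2013' -> 'target'."""
    return re.sub(r"[^a-z]", "", password.lower())

def audit(passwords, min_share=2, min_len=4):
    """Return (shared, banned): exact passwords and base words seen min_share+ times.

    Base words shorter than min_len are not banned, so that the substring
    match in rejected() does not block unrelated longer words.
    """
    pw_counts = Counter(passwords)
    base_counts = Counter(base_word(p) for p in passwords)
    shared = {p: n for p, n in pw_counts.items() if n >= min_share}
    banned = {b: n for b, n in base_counts.items()
              if n >= min_share and len(b) >= min_len}
    return shared, banned

def rejected(candidate, shared, banned):
    """Policy check for a new password; returns a reason string or None."""
    if candidate in shared:
        return "shared password"
    letters = base_word(candidate)
    for word in banned:
        if word in letters:
            return f"base word '{word}'"
    return None

if __name__ == "__main__":
    shared, banned = audit(AUDIT_SAMPLE)
    print("shared passwords:", shared)
    print("banned base words:", banned)
    for pw in ("Target2016!", "Summer2014", "Jan3009#", "xK9!vQ2p"):
        print(pw, "->", rejected(pw, shared, banned) or "accepted")
```
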

The Verizon consultants noted that Target's systems ran on outdated Web-server software or were missing important security patches. The consultants were able to compromise multiple systems because of vulnerabilities in the internal network and, eventually, they had access to the entire internal network through a domain account.

In a follow-up external penetration test in February 2014, the remediation procedures had not entirely addressed the vulnerabilities, but "major improvements" were later made to those procedures, according to the report. Target made proactive changes that will protect the company's infrastructure, which detects and blocks external threats. In response to the 2013 breach, Target added further cybersecurity measures by establishing a "cyber fusion center" that responds to potential attacks and risks.

According to Krebs' report, Target neither confirmed nor denied the internal report was authentic.

In addition to the cost of replacing all the stolen cards from the breach, which was estimated to be around $400 million, Target paid $10 million to settle a class action lawsuit from affected customers. The company also agreed to a $67 million settlement with banks that issued Visa credit cards. A similar $19 million settlement with MasterCard issuers was rejected in May. 


Did the Target data breach motivate you to review your enterprise security program?
Hey, that hardware that has a default password. Don't save it in a doc on a server for everyone. Get everyone their own account, use a password manager like LastPass for example, and stop making it so easy for people to breach systems. I'm sure Target is not the only one at risk from these sorts of things.

Veretax makes a good point in that any shared resource that requires multiple people to know passwords and share them creates a fault. LastPass is a good step, but it also requires having both the ability to be used effectively (meaning the guts to actually do away with duplicate passwords and knowledge of who has which one). A coworker of mine once told me it was maddening to make that switch, but that today he feels much more secure in the system's ability to manage those details. 
This Target report lends credence to reports I've seen of bad actors doing seemingly 'normal' things and compromising systems. The next generation of security controls will have to find ways to better control who has access to data and how much at a time.