Just days after the 2013 Target data breach, the retailer hired security consultants from telecom giant Verizon to perform an internal investigation of the company's security flaws. Now, those weaknesses have been exposed in an internal report about the investigation that was obtained and published by information security reporter Brian Krebs.
Target's data breach became an information security milestone because it affected an unprecedented number of customers -- over 100 million -- whose credit and debit card numbers, names, addresses, email addresses and phone numbers were all exposed. While the initial intrusion point was a third-party HVAC vendor that had been breached by attackers, the Target data breach report showed that once the attackers gained access to the enterprise's network, there was virtually nothing stopping them from moving laterally through it and gaining unauthorized access to other systems.
The new report reveals that Target had many security flaws, including the use of weak and default passwords, which were stored in a file on multiple servers. Once they had obtained those credentials, the Verizon consultants entered the internal network and were able to move freely through it with system administrator privileges, according to the report. Within a week, the Verizon consultants were able to crack 86% of Target's 547,470 passwords.
Verizon ranked the complexity of the company's passwords based on length, base words, numbers, and upper- and lowercase letters. Shockingly, many people shared the same password. According to the report, 4,312 people used "Jan3009#," 3,834 people used "sto$res1," 3,762 people used "train#5," and so on. Among those who did not have the exact same password, a high number of passwords contained the same base word: 8,670 passwords used "target," 3,050 passwords used "summer" and 3,840 passwords used "train." The more passwords that share the same words, symbols and numbers, the less work is needed to crack them: each successful guess of a shared password or base pattern unlocks many accounts at once instead of just one at a time.
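The reuse statistics described above are the kind of thing a defender can compute for themselves during a credential audit. The following Python script is an added example written for this article; it is not code from the Verizon report, Krebs' article or Target. It counts exact duplicates, extracts each password's alphabetic base word, and flags passwords built on a company-related word list. The sample password set and the word list are constructed for illustration (it reuses the three passwords the report names, padded with made-up entries); the function names `base_word`, `audit` and `flagged_by_wordlist` are this example's own.

```python
"""Password-reuse audit, modelled on the analysis the article describes.
Added example: not code from the Verizon report, Krebs or Target.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample set: the first three strings are the shared passwords
# the report names; the rest are invented to show base-word reuse.
# A real audit would read recovered credentials from the investigation.
SAMPLE_PASSWORDS: List[str] = [
    "Jan3009#", "Jan3009#", "Jan3009#",
    "sto$res1", "sto$res1",
    "train#5", "train#5", "Train2014!", "train99",
    "Target1", "target!23", "TARGET2013#",
    "summer15", "Summer!", "P@ssw0rd",
    "x7Gq!9zLmB4r",
]

# Constructed word list of terms an auditor would expect employees to reuse:
# the company name, its store jargon and seasonal words.
COMPANY_WORDS = {"target", "train", "summer", "stores"}


def base_word(password: str) -> str:
    """Return the lower-cased alphabetic core of a password.

    Digits and symbols are dropped wherever they appear, so the
    variants 'train#5', 'Train2014!' and 'train99' all map to 'train'
    and 'sto$res1' maps to 'stores'. Returns '' if no letters remain.
    """
    return "".join(ch for ch in password if ch.isalpha()).lower()


def audit(passwords: Iterable[str]) -> Dict[str, object]:
    """Summarise exact-duplicate and base-word reuse across a password set."""
    passwords = list(passwords)
    exact = Counter(passwords)
    bases = Counter(b for b in (base_word(p) for p in passwords) if b)

    shared_exact = {p: n for p, n in exact.items() if n > 1}
    shared_base = {b: n for b, n in bases.items() if n > 1}

    # Every password whose base word is shared with at least one other
    # password falls with a single successful guess of that base.
    covered = sum(shared_base.values())
    return {
        "total": len(passwords),
        "exact_duplicates": shared_exact,
        "shared_base_words": shared_base,
        "fraction_sharing_base": covered / len(passwords) if passwords else 0.0,
    }


def flagged_by_wordlist(passwords: Iterable[str], words: Iterable[str]) -> int:
    """Count passwords whose base word appears in a known word list."""
    wordset = {w.lower() for w in words}
    return sum(1 for p in passwords if base_word(p) in wordset)


def report(passwords: List[str]) -> str:
    """Render the audit as a short human-readable summary."""
    result = audit(passwords)
    lines = [f"total passwords: {result['total']}"]
    lines.append("exact duplicates:")
    for pw, n in sorted(result["exact_duplicates"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {pw!r}: {n} users")
    lines.append("shared base words:")
    for base, n in sorted(result["shared_base_words"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {base!r}: {n} passwords")
    lines.append(
        f"passwords reachable via a shared base word: "
        f"{result['fraction_sharing_base']:.0%}"
    )
    lines.append(
        f"passwords built on company-related words: "
        f"{flagged_by_wordlist(passwords, COMPANY_WORDS)}"
    )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PASSWORDS))
```

On the constructed sample, 14 of the 16 passwords share a base word with at least one other password and 11 are built on a company-related term, which is the situation the report describes at Target's scale: a policy that only checks length and character classes still lets a handful of base words account for thousands of accounts. Running the same counts over a real credential set, and feeding the resulting base words into a password-deny list, is the direct remediation.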
The Verizon consultants noted that Target's systems ran on outdated Web-server software or were missing important security patches. The consultants were able to compromise multiple systems because of vulnerabilities in the internal network and, eventually, they had access to the entire internal network through a domain account.
In a follow-up external penetration test in February 2014, the remediation procedures did not entirely address the vulnerabilities, but later, "major improvements" were made to the remediation procedures, according to the report. Target made proactive changes to protect the company's infrastructure, including measures that detect and block external threats. In response to the 2013 breach, Target incorporated additional cybersecurity measures into the company by instating a "cyber fusion center" that responds to potential attacks and risks.
According to Krebs' report, Target neither confirmed nor denied the internal report was authentic.
In addition to the cost of replacing all the stolen cards from the breach, which was estimated to be around $400 million, Target paid $10 million to settle a class action lawsuit from affected customers. The company also agreed to a $67 million settlement with banks that issued Visa credit cards. A similar $19 million settlement with MasterCard issuers was rejected in May.