Analyzing Target's Big Data Security Breach May, 2014
Disclaimer This document is the proprietary and exclusive property of Sutherland Global Services except as otherwise indicated. No part of this document, in whole or in part, may be reproduced, stored, transmitted, or used for design purposes without the prior written permission of Sutherland Global Services. The information contained in this document is subject to change without notice. The information in this document is for information purposes only. Sutherland Global Services® disclaims all warranties, express or limited, including, but not limited, to the implied warranties of merchantability and fitness for a particular purpose, except as provided for in a separate software license agreement. All confidential or proprietary information contained in Sutherland’s response shall at all times be and remain the sole and exclusive property of Sutherland Global Services, Inc.
© 2014 Sutherland Global Services Inc., All rights reserved. Privileged and confidential information of Sutherland Global Services Inc.
www.sutherlandglobal.com
What exactly has happened
The Breach
Target disclosed a breach of 40 Mn credit and debit card accounts over a 3-week period before Christmas of 2013.
In January 2014, the company additionally announced that the hackers also stole personal information such as names, phone numbers, email and mailing addresses from c. 70 Mn customers.
The breach attracted dozens of legal actions against Target.
Customer traffic and sales took an immediate hit, and Target is yet to fully recover from the same.
Target had installed a malware detection tool made by the computer security firm FireEye in early 2013, and there is enough speculation that when Target’s Bangalore security team alerted the Minneapolis HQ about the possible breach on November 30, 2013, no (or only inadequate) action was taken by the Target HQ.
“ … with the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different … like any large company, each week at Target there are a vast number of technical events that take place and are logged … through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon … based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow-up … ” >>>> Molly Snyder, Spokeswoman, Target
“ … the malware utilized is absolutely unsophisticated and uninteresting ... if Target had had a firm grasp on its network security environment they absolutely would have observed this behaviour occurring on its network ... ”
>>>> Jim Walter, Director of threat intelligence operation, McAfee
Source: Secondary Research, Sutherland Research and Analysis
www.sutherlandglobal.com August 6, 2014
Timeline of Breach
Hackers used credentials of an HVAC vendor to get into Target’s network, and spent several weeks scouting, in order to install malware programs.
Hackers sent credit card number-stealing malware to cashier stations in all domestic Target stores.
Hackers installed malicious code that sent card data to three hijacked ‘staging point’ servers in the U.S. before the data moved to Moscow.
On Dec. 2, the credit card numbers started flowing out. Target’s security system detected the hack, but the company failed to act (adequately).
Federal investigators warned Target of a massive data breach on Dec. 12.
Target confirmed and eradicated the malware on Dec. 15, only after 40 Mn credit card numbers had been stolen.
Source: Secondary Research, Sutherland Research and Analysis
Quick Stats on the potential impact
40 Mn: no. of credit and debit cards stolen from Target between Nov. 27 and Dec. 15, 2013
1 – 3 Mn: no. of cards stolen from Target successfully sold on the black market and used for fraud
46%: percentage drop in Target’s profit in Q4 2013 vis-à-vis a year before
53.7 Mn USD: the income the hackers are likely to generate from the sale of 1 - 3 Mn stolen cards
70 Mn: no. of records stolen that included name, address, email address and phone no of Target shoppers
61 Mn USD: amount spent by Target in breach related charges in Q4 2013
100 Mn USD: expected outlay for Target to upgrade payment terminals to support Chip-and-PIN enabled cards
200 Mn USD: cost to credit unions and community banks for reissuing 21.8 Mn cards, 50% of stolen cards
18.00 – 35.70 USD: median price range per stolen card, that got resold in the black market
Source: Secondary Research, Sutherland Research and Analysis
Key personnel who left Target and Experts’ take on the same
Resigning Executive | Designation | Replaced by
Beth M. Jacob | CIO | Bob DeRodes, CIO – Head of Security
Gregg Steinhafel | CEO | John Mulligan, current CFO and interim CEO
“ … ultimately, too much rained down on Gregg Steinhafel … there was no way he could escape the black vortex of news …”
>>>> Brian Sozzi, CEO and chief equities strategist, Belus Capital Advisors
“ … this is the first time a high-level CEO, to my knowledge, has actually been forced to resign or step down due to an IT breach, but you can guarantee that will put a lot of people on notice that this is something that, at the highest business level, people have to treat as an existential business risk … ” >>>> Brian Fitzgerald, Vice President, RSAEMC security division
“ … he [Gregg Steinhafel] was the public face of the breach. The company struggled to recover from it … it's a new era for boards to take a proactive role in understanding what the risks are … ” >>>> Cynthia Larose, Chair of the privacy and security practice, Mintz Levin Law Firm
“ … the information security community believes the resignation [of Gregg Steinhafel] will help raise information security to a C-level [corporate] issue … ” >>>> Craig Carpenter, Chief strategist, AccessData (a cybersecurity company)
“ … they [at Target] need some fresh blood at the top that can facilitate some change … they wanted to clear the slate and get it out there that they’re hearing investor calls for a new change at the company … ” >>>> Joe Feldman, Analyst, Telsey Advisory Group
Source: Secondary Research, Sutherland Research and Analysis
What lies ahead
The Solution
In May 2014, Target announced plans to have store credit and debit cards with chip-and-PIN security technology in order to mitigate the risk of similar frauds in future
To make the switch from PIN to chip-and-PIN, Target is in the process of replacing its registers with ones that can conduct transactions using the new technology. Target expects to have new terminals in all its U.S. stores by the end of September 2014.
Target’s CIO as well as CEO posts have new leadership in the form of Bob DeRodes and John Mulligan respectively
Target also started hosting a frequently updated FAQ and information section on its website to help address customer queries and assuage their fears
“ … as we aggressively move forward to bring enhanced technology to Target, we believe it is critical that we provide our REDcard guests with the most secure payment product available … this new initiative satisfies that goal” >>>> John Mulligan, CFO and interim CEO, Target
“ … migrating to chip-and-PIN technology is a major component of RILA's Cybersecurity and Data Privacy Initiative …the security features associated with chip-and-PIN technology will reduce the risk of fraud in the United States as they have done around the world where this enhanced fraud prevention technology has been in place for years … ” >>>> Sandy Kennedy, RILA president
Source: Secondary Research, Sutherland Research and Analysis