Chapter Five Case: Targeting Target The biggest reteil hack in U.S history wasn't particularly Inventive, nor did it appear destined for success, In the deys prior to Thenksglving 2013, someone Installed malware in Target's security and paments system designed to steal every credit card used at the company's 1,797 U.S. stores. At the critical moment-when the Christmas gifts had been scanned and bagged and the cashier asked for a swlpe-the malware would step in, capture the shopper's credit card number, and store it on a Target server commandeered by the hackers It's a measure of how common these crimes have become, and how conventional the hackers approach in this case, that Target wes prepared for such an attack. Six months earlier, the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye, whose customers also Include the CIA and the Pentagon. Target had a team of security specialists In Bangalore to monltor its computers eround the clock. If Bangalore noticed anything suspicious, Target's security operations center In Minneapolis would be notified. On Saturday, Nov. 30, 2013, the hackers had set their traps and had just one thing to do before starting the attack: plan the data's escape route. As they uploaded exfiltration malware to hove stolen credit card numbers-first to staging points spread around the U.S. to cover thelr tracks, then into their computers in Russia-FireEye spotted them. Bangalore got an alert and flagged the security team In Minneapolis. And then Nothing Happened! For some reason, Minneapolis didn't react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company's data security operation, as well as elght fic knowledge of the hack and its aftermath, Including former employees, securlty researchers, and law enfortement officials. The story they tell is of an alert system, installed to p tect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers-and 70 milion addresses, phone numbers, and other pleces of per sonal Information-gushed out of its mainframes. When asked to respond to a list of specific questlons about the incident and the companys lack of an Immediate response to it, Target chalrman, president, and chief executive officer Gregg Steinhafel Issued an emailed statement: "Target was certified as meeting the standard for the pay- ment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we e conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security and are committed to learning from this experience. Whle we are still in the,midst of an ongoing investigation, we have already taken significant steps, including beginning the overhaul of our information security structure and the acceleration of our transition to chip-enabled cards. However, as the investigation is not complete, we don't believe it's constructive to engage in speculation.without the benefit of the final analysis." More than 90 lawsuits have been filed against Target by customers and banks for negligence and compensatory damages. That's on top of other costs, which analysts estimate could run into the bilions. Target spent $61 million through February 1, 2014, responding to the breach, according to its fourth-quarter report to investors, It set up a customer response operation, and in an effort to regain lost trust, Steinhafel promised that consumers won't have to pay any fraudulent charges stemming from the breach. Target's profit for the holiday shopping period fell 46 percent from the same quar ter the year before; the number of transactions suffered its biggest decline since the retailer began reporting the statistic in 2008.15 Questlons How did the hackers steal Target's customer data? What types of technology could big retailers use to prevent identity thieves from stealing information? What can organizations do to protect themselves from hackers looking to steal account data? In a team, research the Internet and find the best ways to protect yourself from Identity theft. Questions 1. Identify the different types of hackers and viruses and explain how a company can protect itself from hackers looking to steal account data. Authorities frequently tap online service providers to track down hackers. Do you think it is ethical 2. for authoritles to tap an online service provider and read people's email? Why or why not? Do you think it was ethical for authorities to use one of the high-ranking members to trap other gang members? Why or why not? 3. 4. In a team, research the Internet and find the best ways to protect yourself from identity theft