Target Hackers Lurked for Months Before Pouncing at Holidays

It looks increasingly likely that the hackers responsible for the massive data breach at Target were lurking inside the retailer's network for months before they started swiping customers' credit card data, according to security expert and blogger Brian Krebs.

Krebs was the first to break the news of the breach, in which 40 million cardholders' card data and 70 million customers' phone numbers and email addresses were compromised during the holiday shopping period. He describes the Target incident as an "advanced persistent threat," where hackers break into a network and lurk there undetected for days, months or even years, waiting for the most opportune time to strike.

"There's a lot we don't know, but I guarantee you the bad guys didn't break in November 26 and throw the switch on the 27th," Krebs says.

Krebs' latest investigation results have found that hackers broke into Target's network using the password of a heating, ventilation and air conditioning provider, Fazio Mechanical Services. It's common for retailers to have an HVAC provider monitor energy consumption and temperatures in their stores to save on costs and to alert managers if the temperature has become uncomfortable, Krebs writes. Such vendors need to be able to remotely access the system to make adjustments and upload patches and updates to the software.

Similarly, in another recent breach, major hotel chains such as Marriott, Holiday Inn and Sheraton became victims when a subcontractor that provides hospitality systems, White Lodging, was compromised between March and December. Debit and credit card data may have been stolen at 14 hotel properties managed by the firm.

Such incidents are drawing attention to the need for all companies, including banks, to better monitor the security tactics of vendors and other companies with which they partner. "The tier-one brands are often better protected than their suppliers are," says Tom Patterson, global general manager for cybersecurity consulting at Falls Church, Va.-based CSC.

"It's standard for advanced threats to attack a lower-tiered supplier and work their way up through," he adds. CSC recommends to all its big-brand clients that they extend their security policies throughout their supply chain. "It would help a tremendous amount if all their suppliers were held to the same high level of security standard that [big brands] themselves do."

The recent hacking events show that the Payment Card Industry's 2013 guidance on vendor access management was timely, says Alphonse R. Pascual, senior analyst of security, risk and fraud at Javelin Strategy & Research. PCI Data Security Standard 3.0, which came out last year, requires companies that deal with cardholder data to pay close attention to the security policies and practices of third parties that have access to this data.

The seemingly endless stream of data breaches — Barclays's announcement Monday that as many as 27,000 customer files were "leaked" in a data breach dating back to 2008 is the latest incident — also shows the need to focus on early detection of inappropriate data access, both in a bank or card issuer's own network and in those of its partners.

In some client engagements, CSC investigators have discovered that clients had hackers in their networks for well over a year but had yet to actually transfer data out of the company's network.

These breaches also show that passwords are a poor way to authenticate users, Pascual notes. "They're a vestige of Roman times — we're talking the fifth and sixth century B.C.," he says. "We have better alternatives at this point and the fact that in an age of biometrics, we still put pen to paper, shove it in a drawer, and call that our secret code, is a bit naïve. The fact is, when passwords are compromised, people shouldn't be overly surprised. It didn't blow my mind to hear that it was a vendor password."

The New York Times reported in a Jan. 17 article that Target's entire network is far more open than most observers believed, stating that the retailer's systems lacked the "virtual walls and motion detectors found in secure networks like many banks."

"I think it's easy in hindsight to say anything is open," Patterson says. "Most companies defend their perimeters better than they defend their interiors." CSC advises that companies take internal security as seriously as external security — for instance, separating human resources and IT administration systems from other parts of the network. That way, even if intruders broke in through the firewall, they wouldn't be able to roam at will through the company's network; there would be interior barriers keeping them away from sensitive information.

There's been much speculation about whether Target was negligent in the way it protected its cash registers, point-of-sale terminals, networks and databases from attack.

But Krebs says the attack was a sophisticated one. "Everyone wants to beat up on Target [and other companies that have suffered a breach] about not doing enough to protect themselves," he says. "But at the end of the day, if these guys had this kind of access for this amount of time, there's a lot of damage they can do, regardless of what security these companies have deployed.

"The guys that pulled this off knew what they were doing — they're good at this type of theft and it's very likely they had a lot of time to prepare for it," he says.

Two things would have made this breach less likely or lower impact, Krebs says. One is "if the retailers and banks would stop their dickering and push out chip and PIN, it wouldn't stop the theft of credit card information, but it would make these types of breaches a lot less attractive."

The second is a focus on discovering breaches much sooner. "If you look at the Verizon breach reports [referring to Verizon's annual Data Breach Investigations Report], they'll tell you it's very common for companies to be breached for months before they figure it out, and they usually don't figure it out on their own," he says.

One problem is that most retailers tend to only look for signatures of known malware, the absence of which gives them a false sense of security. By looking for any unusual behavior in access to data or documents and the escalation of access privileges, a company can catch advanced threats before they steal data.
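As an added illustration of the behavior-based monitoring described above (example code written for this page, not anything from Target, CSC or Krebs), the following Python runs over a constructed access log and flags the three patterns the article points at: a role granted to a third-party account, an account reaching a zone outside its learned baseline, and a bulk export from that zone. The log format, the account names and the zone labels are assumptions.

```python
from collections import defaultdict

# Constructed sample access log (not real Target data): ts account action target.
# "hvac-vendor" is a hypothetical third-party account that should only ever
# touch the building-management zone ("bms"); the later lines model the drift
# the article describes: a vendor credential reaching card-data systems.
SAMPLE_LOG = """\
2013-11-10T08:00:01 hvac-vendor login bms
2013-11-10T08:05:12 hvac-vendor read bms
2013-11-11T09:10:00 hvac-vendor read bms
2013-11-13T08:00:00 hvac-vendor read bms
2013-11-14T10:00:00 it-admin grant_role hvac-vendor
2013-11-15T02:13:44 hvac-vendor read pos
2013-11-15T02:14:02 hvac-vendor read cardholder-db
2013-11-15T02:20:00 hvac-vendor export cardholder-db
"""
THIRD_PARTY = {"hvac-vendor"}  # accounts that belong to outside vendors

def parse(log_text):
    """Split each non-empty line into (timestamp, account, action, target)."""
    return [tuple(line.split()) for line in log_text.splitlines() if line.strip()]

def baseline_zones(events, cutoff):
    """Zones each account touched during the learning window (before cutoff)."""
    base = defaultdict(set)
    for ts, acct, action, target in events:
        if ts < cutoff and action != "grant_role":  # ISO timestamps sort as strings
            base[acct].add(target)
    return base

def detect(log_text, cutoff, third_party=THIRD_PARTY):
    """Look for behaviour, not malware signatures: a role granted to a vendor
    account, an account touching a zone outside its baseline, a bulk export."""
    events = parse(log_text)
    base = baseline_zones(events, cutoff)
    alerts, reported = [], set()
    for ts, acct, action, target in events:
        if ts < cutoff:
            continue
        if action == "grant_role":
            if target in third_party:  # target is the account receiving the role
                alerts.append(("priv_escalation", ts, acct, target))
        elif target not in base[acct] and (acct, target) not in reported:
            alerts.append(("new_zone", ts, acct, target))
            reported.add((acct, target))
        if action == "export":
            alerts.append(("bulk_export", ts, acct, target))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, "2013-11-12T00:00:00"):
        print(*alert)
```

Each new-zone finding is reported once per account and zone, so a single vendor session that fans out across systems produces a short, readable alert list rather than one line per request.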

"Most companies haven't been subject to these kinds of advanced threats before, so none of them are geared to look for this," Patterson says. "That's the bad news. The good news is, it's no more expensive or time-consuming to look with advanced threat detection as it is to look with yesterday's old-style detection."

Still, Patterson worries that, once the attention surrounding the Target breach fades, firms will be less vigilant about thwarting attacks.

Massive data breaches like Target's tend to stir up worry and interest, but then die down after a time, and everyone goes back to business as usual. Many of the same discussions about tougher security taking place today took place in the wake of the T.J. Maxx data breach of 2006 and the Heartland Payment Systems breach of 2007.

"Industries get excited for a while — it's a big event and they say they're going to make a lot of changes," says Patterson. "If they don't act then, during that window, something else does tend to come along. I can pull out my notes from after the T.J. Maxx breach five years ago and talk to you about the same recommendations for the industry we were talking about then."

MORE FROM AMERICAN BANKER