The biggest known corporate breach in U.S. history was perpetrated on Target in November, 2013. Hundreds of stories have been written about it in the news, on blogs and magazines. That comes as no surprise considering the current number of customers affected reaches upwards of 100 million.
The looming question in consumers minds remains. Who is responsible for the Target credit and debit card breach? Brian Krebs, and American journalist and investigative reporter who runs a computer security website has identified a likely suspect – Andrew Hodrievski of Odessa, Ukraine. Attempts to contact the suspect proved futile, but Krebs was able to email an associate of Hodrievski. After exchanging emails with the associate, Krebs Security was offered $10,000 not to publish the incriminating information. Hodrievski has not been arrested or questioned.
How Did They Do It?
The who question may have been answered, but the how question is still somewhat of a mystery to the public. Investigators have determined that the hackers were able to breach Target’s security through a third party vendor. Fazio Mechanical Service provided heating and air conditioning for the stores. After hacking into Fazio’s computer they gained the vendor’s username and password into Target. The hackers then used the same username and password to hack into the point of sale information where all customer information is stored.
Hackers then uploaded software to retrieve customer data for them. They tested the software on a handful of registers. Within two days they had access to a majority of Target’s cash registers and point of sale information. Thus the fraud began. Once they had customer data they sold the data on underground internet sites. The value of this data has gone down significantly as banks have purchased the same data, disabled cards and reissued new ones.
Investigators think the vulnerability was caused by the lack of two factor authentication for remote access, which is required by PCI Data Security Standards. PCI Standards help merchants to secure all Point Of Sale transactions. Apparently Target used one network for most of their data while they should have been two different networks. Isolating 3rd party remote access for vendors and customer data would have added another security measure needed and possibly helped prevent this type of security breach.
Beth M. Jacob, chief information officer and executive vice president for Target’s technology services resigned from her position on Wednesday, March 5, 2013, just one week after Target posted their 4th quarter losses of $1.5 billion dollars compared to the previous year’s figures. More encouraging news in this case would have been that the criminal behind the attack was arrested.
For consumers who are now worried about their accounts being drained by complete strangers there is no magic bullet. The best thing to do at this point is to learn how to set up automatic alerts from your bank to your cell phone any time a transaction on your account occurs. You can then call the bank immediately when you discover any unauthorized transaction and prevent further loss.