Tuesday 25 February, 2014
In late 2013, a security breach at major American retailer Target led to the compromise of data belonging to as many as tens of millions of customers.
The attack compromised 40 million credit card numbers and the personal data of 70 million people, with a whopping 110 million customers having data stolen in some way, shape or form.
Who was the culprit? Perhaps a worldwide consortium of mad genius hackers? No, the brains behind the attack was a single Russian 17-year-old who simply wrote a piece of code giving him access to Target’s point-of-sale system at all of its cash registers. When the cashier in Omaha, Nebraska, rings you up for your package of socks, the data goes to a teenager in Russia who sells it to bigger criminals on the black market.
How the Attack Happened
Somehow, the hacker managed to get their code uploaded into Target’s point-of-sale system. It was previously believed that the hacker was an IT specialist or disgruntled ex-Target employee. But it turns out that hackers obtained access by stealing credentials from an HVAC contractor who had recently done some work for Target. At the time of writing, it’s still not known exactly why a contractor had unfettered access.
Through these credentials, the hackers could upload malware to the system and continuously steal its data. This was done through a data mining software program that sent information straight from cash registers to hackers. Security experts are saying it looks like the BlackPOS program, which is available on hacker forums to anyone with about $2,000 and wicked intentions.
The BlackPOS program is interesting because it uses its own encryption to hide the data it steals. This is why the usual detection programs don’t work on it. Interestingly, this encryption technology was developed precisely to protect data.
Due to the access the hackers obtained and the program’s encryption, they could bypass the company’s more than 40 security programs, which include firewalls and data protection tools designed specifically for attacks like this. This shows how important it is that companies restrict access to their important customer data.
Getting Smarter to Prevent Further Attacks
The attacks continued from November 27th to December 15th. Hackers could get data from any of Target’s stores. This data was then quickly sold on the black market.
In response to the attack, the National Retail Foundation, representing Target, sent a letter to Congress charging that banks have failed to upgrade technology for processing American customer information. Target is doing its own very serious damage control, which includes issuing new smart cards that have encryption chips installed. This way, if someone obtains the data, it’s useless without the specific decryption key.
The teen suspect is now in custody.