In a recent article, Brian Krebs gives us a little more insight into the credit card breach at Target in late 2013. The attack compromised over 40 million credit card accounts and has cost Target about $100 million, and details of how it happened are now coming out through the lawsuits making their way into court. The article offers some helpful pointers on what Target did wrong, so you might not make the same mistakes. Target hired Verizon as the breach was being discovered, and Verizon's report is the most detailed account of the breach we have seen so far:
- No controls limiting the Verizon consultants' access to any system, including devices within stores such as point of sale (POS) registers and servers
- The HVAC vendor was given 24×7 access to the network, with no limits on which systems or network segments it could reach
- Target had a password policy, but the Verizon security consultants found that it was not being followed
- Within one week, the Verizon security consultants reported that they were able to crack 472,308 of Target's 547,470 passwords (86 percent), credentials that allowed access to various internal networks
- The penetration testers also identified many services and systems that were either outdated or missing critical security patches
- Target's networks were scanned internally with Nessus, but the issues it found were never remediated
This makes for an interesting read.
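The password findings above are the kind you can check for yourself before a pentester (or an attacker) does it for you. Below is an added example of an offline audit in that spirit; it is not code from the Krebs article, the Verizon report, or Target. It assumes the hash dump holds unsalted SHA-256 hex digests (an assumption made so the example runs with the standard library; real Active Directory dumps are NTLM and you would feed those to hashcat or John with a proper ruleset). The user names, passwords, wordlist and mangling rules are all constructed for the example. It does two things: runs a small dictionary attack with a few mangling rules to measure the crack rate, and then checks whether the cracked passwords even met a typical complexity policy, which shows that some of them pass the policy and still fall to a wordlist.

```python
"""Offline password-hash audit: dictionary attack plus policy compliance check.

Added example, not code from the article or the Verizon report. Assumes an
unsalted SHA-256 dump (assumption; real AD dumps are NTLM and belong in
hashcat/John). All users, passwords and words below are constructed.
"""
import hashlib
import re
from itertools import product

# Constructed wordlist; a real audit would use a large public list plus
# company-specific terms (brand, store numbers, vendor names).
WORDLIST = ["target", "password", "welcome", "summer", "store", "register", "hvac"]

# Minimal mangling rules in the spirit of a cracker's ruleset.
SUFFIXES = ["", "1", "123", "2013", "!", "2013!"]

# A typical corporate policy: at least 8 characters, 3 of 4 character classes.
MIN_LENGTH = 8
CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def hash_password(pw):
    """Assumed dump format: unsalted SHA-256 hex digest of the password."""
    return hashlib.sha256(pw.encode()).hexdigest()


def candidates(wordlist):
    """Yield every base word in three case forms combined with every suffix."""
    for word, suffix in product(wordlist, SUFFIXES):
        for base in (word, word.capitalize(), word.upper()):
            yield base + suffix


def crack(hashes, wordlist):
    """Return {hash: plaintext} for each hash matched by a candidate."""
    targets = set(hashes)
    found = {}
    for cand in candidates(wordlist):
        h = hash_password(cand)
        if h in targets and h not in found:
            found[h] = cand
            if len(found) == len(targets):
                break  # nothing left to recover
    return found


def meets_policy(pw, min_length=MIN_LENGTH, min_classes=3):
    """True if the password satisfies the length and character-class rules."""
    classes = sum(1 for pattern in CLASSES if re.search(pattern, pw))
    return len(pw) >= min_length and classes >= min_classes


def audit(dump, wordlist):
    """Crack what the wordlist can, then report crack rate and policy status.

    Returns (summary, per_user). per_user[user]["policy_ok"] is None when the
    password was not recovered, since an uncracked hash cannot be checked.
    """
    cracked = crack(dump.values(), wordlist)
    per_user = {}
    for user, h in dump.items():
        pw = cracked.get(h)
        per_user[user] = {
            "cracked": pw is not None,
            "policy_ok": meets_policy(pw) if pw is not None else None,
        }
    n_cracked = sum(r["cracked"] for r in per_user.values())
    summary = {
        "total": len(dump),
        "cracked": n_cracked,
        "crack_rate": n_cracked / len(dump),
        # Passed the policy and were still cracked: complexity is not entropy.
        "cracked_but_compliant": sorted(
            u for u, r in per_user.items() if r["cracked"] and r["policy_ok"]),
        # Cracked and also in breach of the written policy.
        "policy_violations": sorted(
            u for u, r in per_user.items() if r["cracked"] and not r["policy_ok"]),
    }
    return summary, per_user


# Constructed sample dump (user -> hash); the plaintexts are shown for clarity.
DUMP = {
    "posadmin": hash_password("Target2013!"),     # policy-compliant, crackable
    "svc_hvac": hash_password("hvac123"),         # too short, 2 classes
    "store42": hash_password("welcome1"),         # 8 chars but only 2 classes
    "backup": hash_password("Summer2013"),        # policy-compliant, crackable
    "secops": hash_password("x7!Qv#9pLw2$Rm"),    # not in any wordlist
}

if __name__ == "__main__":
    summary, per_user = audit(DUMP, WORDLIST)
    print(f"cracked {summary['cracked']}/{summary['total']} "
          f"({summary['crack_rate']:.0%})")
    print("cracked but policy-compliant:", summary["cracked_but_compliant"])
    print("cracked and in breach of policy:", summary["policy_violations"])
```

On the constructed dump this recovers 4 of 5 passwords. Two of the four (`Target2013!` and `Summer2013`) satisfy the length and character-class rules, which is the point: a policy that is enforced only on complexity still lets wordlist-plus-rule passwords through, and a policy that is written but not enforced (the `hvac123` and `welcome1` cases) catches nothing at all. Running this against your own hashes, with a real cracker and a real wordlist, gives you the 86 percent number before someone else does.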