Lessons Learned From The Target Data Breach: Part 1

In the holiday shopping rush of December 2013 Target (TGT), the 1,778-store middle-market retailer, had one of the biggest data breaches in American business history.  The breach apparently affected 70-100 million customers and over 40 million cards (varying estimates exist) across all U.S. stores but excluded Target.com and stores in Canada.
The general consensus is that Fazio Mechanical Services, an HVAC contractor with access to Target’s networks, had its own network compromised via an e-mail phishing attack, normally an elementary attack method.  That attack installed malware that then reached Target’s network and installed further malware which copied personal data from Target’s payment processing terminals while it sat in the software/system’s “working memory area” or “cache” – that is, before it was encrypted to be sent to the bank for authorization.  This is part of the reason it was not detected quickly, and yes, these hackers were smart.

Yet Target also did a bad job separating their networks and servers while they were trying to save money by having fewer networks and broader access for those who needed them.  Yet I don’t see why an HVAC contractor would need to be so close to the networks that run the registers.  This is simply poor design.  I am sure the HVAC company could have done their job without access to the Target network.  Let’s hope they did not just want to upload HVAC reports and browse the network.
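The segmentation point above can be checked mechanically: given the flows a firewall permits between zones, compute every zone a foothold in the contractor zone can reach by chaining permitted flows, and flag any path into the register or payment zones. This is an added illustration, not code from the original post; the zone names and rule sets are constructed and do not describe Target’s actual network.

```python
"""Zone-reachability check for network segmentation (added example).

The zones and permitted flows below are constructed for illustration;
they are not Target's real network design.
"""
from collections import deque

# Each rule (source_zone, destination_zone) means traffic is permitted.
# "Flat" design: the contractor portal sits on the same trust chain as
# the registers, so one phished vendor account can walk all the way in.
FLAT_RULES = {
    ("vendor_portal", "corporate"),   # contractor billing / report upload
    ("corporate", "store_lan"),       # store management traffic
    ("store_lan", "pos"),             # registers live on the store LAN
    ("pos", "payment_gateway"),       # authorizations out to the bank
}

# Segmented design: contractors terminate in a DMZ and the POS zone
# talks only to the payment gateway.
SEGMENTED_RULES = {
    ("vendor_portal", "vendor_dmz"),
    ("corporate", "store_lan"),
    ("pos", "payment_gateway"),
}


def reachable_zones(rules, start):
    """Breadth-first search over permitted flows: every zone a foothold in
    `start` can reach transitively, not just the directly allowed hops."""
    adjacency = {}
    for src, dst in rules:
        adjacency.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adjacency.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def segmentation_violations(rules, untrusted, crown_jewels):
    """Untrusted zones from which any crown-jewel zone is reachable."""
    jewels = set(crown_jewels)
    return sorted(z for z in untrusted if reachable_zones(rules, z) & jewels)


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        bad = segmentation_violations(rules, ["vendor_portal"], ["pos", "payment_gateway"])
        print(f"{name}: violations={bad}")
```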

According to a recent Business Week article, “Target had a team of security specialists in Bangalore to monitor its computers around the clock.  If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.  On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route.  As they uploaded exfiltration malware to move the stolen credit card numbers—first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis.” (http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data)
Yet Target did not take this alert seriously, but why?  Fear of change, ego, poor leadership, and too much bureaucracy got in the way of the costly software’s effectiveness.  At the time of the breach FireEye was a new software tool for Target’s technology group, and what I know about new technology is that people delay embracing and learning new systems out of fear that those systems will be buggy or not as good as the old ones.  I understand this very well having worked part time in the P.C. dept. at Best Buy for more than 3.7 years representing Intel and related software makers Microsoft, Symantec, Trend Micro, and Adobe.  When Windows 8 came out all kinds of people were doubting it, not because it was bad but because it was more work to get to know, and if they saw something really different about it they were inclined to think it was a bug when in fact it was a useful design feature they didn’t yet understand.  The same bias can be applied to Apple computers.  People falsely think that they are immune from viruses because Apple designs them that way.  What a joke.  Apple computers are only as secure as their understanding of the latest virus.  Yes, it is true the Apple operating system is not targeted as much for viruses, but it is also not used as much and it is hardly used by large companies and governments.

Moving on, the CIO really needs to get behind any major software change like this, and if Target’s former CIO Beth Jacob was really behind FireEye she probably would have done something about the alerts it was giving her.  You would think as CIO she would want to act immediately and reduce any risk.  What was she doing at the time, giving some speech about how she was such a great leader in the industry while some high-buck corporate partner paid for her three-course lunch?  Clearly, her eye was not on the ball or even on Target (no pun intended), and she had a big enough ego to think she was smart enough and had put the right people on her team to take care of this.  Yet what an epic fail.  It is also likely that there were people some layers below Jacob who tried to inform others of the alert, but I am sure their voice of concern and reason got squashed by Jacob’s massive ego; after all, you can’t doubt a CIO – right?  I highly doubt everyone in Target’s IT security team was going to ignore these alerts, but it is too many layers of bureaucracy that got in the way of Target’s safety.  Target is better off with a more open style of bureaucracy where concerns can be heard at all levels and tools and processes are shared for innovative solutions – Google’s culture is a good example of this.

Target has also grossly underestimated the costs associated with the data breach in order to keep their stock price up, but of course they would never say it like that.  I am not alone in thinking Target’s $147 million figure is too low.  According to one analyst quoted in the New York Times, costs would rise even more over time: “I don’t see how they’re getting out of this for under a billion, over time,” he said, adding, “$150 million in a quarter seems almost like a bargain.” (http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-million.html?_r=0)

Those who have the stolen data are likely outside of the U.S., and when and if they use the data to commit fraud the ability of a U.S. corporation or court to go after them is diminished, time-consuming, and costly.  Moreover, since the U.S. is in the midst of negative geo-politics with parts of Europe, particularly Russia where some sources have traced the hack, those who have the data are likely to be bold in how they use it, and that’s where the cost to Target will add up.  The other areas where the costs will grow are Target’s own internal policy and procedure changes as well as the growth of their IT security staff and tools, but most importantly their investment in training must grow.  At present Target has more than 90 lawsuits against them regarding the breach, and that number is likely to grow, so the costs here are going to be huge overall.

Lastly, I am not all negative on the Twin Cities’ favorite corporate hometown hero, as I shop at Target often, have the REDcard, have been to their diversity events, and have also seen a lot of concerts and sporting events at both Target Field and the Target Center.  However, the mere fact that Target has the money and lobbying power to get their name in the community does not mean they are a true leader in the community.  As the data security community increases consumer awareness, retailers like Target will continue to be challenged to innovate, and that’s better for all people.

By Jeremy Swenson

Former FDIC Chair Sheila Bair Comments On Bank Bailouts, Peer-To-Peer Lending, And Tax Reform

On Tues, 04/08/14, former FDIC Chairperson Sheila Bair visited Minneapolis and offered commentary on the financial services industry, peer-to-peer lending, systemic risk, and the recent recession.  Bair is educated as an attorney and was Assistant Secretary for Financial Institutions at the Treasury Dept. and a professor at the University of Massachusetts Amherst before she moved over to chair the FDIC from 2006 to 2011.  At the FDIC Bair helped the nation’s financial system out of an exacerbated recession and unprecedented bank run from 2007 to 2010, but not without ruffling a few feathers.

Addressing a sold-out crowd including former Congressman Tim Penny and other elected officials, business people, students, and ethically minded community members, Bair had the honor of being the keynote speaker at Saint Mary’s University of MN’s publicly broadcast Hendrickson Forum on Ethical Leadership.  Bair opened her keynote by describing how unimpressed she was that when she arrived at the FDIC in 2006 the organization had little to no info on sub-prime lending and had to buy a database to conduct research on it.  This was in part due to the fact that sub-prime lenders were private and not a part of deposit institutions and thus slightly out of scope for the FDIC at that time.  Bair did not inherit a perfect FDIC, and it can be inferred that the FDIC should have been paying attention to sub-prime lending far sooner, as it was directly related to many elements that affect deposit institutions including real estate, entrepreneurship, income and tax, and community redevelopment.


Bair, now free from the constraints of holding a Washington office, spoke openly about how she felt hindered from speaking to the human element of the financial crisis while at the FDIC.  She indicated that although she was a part of the team that brokered the historic bank bailouts (2008-2009), she has some serious reservations about that, because it was “too generous and uneven” and “helped the banks far more than it helped homeowners and families”.  She also described regular disagreement with then Treasury Secretary Timothy Geithner and suggested he was too close to many of the bank executives who benefited from the bank bailouts.

She further described miscommunication and lack of collaboration as Geithner worked around her efforts at the FDIC, and the undertone of this was political disagreement over which agency should lead the recession resolution in terms of the banking industry.

At present, Bair supports the Dodd-Frank Act because it favors bankruptcy and a three-year clawback for executives over a bailout in the event of a bank failure.  Although Bair in the past has said she disagreed with Janet Yellen’s support for repealing the Glass-Steagall Act, she presently indicated she still supports the new Fed Chair and viewed her as a reliable Washington outsider.


When I directly questioned Bair on the growth of peer-to-peer lending she seemed cautious about its long-term viability, citing an unknown regulatory landscape, and even recounted that peer-to-peer lender Prosper lost many investors during the worst months of the recession.  In discussion with Bair I observed that she, like many banks, is in a wait-and-see mode with peer-to-peer lending, but she did indicate that for customers consolidating higher interest rate debt it can be a good thing, and that could in turn force banks to be more customer centric with better terms.

Yet I am more optimistic on peer-to-peer lending than Bair, in company with many respected peer-to-peer investors including Google, which invested $125 million in Lending Club, and the former CEO of Citigroup, Vikram Pandit.  It is really telling when the former Citigroup CEO goes against his own industry in favor of a tech-heavy new lending model, but he is right, because most customers no longer need the big bank branches and elaborate services that are fee heavy.  Moreover, peer-to-peer lenders offer attractive rates, diverse portfolio options, and low operational costs, and that keeps investors and borrowers happy.  Just like online news slaughtered traditional print media, as soon as peer-to-peer lending gets more regulatory backing it will slaughter traditional fee-heavy banks if they don’t adapt to this new environment.

When commenting on federal sequestration Bair showed frustration and disagreement over the automatic spending cut approach and instead suggested that tax rates be reduced and restructured in a number of areas to encourage more employment, keep businesses in the U.S., and encourage business innovation, which would in turn provide more income and employment, thus bringing in a greater amount of taxable income to offset her proposed tax reduction.  This truly can be a helpful aspect of the budget deficit issue, in that taxes in the U.S. are far too high and there are some needless loopholes that harm many and help few.  The 2.3% Medical Device Tax is an example of this, as it encourages the many medical device companies in MN to move their operations outside the U.S. due to the high tax cost, and it adds to their cost of doing business, thus reducing their ability to get favorable loans.

Lastly, as an advocate for consumer protection and creative thinking I asked Bair if she had any insight on what the massive Target data breach might mean for the banking and related industries — where an estimated 10-15% of the 40 million affected cards have encountered some type of fraud — and she reminded me that the banks are taking the losses before the retailer does.  Although she offered no specifics other than suggesting that debit cards are more relevant, she shared my concern that data security is a growing factor in financial regulation, yet I was then reminded that Bair is more of a politician and economist than a technologist.  Yet from an economic policy standpoint, if the nation encounters more data breaches like this it could drive the cost of goods up, thus forcing more costly and secure card payment products, perhaps with biometrics on them.

Photos by Rick Busch.

Written by Jeremy Swenson (c)