Inside Target, CEO Gregg Steinhafel Struggles to Contain Giant Cybertheft
Posted on 02/19/2014 10:58:29 AM PST by ImJustAnotherOkie
How Target Is Working to Manage Crisis After Theft of Credit and Debit Card Numbers From Millions of Customers
MINNEAPOLIS -- Executives settled around a square table inside a Target Corp. conference room here earlier this month and munched on store-brand snacks as they chewed over something far less appetizing.
Opinion surveys commissioned by the company found that the massive cybertheft that waylaid Target late last year had knocked confidence and trust in the 51-year-old retailer to an all-time low.
Some of the executives were frustrated. Target was having trouble shaking the fallout from a key decision by Chief Executive Gregg Steinhafel that made the crisis appear even worse than it already was.
(Excerpt) Read more at online.wsj.com ...
I don't know why retailers should have to keep any information except the transaction ID.
Supposedly the hackers gained access to Target’s systems via an HVAC contractor in Sharpsburg, PA who was a vendor to them.
Some employee at the HVAC firm clicked a link in one of those SPAM emails. The hackers infected that machine, and jumped into its connection to Target’s network used for billing and invoicing. And they were off to the races.
Scary to think you not only have to worry about your own company’s IT security, but that of thousands and thousands of vendors, some of whom employ idiots.
Retailers have the information from the sale. Many choose to keep it for a myriad of reasons, mostly with knowing more about their customer so they can increase sales.
For example Target can determine a woman is pregnant based on her buying.
In this case that data wouldn't have mattered, because the data was stolen at the time of sale from the credit card machine.
Why was Target using fourteen year old unpatched Microsoft code in every cash register open to the entire network?
It’s Target’s own damn fault for not proactively installing real-time monitoring of their servers. This is what happens when you have incompetent managers. Getting hacked happens to _everyone_. However, getting hacked and taking days upon days to figure out that it happened is just plain bad management. Heads should roll all the way up to the CEO level.
Target should become the poster child for how a company can die.
Slightly OT but a couple years back doing some side stuff for a decent sized retailer, I saw a red hat Linux cash register.
Red Hat Linux is very successful at what they do, it seems. They apparently have thousands of employees selling what is essentially open source software.
That has got to be like selling ice to an eskimo.
Rumor has it that they hacked a device, like a store terminal.
That however wasn’t the core issue, just a peripheral contributing factor.
The real issue in my eyes is why don’t the CC companies invest in a better infrastructure model. They make the real money without reinvesting. In fact this is crucial enough there should be a significant R&D (Not Implementation) project by someone like DARPA and design a next, next, next generation system.
They could have employed techniques such as examining the metadata on MS Office files authored by Target employees. E.g., you might try googling site:target.com filetype:xlsx. That turns up 172 hits, but the server is down for some reason, so, sorry, you'll now have to be content with the Google cache results. But apparently it was not down a few days ago, when Krebs visited. He was able to find internal Target Windows domain names and user names embedded in documents, potentially useful to an intruder trying to gain entry to more sensitive parts of Target's network.
MS Office is quite famous for its leaky nature. A favorite is change tracking in Word. As a collaborative author, you want it on, so that the changes made by you and your colleagues are visible. But you don't want it visible while you are writing, because that is very distracting. The problem is when you send the doc to an external party. If you forget to delete the change history, the recipient can set change tracking back to visible and potentially gain valuable insight at your expense.
I don’t support Target’s decision to support a behavior God detests, so I don’t trade with them.
The next generation credit and debit card systems are already in existence and deployed. Just not in the USA market. One of the other posters probably nailed it in describing it as the card companies maxing their profits by not reinvesting the radically better armored card technologies that are in wide use outside our borders.
The core problem was nothing was sandboxed by
The attack vector was either email or employees browsing Eastern European Porn Sites. Browsers need to be isolated from the core business of the corporation. In addition outside vendors also need to be isolated from internal networks. Cash registers running XP POS need to be sandboxed from internal networks. I also understand the malware was certified to create transmission caches and certified for transmission outbound.
The attack vector was either email or employees
Browsers need to be isolated from the core business of
Perhaps you should look into it before publicly demonstrating your ignorance on the matter.
Bingo...Take away the getaway car and you have a lot fewer bank robberies.
Years ago, when the Three Mile Island nuclear accident occurred, I said similar words about General Public Utilities, the owner of TMI.
Fascinating and I once experienced just that, but I don’t know how to delete the change history. Can you tell me?
As is your God-given right. Freedom of Association is natural.
Eastern European Porn Sites
It’s always fascinating to see people work to divest God from humankind and yet we’re in His image and likeness. Why wouldn’t His Laws benefit us?
All illicit activities attract a certain type. That’s why even when prostitution is legal or decriminalized you still get slave trafficking, drug abuse, sexually abused people and their mob-type pimps/pushers. Nothing new under the sun.
Cecil B. DeMille, who made the Charlton Heston film the Ten Commandments, observed that we don’t break the Ten Commandments, but break ourselves upon them.
Then, after following the removal instructions, I would google for such as ms word forensics and use the methods mentioned to attack both my original document and the scrubbed version and verify that nothing sensitive remains in the scrubbed version.
Being lazy, I've generally used the save-as-PDF method. But, depending on your needs, that may not be satisfactory, e.g., if the external recipient is supposed to edit and return the doc.
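Added example, not part of the thread or written by any participant: a pre-release check along the lines of the scrub-then-verify advice above, which opens a .docx as the zip archive it is and reports author metadata plus any tracked-change residue still stored in it. The function names, the `EXAMPLE\jdoe` account and the sample text are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"
DC = "{http://purl.org/dc/elements/1.1/}"

def audit_docx(data):
    """Report author metadata and tracked-change residue in a .docx (bytes)."""
    out = {"creator": None, "last_modified_by": None,
           "insertions": 0, "deleted_text": [], "revision_authors": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" in z.namelist():
            core = ET.fromstring(z.read("docProps/core.xml"))
            out["creator"] = core.findtext(DC + "creator") or None
            out["last_modified_by"] = core.findtext(CP + "lastModifiedBy") or None
        body = ET.fromstring(z.read("word/document.xml"))
    for ins in body.iter(W + "ins"):          # text added under change tracking
        out["insertions"] += 1
        out["revision_authors"].add(ins.get(W + "author"))
    for dele in body.iter(W + "del"):         # "deleted" text is still stored
        out["revision_authors"].add(dele.get(W + "author"))
        out["deleted_text"].append(
            "".join(t.text or "" for t in dele.iter(W + "delText")))
    out["revision_authors"].discard(None)
    return out

def is_clean(out):  # True when no author names or revision history remain
    return not (out["creator"] or out["last_modified_by"] or out["insertions"]
                or out["deleted_text"] or out["revision_authors"])

def make_sample(scrubbed):
    """Constructed sample holding only the parts the audit reads; values invented."""
    who = "" if scrubbed else "EXAMPLE\\jdoe"
    changes = "" if scrubbed else (
        '<w:del w:id="1" w:author="EXAMPLE\\jdoe"><w:r>'
        '<w:delText>floor price is 40</w:delText></w:r></w:del>'
        '<w:ins w:id="2" w:author="EXAMPLE\\jdoe"><w:r><w:t>price is 55</w:t></w:r></w:ins>')
    doc = (f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p>{changes}'
           '<w:r><w:t>Offer</w:t></w:r></w:p></w:body></w:document>')
    core = (f'<cp:coreProperties xmlns:cp="{CP[1:-1]}" xmlns:dc="{DC[1:-1]}">'
            f'<dc:creator>{who}</dc:creator>'
            f'<cp:lastModifiedBy>{who}</cp:lastModifiedBy></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()
```

Run `audit_docx` on both the original and the scrubbed file and release only when `is_clean` is true for the scrubbed one; for files from untrusted sources, parse with a hardened XML library rather than the standard-library parser.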