Keller Graduate School of Management
Of
DeVry University
Research Project 1: A Recent E-Commerce Threat Michaels Stores’ Breach
Nitesh Timilsina
E-Business Security (SEC573)
Kathleen Milburn
03/22/2015
Table of Contents
1. Threat identification, technical features, and vulnerabilities 1
2. Diagram depicting the mechanism of attack and exploitation 2
3. Potential or actual consequences 5
4. Risk assessment 6
5. References 8 1. Threat identification, technical features, and vulnerabilities
On January 2014, Michaels an art and craft retailer and its subsidiary Aaron Brothers, revealed that costumer information database consist of payment card number and expiration date been compromised. Costumer using credit or debit card at Michaels in between May 8, 2013 to Jan 27, 2014 compromised 2.6 million cards and at Aaron Brothers in between June 26, 1013 to Feb 27, 2014 been compromised 400,000 cards. The company committed to work with other parties to improve security of payment card transaction for all consumers.
An unauthorized and highly sophisticated malware that not been encountered previously by any security company attacked the point-of-sale systems where all the card information is stored. The outcome of this hacking been extensive and affected millions of customer’s personal and payment data was exposed, results in the payment card compromise of three million customers.
Point-of-Sale (PoS) is the system that used by
A direct cyberattack in 2014 to JPMorgan Chase caused a compromised of accounts effecting a total of 76 million households and seven million small businesses. We are clearly, in times when consumer confidence in the digital operations of corporate America is on shaky ground. In directly, banking is taking the brunt of the fallout but major stores also have breaches which of course are directly related to their financial data. Store like, Target, Home Depot and a number of other retailers have experienced major data breaches. 40 million cardholders and 70 million others were compromised at Target alone in 2013 and an attack at Home Depot in September, 2013 affected 56 million cardholders.
Restaurants have a tendency to be targets for cyber criminals. These criminals steal and reconfigure the payment card data for their own purposes. At the Heartland Cafe, Tom has a chance to be a target for a cyber attack by being in a high-traffic area. If the customer is compromised, Heartland Cafe will quickly lose public trust and perhaps Tom will lose the business altogether. Extra measures toward risk management should be taken to ensure that the business itself remains safe. Compliance with PCI-DSS protocols, PTS requirements and the franchisor should inform the franchisee of any software that could translate
In December of 2013, target corporation faced a serious security breach where over 40 million credit cards were stolen from different target stores. This paper is going to explore the problem, the background information about the problem, the controls that could have been in place to prevent the issue, the intended plan of control and the associated risks involved.
During the dates of November 27 through December 2013, the department store Target experienced a data breach in which approximately 40 million customers credit and debit cards were exposed. During this breach, customer’s personal information may have also been exposed for use of possible fraud. January 2014, Target
On December 18, 2013, one of the security bloggers, Brian Krebs, posted in his blog that Target, one of the biggest US retailers, had suffered a massive data breach. The next day, Target announced that data from more than 40 million credit and debit card accounts had been stolen from its systems, and noting that they started a thorough investigation. Perhaps learning from Target’s mistakes, other organizations could achieve a goal of better protecting themselves and their customers’ information.
During the dates of November 27 through December 2013, the department store Target experienced a data breach in which approximately 40 million customers credit and debit cards were exposed. During this breach, customer’s personal information may have also been exposed for use of possible fraud. January
The Target Corporation was exploited in December 2013 and then again in 2015. These breaches included customer’s personal identifying information and retailer’s data. This credit card data breach is a prime example of weak security and infrastructure. This breach happened over the course of one of the United States’ major holiday seasons, Christmas. The security issue involved hackers accessing Target’s customer 's credit and debit cards by the machines that were being used to swipe the cards. These hackers accessed Target’s network with a stolen username and password from a company that was providing refrigeration and HVAC services. This company could access Target’s network `remotely to monitor energy consumption and temperatures. With that, the hackers uploaded malware software on the Target’s credit card machines. The customer data hack happened across the nation, and it was performed in stores and not an online breach of Target customer information.
From November 27 to December 15, 2013 Target Corporation released 70 million customers’ personal information. On average, it takes companies 200 days to uncover they are being hacked (Lunden, 2015). It only took Target 12 days to figure out the crisis that began happening. On December 19, Target originally said only 40 million credit and debit card accounts may have been compromised during Black Friday weekend to December 15. “The information stolen included customer names, credit or debit card number, and the card’s expiration date and CVV” (McGrath, 2014). Although Target never clarified how they were hacked, security experts say that hackers targeted their POS system. “Target spent $61 million through Feb. 1 responding to the breach, according
Michael’s Store, Inc. is an arts & crafts Retail chain. It has more than 1040 stores located in 49 US states & Canada. The company also owns and operates the Aaron brother’s retail chain, which happens to have an additional 115 stores across the Country. Michael’s store Inc. had a Security breach, which took place between May 8, 2013 and January 27, 2014. About 2.6 million cards or about 7 percent of payment cards used at its stores during the period were affected. Alarmingly, its subsidiary Aaron brothers also had been breached between June 26, 2013 and February 27, 2014. It was reported that Aaron brothers had 400,000 cards impacted. The duration of the treacherous attack in total was 8 months (Schwartz, 2014). In this report, security breach of Michael’s store Inc. is analyzed. The topics covered are how the breach occurred, what did the authorities do to educate the customers & how in future such attacks can be avoided.
Identity theft is, unfortunately, a commonplace in today’s world. Technology is ever advancing and evolving making today’s purchases obsolete. The obsolesces of technology plagued TJX. The company was attempting to get through under the radar with the enterprise security systems. “Because of the lax security systems at TJX, the hackers had an open doorway to the company 's entire computer system” (Weiss, 2014). TJX was cognizant of the breach and withheld information from stakeholders of the business. “Once a breach is discovered notification to consumers is paramount.”
Once on Target’s network with elevated privileges the attackers were able to launch malware to the POS systems that would capture the credit card information of the consumers as they swiped their cards to pay for their items. They launched a second piece of malware that that would take the captured information and move it to a dump server on the internal network. Once the information was on the dump server it them
The Target data breach remains one of the most notable breaches in history, it was the first time a CEO of a major corporation was fired due to a security event. The breach received an enormous amount of attention, it caused corporations and individuals to change the way they think about information security and data protection. Between Thanksgiving and Christmas 2013 hackers gained access to 40 million customer credit cards and personal data of 70 million Target customers. The intruders slipped in by using stolen credentials and from there gained access to vulnerable servers on Targets network to launch their attack and steal sensitive customer data from the POS cash registers. All this occurred without a response from Targets security operations center, even though security systems notified them of suspicious activity. The data was then sold on the black market for an estimated $53 million dollars. However, the cost to Target, creditors, and banks exceeded half of a billion dollars. This report will review how the infiltration occurred, what allowed the breach to occur including Targets response, and finally who was impacted by the security event.
In December 2013, Target announced that massive amounts of credit and debit card information they collected over the years might be in the danger of theft. The credit card breach could affect as many as 70 million customers who swept cards in the retail stores or linked their cards with the membership card, the RedCard. Each card information contains a card number, holder’s name, address, phone number and etc. The more information the thieves got, the more conveniently the thieves could use them to get benefits from the card holders. Jia Lynn Yang and Amrita Jayakumar, the authors of “Target says up to 70 million more customers were hit by December data breach”, write about how bad people will use customers’ information to crime. These thieves possibly shop online by inserting the card information. They could also contact with the victims to gather more sensitive information, and even hack into their computers. This event forces us to seriously consider the crisis in how retails protect customers’ data (Yang &
Target, one of the nation’s largest retailers, had a data breach that had up to 40 million consumers have their credit card and debit card data stolen, while up to 70 million had their personal information stolen such as their addresses and phone numbers. Information from the credit and debit cards stolen was the names, the card numbers, expiration date and the CVV (card verification value). The consumer information that was stolen such as names, mailing addresses, phone numbers, and even email addresses. The breach took place during the holiday shopping rush of 2013. This breach damaged Target’s sales during the holiday season, and remains one of the largest data breaches in history.