The Target Breach 10 Years Later

March 12, 2024
This uber-breach was a wakeup call on the urgency to protect supply chains

Just over 10 years have passed since Target Corporation's cyberattack, which may have compromised 70 million debit and credit cards. Of the 11 gigabytes of data leaked in the event, up to 70 million people's names, mailing addresses, phone numbers, email addresses, and credit card information were exposed. Nobody knew how it happened at the time, but it was the first of several business alerts about how susceptible their vendor networks were to insider threats and external hackers.

After a forensic investigation, it was determined that the incident began when a phishing email tricked a Target employee who worked for a third-party vendor called Fazio Mechanical. Citadel, a password-stealing bot version, was installed on Fazio systems, as security blogger Brian Krebs first revealed. After Citadel was able to obtain Fazio's login credentials, the attackers were able to infiltrate Target's Ariba vendor portal, enter the company's internal network, and take over its servers.

Expensive Lesson in Cybersecurity

Several years after the breach, Target agreed to pay $18.5 million to settle claims by 47 states and the District of Columbia and resolve a multi-state investigation. It turned out to be a small settlement as a wave of breaches has escalated both the damage costs incurred by companies and consumers since.

While no one knew initially how the breach occurred, it turned out that hackers and cyber attackers accessed Target's gateway server through credentials stolen from a third-party vendor. This called attention to the vulnerability of supply chains and was a wake-up call for both industry and government.

Cyber-attackers will always look for the weakest point of entry and mitigating third-party risk of supply chains is now seen as critical for cybersecurity. Cyberattacks on supply chains may be conducted by nation-state enemies, spies, thieves, or hackers. Using the weakest links in the chain, they aim to compromise suppliers, contractors, companies, and systems. This is often accomplished via infiltrating networks with compromised or fake hardware and software, taking advantage of suppliers' lax security procedures, or using insider threats.

Cyber-attackers will always look for the weakest point of entry and mitigating third-party risk of supply chains is now seen as critical for cybersecurity.

As a result of the Target breach, both the public and private sectors have collaborated and developed strategies and tools for fixing the vulnerabilities of supply chains in the past decade. Strengthening industry and government cooperation, as emphasized by policy initiatives on supply chain security, has helped mitigate some of the threats to supply chain vulnerabilities.

To be more exact, initiatives were enacted aimed at implementing risk management procedures that find weak points in systems, particularly older ones, and that provide visibility into every aspect of the supply chain.

AI and Blockchain New Tools in Cyber Wars

In 2023-4 we are now using emerging technologies such as artificial intelligence and blockchain to track, notify, and evaluate supply chain operations—the use of cybersecurity tools to close operational gaps and vulnerability assessments. Data Loss Prevention (DLP), encryption, log management, identity, and access control systems, and SIEM platforms can help mitigate cyber threats. Stenographic and watermark technologies can trace software and items, and artificial intelligence and machine learning techniques can provide visibility and predictive analytics. Of course, cyber-hygiene, and training of employees is significant as are visibility and zero-trust protocols for all the parties involved in a supply chain.

There have been a variety of supply chain cybersecurity risk frameworks. The Department of Homeland Security (DHS), the Department of Defense (DOD) and the White House have all recently implemented supply chain security measures. The Department of Commerce’s NIST has suggested a practical one for supply chain security that provides sound guidelines from both government and industry.

NIST recommends:

  • Identify, establish, and assess cyber supply chain risk management processes and gain stakeholder agreement.
  • Identify, prioritize, and assess suppliers and third-party supplier partners.
  • Develop contracts with suppliers and third-party partners to address your organization’s supply chain risk management goals.
  • Routinely assess suppliers and third-party partners using audits, test results, and other forms of evaluation.
  • Complete testing to ensure suppliers and third-party providers can respond to and recover from service disruption.

The lesson 10 years after the Target breach is that although cyber-defenses are improving, the large surface attack area for criminal hackers continues to grow. And the supply chain on that surface can still be a weak link for breaches and exfiltration of data, including ransomware. Being proactive, and agile, and having a holistic risk management plan focused on preventing supply chain breaches is more important now than ever. 

Chuck Brooks serves as President of Brooks Consulting International. He also serves as an Adjunct Professor at Georgetown University, teaching graduate courses on risk management, and cybersecurity., Chuck has received presidential appointments for executive service by two U.S. Presidents and served in senior executive roles in industry during his career.

He has also been named "Cybersecurity Person of the Year" by Cyber Express, Cybersecurity Marketer of the Year, and a "Top 5 Tech Person to Follow" by LinkedIn” where he has 113,000 followers on his profile.

As a thought leader, blogger, and event speaker, he has briefed the G20 on energy cybersecurity, The US Embassy to the Holy See and Vatican on global cybersecurity cooperation. He has served on two National Academy of Science Advisory groups, including one on digitalizing the USAF, and another on securing Biotech. He has also addressed USTRANSCOM on cybersecurity and serves on an industry/government Working group for CISA focused on security space systems. He has an MA from the University of Chicago, a BA from DePauw University, and a certificate in International Law from The Hague Academy of International Law.