Entries tagged with “Target Data Breach”.


Cyber security and data breaches remain front and center on the Congressional radar as the Senate Commerce Committee today holds a hearing on protecting consumers from data breaches.

The witness list includes John Mulligan, vice president and chief financial officer at Target, and Dr. Wallace Loh, president, University of Maryland. There’s an insurance industry witness too, with Peter Beshar, executive vice president and general counsel, Marsh & McLennan, giving testimony.

Recent data breaches at Target and the University of Maryland highlight the fact that organizations across many different business sectors are vulnerable to cyber attacks.

The February 18, 2014 UMD data breach compromised an estimated 309,079 student, faculty and staff records, including names, birth dates, university ID numbers and social security numbers.

The massive 2013 data breach at Target during the holiday season exposed the financial and personal information of as many as 110 million consumers.

A report released yesterday by the U.S. Senate Commerce, Science and Transportation Committee suggests that Target missed a number of opportunities to prevent the massive data breach. Hat tip to Reuters via Huffington Post, which reports on the findings here.

The Senate staffers’ report, titled “A Kill Chain Analysis of the 2013 Target Data Breach,” says key points at which Target apparently failed to detect and stop the attack include:

● Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.

● Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s systems.

● Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting Target failed to properly isolate its most sensitive network assets.

● Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network.

The report analyzes what has been reported to date about the Target data breach, using the “intrusion kill chain” framework, an analytical tool introduced by Lockheed Martin security researchers in 2011, and widely used by information security professionals today.

“This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach.”

Check out an I.I.I. whitepaper on cyber risks and insurance here.

The fallout continues in the wake of the massive data breach at Target in which hackers stole 40 million debit and credit card accounts from stores nationwide between November 27 and December 15.

USA Today reports that so far three class-action lawsuits have been filed in the wake of the incident, seeking more than $5 million in damages. Two of the cases were filed in California and one in Oregon.

The same USA Today article reports that the attorneys general in at least four states – Connecticut, Massachusetts, New York and South Dakota – have asked Target for information about the breach, in what is regarded as the first step to a possible multi-state investigation into the breach.

Meanwhile, the Krebs on Security blog, which broke the story of the Target breach last Wednesday, December 18, reports that card accounts stolen in the breach are flooding the underground markets. Check out the latest reports here and here.

For anyone who shopped at Target during the breach period, the New York Times has a helpful Q&A on what you should do.

While the latest studies indicate U.S. companies continue to improve their preparation for and response to a data breach, the security breach at Target highlights the vulnerability of major companies to this threat.

Both the organizational cost of a data breach and the cost per lost or stolen record declined last year, according to the 2013 Cost of a Data Breach study by the Ponemon Institute and Symantec.

The organizational cost of a breach declined from $5.5 million to $5.4 million and the cost per record from $194 to $188.

The Ponemon report also noted that while the cost of a data breach can vary widely because of the types of threats and data protection laws, the financial consequences are serious worldwide.

Check out I.I.I. facts and statistics on identity theft and cyber security.