Last week, the biggest news in the payment industry was the breach at Target that compromised the data of 40 million customer credit and debit cards that were used between late November and early December. Happening during the busiest shopping time of the year, this would be a disaster for any merchant, let alone one of the most popular around.
Because the company and the U.S. Secret Service are still investigating, one thing has not yet been revealed: how the attack was actually carried out. That doesn't mean some things can't be inferred.
A recent article from Mercury News interviewed several security experts to try to piece together how an attack of this magnitude could have gone on for as long as it did. The best guess is to think like Hollywood.
While not quite as exciting as a blockbuster heist movie, the consensus is that this was "a meticulously planned and intricately coordinated attack to penetrate the retailer's defenses and make off with a spectacular booty."
Instead of Brad Pitt or George Clooney leading a team that infiltrated the company's headquarters, it was most likely handled by a few computer hackers working remotely and possibly a small group on the ground. Then, by using malware or taking advantage of a network vulnerability, the criminals would turn their attention to accessing the server.
"A hacker can find a tiny vulnerability to get into a server, and then move laterally to exploit other vulnerabilities," Ken Westin, a security researcher at Tripwire, told the news source. "Once you get your foot in the door, all heck breaks loose."
Another specialist interviewed in the piece is Tim Erlin, Tripwire's director of IT security and risk management. He mentioned that even though this could have been a carefully planned attack by highly trained criminals, Target may not be free from blame. Carelessness on the part of the department store could also be at fault.
"The company might have failed to follow the principle of 'least privilege' in giving data access only to systems that require it. Or it might have been negligent in not keeping all of its systems up to all-important Payment Card Industry data-security specs," Erlin said. "Regardless, the thing that strikes me is the level of organization, the level of planning in pulling off the data heist."
The article also tossed out other, less likely possibilities for how the attack happened. These include skimming equipment placed over card readers, criminals tampering with POS computers in individual stores, or people on the inside making it easier for criminals to get in and start playing around. However, the nature of the information stolen makes these methods seem unlikely.
The number of different ways that these criminals could have attacked Target should raise alarms for every business. Companies need to be aware of the tools that criminals have and of the steps they should take to ensure all credit card processing systems remain secure. With the help of a payment processing consulting firm that specializes in keeping retailers' data safe, any merchant can rest a little easier.