The embarrassing 2013 data breach at Target Corp., which saw 40 million customer debit and credit card accounts exposed after attackers apparently gained access to the network through a third-party contractor, isn’t quietly going away.
Last week a U.S. federal judge allowed a class-action lawsuit by banks suing the retailer for damages for having to issue new cards to customers to go ahead. This week security writer Brian Krebs got his hands on a report commissioned by Target shortly after the breach to find out how bad its IT security was. The answer: Really bad.
The report, by communication provider Verizon’s security investigation team, concluded there were “no controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers.” Investigators were able to communicate directly with point-of-sale registers — which is where the original attackers placed malware to capture card data — and with servers from the core network. In fact, Verizon’s team was able to communicate directly with cash registers in checkout lanes after compromising a deli meat scale located in a different store.
What caught my eye was the Verizon team’s finding that Target’s password policy wasn’t enforced, which likely gave the attackers the means to install their malware. A file containing valid network credentials was stored on several servers, Krebs quotes the report as saying. In addition, systems and services had either weak or default passwords.
It only took the Verizon team a week to crack 472,308 of Target’s 547,470 passwords (86 percent) that allowed access to various internal networks, including 12 of 35 admin passwords.
While some staff used strong passwords with a mix of upper- and lower-case letters, numbers and symbols, they apparently were shared. For example, the password Jan3009# (presumably some big event happened on Jan. 3, 2009) was used by 4,312 people. Others were less smart: 8,670 had the password target, while 4,799 used the password sto$res.
(Advice to any employee in the retail industry: the password sto$res, or any derivative of the word “stores” that only adds a dollar sign, should no longer be used.)
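The two failures described above, thousands of accounts sharing one password and passwords that are thin disguises of company words, are both things a defender can audit for. The following is an added example, not code from the article or from Verizon’s report; the account list, the hashing scheme and the company word list are constructed for illustration.

```python
import hashlib
import re
from collections import Counter

def sha(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed sample: (username, password hash) as an auditor would pull from a
# directory export. Plaintexts appear here only to build the sample data.
SAMPLE_ACCOUNTS = [
    ("alice", sha("Jan3009#")), ("bob", sha("Jan3009#")), ("carol", sha("Jan3009#")),
    ("dave", sha("sto$res")), ("erin", sha("target")), ("frank", sha("T@rget2013")),
    ("grace", sha("correct horse battery staple")),
]
# Words tied to the company that should never be the basis of a password (assumed list).
COMPANY_WORDS = ("target", "store")
# Common symbol/digit substitutions, reversed ($ -> s, @ -> a, 0 -> o, ...).
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "5": "s", "!": "i"})

def candidates(pw: str) -> set:
    """Base-word guesses for a password: symbols dropped (sto$res -> stores) and
    substitutions undone, then symbols dropped (T@rget2013 -> target)."""
    lower = pw.lower()
    return {re.sub(r"[^a-z]", "", lower), re.sub(r"[^a-z]", "", lower.translate(LEET))}

def is_company_derived(pw: str) -> bool:
    # Substring match, so 'stores' and 'target2013' are both caught.
    return any(w in c for c in candidates(pw) for w in COMPANY_WORDS)

def shared_hashes(accounts, threshold: int = 2) -> dict:
    """Hashes used by at least `threshold` accounts; needs no plaintext at all."""
    counts = Counter(h for _, h in accounts)
    return {h: n for h, n in counts.items() if n >= threshold}

def audit(accounts, cracked: dict) -> list:
    """cracked maps hash -> plaintext from the auditor's own cracking run.
    Returns (username, finding) pairs for accounts that need a forced reset."""
    shared = shared_hashes(accounts)
    findings = []
    for user, h in accounts:
        if h in shared:
            findings.append((user, f"password shared by {shared[h]} accounts"))
        if h in cracked and is_company_derived(cracked[h]):
            findings.append((user, "password derived from a company word"))
    return findings

if __name__ == "__main__":
    # Pretend the cracking run recovered the three company-derived passwords.
    cracked = {sha(p): p for p in ("sto$res", "target", "T@rget2013")}
    for user, finding in audit(SAMPLE_ACCOUNTS, cracked):
        print(f"{user}: {finding}")
```

The sharing check works on hashes alone, so it can run continuously without anyone ever cracking anything; the company-word check is what a password-set policy should enforce up front.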
On the one hand, it is admirable that in a company the size of Target there were only 35 administrator passwords. On the other hand, Krebs quotes the report as saying the testers were able to “exploit several unauthenticated vulnerabilities on the internal network, compromised additional systems which eventually led to full access to the network through a domain administrator account.”
The report is another reminder to CISOs that they must set a tough password policy — including two-factor authentication — that is regularly and vigorously enforced.