Remember that time Target was hacked through an air conditioner? Not “a Target storefront,” but the entire corporation and its customers’ information. The 2013 incident remains a touchpoint in the realm of cybersecurity for its sheer absurdity. A national retailer brought low because of a rattling metal box which was somehow connected to millions of customer credit or debit cards? Objectively funny…and a teachable moment on the merits of intelligent IAM implementation.
The biggest lesson drawn from the Target breach is not that cybersecurity experts were incompetent, but that hackers are smart. So long as a potential entry-point exists, no matter how small, it remains a risk. By unpacking how the breach was carried out and how it could have been prevented, this incident from nearly a decade ago can avoid repetition.
How an HVAC Defeated Target in 2013
So, how did the information of 70 million customers, along with 40 million of their credit cards and debit cards, get pilfered through an HVAC unit? The full roadmap to Target’s data breach is quite extensive and disappointingly didn’t involve a hacker jacking into an air conditioner. Rather, it started from the most common of attack vectors: human error. The hackers phished their way into the systems of refrigeration contractor Fazio Mechanical and installed a trojan. Soon enough, the necessary credentials were theirs.
At this point, the attack focused on Target itself. Target had provided Faizo with unsecured vendor access to their system. This allowed the hackers to infiltrate into Target’s point of sale system. From there, the hackers started monitoring and recording card data from card readers. They even employed a clever NetBIOS trick to steal card data from offline card readers.
The aftereffects from the hack were severe. Besides Target’s $18.5 MN settlement in 2017, the company publicly reported a loss of $202 MN, though some estimates place it as high as $252 MN. Because the attack took place during the holiday season, the attack hit the company especially hard. The attack caused Q4 profits to drop 46%. Target’s CEO stepped down. Affected customers filed over a hundred lawsuits. Even ten years later, the incident remains a black mark on the company, damaging customer confidence in Target’s ability to keep their data safe.
Proper IAM Implementation Could have Stopped the Breach
Only through a comprehensive IAM implementation could the incident have been avoided. By not setting up comprehensive protections for all attack surfaces, even those outside the company, Target was unknowingly counting down to a breach. Unsecured third-party partners leave a critical flank unguarded. A federated security solution, covering the full breadth of identities attached to the company, would leave no gap to find.
True, a mistake in that perimeter could leave open a gap all the same. However, that is why layered defenses are so important. Protected by automated monitoring driven by a robust PAM platform, Target could detect and lock down suspicious activity the moment it appeared. With well-defined policies enforced through adaptive MFA, the hackers could not hope to penetrate far. Additionally, such a system cuts down identity sprawl, which is very important for shrinking potential attack surfaces.
Furthermore, PAM and IGA would have played a further role in halting or at least limiting the damage done when the hackers tried to make changes to the system backend. A well-implemented PAM allows no changes without privileged permission. Even in cases where the security protocols are not so strict, PAM provides invaluable information. By recording the answers to the six critical security questions, the PAM solution enables much better tracking and control of a breach in progress.
IAM Implementation for Your Modern Threats
The landscape of cybersecurity has only grown more perilous in the decade since the Target breach. Though the countermeasures discussed above can prevent a repeat of the incident, experts must anticipate and prepare against future threats. The biggest challenge, especially for retailers, is addressing the compromise between security and efficiency, but recent developments can eliminate that compromise altogether. Identity orchestration enables efficiency through security. Orchestration unifies an identity fabric under a single viewport with comprehensive controls enabled by automation. Within such a platform, security systems work towards efficiency rather than against it.
In that same vein, enterprises must consider and work to implement remediation strategies. Security-minded IAM implementation provides for both auditing and for hemming in breach events. Constant flagging and data collection cuts back on the hassle of satisfying regulatory compliance. Additionally, by implementing a recovery strategy, enterprise security personnel react to emergencies much faster than if they were scrambling for a response. Be wary of complacency and aware of your enterprise’s limitations. An internal security solution can only get you so far. Bad actors can exploit the slightest vulnerability in your perimeter. As such, your best bet for avoiding potentially ruinous breaches is expert IAM implementation.
The best identity service is smart about enforcing your policy for third parties. It implements a robust IGA and PAM with active monitoring. Finally, it bundles all these critical solutions into a comprehensive identity orchestration platform which aids in better user experience as well as heightened security. Pursuing the best possible IAM implementation keeps enterprises and their customers secure. If they don’t, they might well find themselves “Targeted.”
