A Hack is Not Just for Christmas

December 4, 2015

It's becoming quite common to wake up in the morning and see yesterday's hacking stories in our inboxes or on our favourite news-feeds. To us they seem to erupt in a flurry of reporting, there's impact to the businesses and then usually within days, occasionally weeks, the excitement dies away and it's over. So it seems for those who aren't directly affected, but the ramifications roll on, reverberating like the aftershocks from an earthquake and re-emerging in a multitude of ways over the coming months and, yes, years. Getting hacked isn't a point-in-time event; it can change your business permanently.

As we barrel into Christmas, hopefully this year with heightened awareness of the risks that come from so much fresh data being created from our shopping, I thought it worth reflecting on one of the high-profile hacks of recent years that emerged right on Christmas' doorstep, one that is still rumbling on and impacting the company and customers involved. That company is Target.

For most, the Target hack has been consigned to the waste bin. It happened in late 2013, 2 years ago, and at the time we all reeled at the initial impact it had. The reports of the details of as many as 40 million credit cards being compromised, followed by the revelation that the personal details of up to 70 million customers had been exposed as well, led to customers avoiding Target in their droves. Turnover at the company tumbled a massive 46% as a result. In Q4 of 2013 they also spent a total of $61m in expenses relating to the breach (they did get $44m from insurance to offset that to only $17m in actual spend). By May 2014 the ongoing impact was profit around 16% down on expectations, all attributed to the hack. This is probably long past when most people had stopped being interested.

So, it would seem that the Target hack rumbled on for around six months with profits beginning to climb again. About mid-year, however, two of the C-suite were gone.
The CEO resigned after just over six months in post. While this was almost certainly driven by the issues with the Canadian operation (which also contributed to the 46% slump in profit), the hack is seen as the catalysing event that forced him to take this action. The CIO, apparently strong in IT Security, was replaced.

During the early part of 2014, customers and banks were lining up to sue Target for losses relating to the credit card data being exposed: the customers to recover fraudulent charges and to cover the impact that had on them, the banks for the costs of the fraud and of reissuing the credit cards. The latter was estimated at $10 per card... that's 40 million cards, or $400m hanging over their heads.

By the time we get to March 2015, customers who brought a class-action lawsuit are awarded $10m with individual claims of up to $10,000 in damages. April saw them agree $19m compensation with Mastercard, only to have that rejected days later as too low. Just over a week ago (25-Nov-2015), that was resolved with $19.11m to Mastercard along with $20.25m to banks and credit unions for their losses over this breach. Target have also agreed to pay the legal costs (up to $20m) for the plaintiffs.

All in all Target are reporting $290m spent in dealing with this breach. It may not seem a lot when you look at their operating profit, but percentage-wise for a smaller organization this could have been devastating.

Even two years on, it's not over for Target. They still face lawsuits from shareholders as well as investigations from the Federal Trade Commission and various State Attorneys General as a result of the breach. $290m not only reflects the monetary cost, it's also $290m of effort that was directed somewhere other than core business. Staff turnover has been high and growth has undoubtedly not been what it could, or should, have been. This latest judgement caused a minor 1.2% drop in the share price.
For Target, this is definitely not over and will continue for some time.

Just before I close this post I want you to look back to the start of this post and broaden your thought process. Read it again but this time think of the companies that supply Target (directly and indirectly), think of the staff who work there and the customers who were affected. Imagine how they have been impacted through this process. How many companies in the Target supply chain have been impacted, possibly to the point of no return? Think of the emotional impact to staff who are working under the pressure of a company staring down the barrel of nearly half a billion dollars of losses. Of course we can't ignore the customers, many of whom saw fraudulent charges which, while they may eventually be reimbursed, are hell to deal with. Some customers were even the victims of identity theft, something that can be next to impossible to recover from. I'm sure you are now imagining the ripples spreading out, and just like ripples on a pond they bounce and reverberate for a very long time.

As a company, if you want to provide your customers with the best possible products and services, you need to include security of their data as one of those. I urge you to step back and get the basics right first: effective vulnerability management (go for the known exploitable vulnerabilities first), eliminate privileged user accounts (prevent lateral movement) and take control of access to shared privileged accounts. Do this and you'll have a simpler security model that will make your next security move many times more effective because you'll be doing it on a solid foundation. At BeyondTrust we know we aren't going to be the only security vendor you work with, but we do believe we should be one of the first.

Brian Chappell

Director, Product Management

Brian has more than 25 years of IT and cybersecurity experience in a career that has spanned niche system integrators, PC and Software vendors, and high-tech multi-nationals. He has held senior roles in both the vendor and the enterprise space in companies such as Amstrad plc, BBC Television, GlaxoSmithKline, and BeyondTrust. At BeyondTrust, Brian leads the Product Management of the flagship Password Safe product globally, ensuring the delivery of a world-class, industry-leading Privileged Password and Session Management solution. Brian can also be found speaking at conferences, authoring articles and blog posts, as well as providing expert commentary for the world press.
