A Hack is Not Just for Christmas

December 4, 2015

It's becoming quite common to wake up in the morning and see yesterday's hacking stories in our inboxes or on our favourite news-feeds. To us they seem to erupt in a flurry of reporting, there's impact to the businesses and then usually within days, occasionally weeks, the excitement dies away and it's over. So it seems for those who aren't directly affected, but the ramifications roll on, reverberating like the aftershocks from an earthquake, re-emerging in a multitude of ways over the coming months and, yes, years. Getting hacked isn't a point-in-time event; it can change your business permanently.

As we barrel into Christmas, hopefully this year with heightened awareness of the risks that come from so much fresh data being created from our shopping, I thought it worth reflecting on one of the high-profile hacks of recent years that emerged right on Christmas' doorstep, one that is still rumbling on, impacting the company and customers involved. That company is Target.

For most, the Target hack has been consigned to the waste bin. It happened in late 2013, 2 years ago, and at the time we all reeled at the initial impact it had. The reports of the details of as many as 40 million credit cards being compromised, followed by the revelation that the personal details of up to 70 million customers had been exposed as well, led to customers avoiding Target in their droves. Turnover at the company tumbled a massive 46% as a result; in Q4 of 2013 they also spent a total of $61m in expenses relating to the breach (they did get $44m from insurance to offset that to only $17m in actual spend). By May 2014 the ongoing impact was profit around 16% down on expectations, all attributed to the hack. This is probably long past when most people had stopped being interested.

So, it would seem that the Target hack rumbled on for around six months with profits beginning to climb again. About mid-year, however, two of the C-suite were gone. The CEO resigned after just over six months in post; while this was almost certainly driven by the issues with the Canadian operation (which also contributed to the 46% slump in profit), the hack is seen as the catalysing event that forced him to take this action. The CIO, apparently strong in IT Security, was replaced.

During the early part of 2014, customers and banks were lining up to sue Target for losses relating to the credit card data being exposed: the customers to recover fraudulent charges and to cover the impact that had on them, the banks for the costs of the fraud and of reissuing the credit cards. The latter was estimated at $10 per card... that's 40 million cards, or $400m hanging over their heads. By March 2015, customers who brought a class-action lawsuit were awarded $10m, with individual claims of up to $10,000 in damages. April saw them agree $19m compensation with Mastercard, only to have that rejected days later as too low. Just over a week ago (25-Nov-2015), that was resolved with $19.11m to Mastercard along with $20.25m to banks and credit unions for their losses over this breach. Target have also agreed to pay the legal costs (up to $20m) for the plaintiffs.

All in all, Target are reporting $290m spent in dealing with this breach. It may not seem a lot when you look at their operating profit, but percentage-wise for a smaller organization this could have been devastating. Even two years on, it's not over for Target. They still face lawsuits from shareholders as well as investigations from the Federal Trade Commission and various State Attorneys General as a result of the breach. $290m not only reflects the monetary cost, it's also $290m of effort that was directed somewhere other than core business. Staff turnover has been high and growth has undoubtedly not been what it could, or should, have been. This latest judgement caused a minor 1.2% drop in the share price. For Target, this is definitely not over and will continue for some time.

Just before I close this post, I want you to look back to the start of this post and broaden your thought process. Read it again, but this time think of the companies that supply Target (directly and indirectly), think of the staff who work there and the customers who were affected. Imagine how they have been impacted through this process. How many companies in the Target supply chain have been impacted, possibly to the point of no return? Think of the emotional impact to staff who are working under the pressure of a company staring down the barrel of nearly half a billion dollars in losses. Of course we can't ignore the customers, many of whom saw fraudulent charges which, while they may eventually be reimbursed, are hell to deal with. Some customers were even the victims of identity theft, something that can be next to impossible to recover from. I'm sure you are now imagining the ripples spreading out, and just like ripples on a pond they bounce and reverberate for a very long time.

As a company, if you want to provide your customers with the best possible products and services, you need to include security of their data as one of those. I urge you to step back and get the basics right first: effective vulnerability management (go for the known exploitable vulnerabilities first), eliminate privileged user accounts (prevent lateral movement) and take control of access to shared privileged accounts. Do this and you'll have a simpler security model that will make your next security move many times more effective because you'll be doing it on a solid foundation. At BeyondTrust we know we aren't going to be the only security vendor you work with, but we do believe we should be one of the first.

Brian Chappell, Chief Security Strategist

Brian has more than 30 years of IT and cybersecurity experience in a career that has spanned system integrators, PC and Software vendors, and high-tech multi-nationals. He has held senior roles in both the vendor and the enterprise space in companies such as Amstrad plc, BBC Television, GlaxoSmithKline, and BeyondTrust. At BeyondTrust, Brian has led Sales Engineering across EMEA and APAC, Product Management globally for Privileged Password Management, and now focuses on security strategy both internally and externally. Brian can also be found speaking at conferences, authoring articles and blog posts, as well as providing expert commentary for the world press.
