[BreachExchange] The mouse that roared

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 6 19:24:43 EDT 2017


http://www.boothbayregister.com/article/mouse-roared/87156

If you’ve been wondering when we entered this current age of cyber crime,
the event that signaled the beginning may well have been the 2013 data
breach at Target Corporation.

For those who have forgotten it, here’s a brief recap: At the height of the
holiday shopping season between Nov. 27 and Dec. 15, 2013, Target
Corporation was the victim of a cyber attack via malware that entered the
company’s point of sale system.

Before the damage was identified and brought under control, an estimated 40
million credit and debit card accounts were involved and an additional 70
million records had been exposed. All in, 110 million customers had been
cyber mugged.

It was an epic breach. If you like superlatives, this is your breach.
“Largest” and “historic” are adjectives that are applied to this breach
with good reason.

But what continues to surprise is the ongoing financial pain from this
breach. Target’s costs from the breach have now reached $202 million. This
includes settlements with attorneys general of 47 states (and the District
of Columbia) for $18.5 million, $39 million to the banks that issued
affected payment cards, and as yet unresolved additional lawsuits that may
put the total tab over $220 million for the retailer.

Why should we care? Here’s the most interesting part of this story: Those
in a position to know pretty much agree that the breach didn’t begin at
Target Corporation. It was from a computer at a company that provided
services to Target. Target Corporation was their customer!

It appears that an employee at that third party company opened an
attachment in an email and that simple act let the hounds of hell loose.
The malware found its way through the vendor’s computers and onto Target’s
point of sale system. I’m oversimplifying a bit, and experts believe that
Target should have had more robust security for its computer systems. But
just as “want of a nail” may cause the loss of a kingdom, the simple act of
clicking to open an email attachment can have far-reaching consequences.

Something as insignificant as a $7 mouse can cause a whole lot of damage if
someone uses it to open an attachment or a link to a website without first
considering what may happen.

Here’s the lesson to be learned from Target about our own computer
behaviors:

If you are an employee with access to your organization’s computers or you
are using a computer at home, please think about Target Corporation before
you open any attachment that shows up on your screen. If you are an
employer, consider a quick couple of hours of training for your employees
and reminders about computer use that may trigger a data breach. And
suppliers who have access to your organization’s computer systems need to
understand their roles in preventing cyber damage, too.

Target’s saga is a great reminder that no business, town government or
non-profit organization can afford to be complacent. That computer mouse
may be inexpensive, but misusing it can have a very high cost.