Target Data Breach, How Target Almost Lost Everything

  • By David Lukic
  • Published: Sep 22, 2020
  • Last Updated: Nov 23, 2023

One of the first notorious data breaches to hit the news hard was the Target data breach in 2013. Prior to this event, cybersecurity wasn’t taken as seriously as it is today. The professional changes that many businesses made in response likely saved billions of data points from falling into criminal’s hands.

There is a Target data breach case study done by security company ESET which describes how this single event transformed how cybersecurity experts evaluate retail security systems.

Is Your Information on the Dark Web?

Hackers stole 40 million credit card numbers and personal details for 70 million customers. In light of recent data breaches, this may seem small, but at the time, it was quite an offense to customers’ trust. The attack hit during the 2013 holiday shopping season, which somehow made it worse.

Along with credit card numbers, the cybercriminals also got away with PINs, customer names, email addresses, phone numbers, expiration dates, and security codes. This incident, combined with the Home Depot hack, effectively pushed credit card companies to move to a chip-based system with PINs and away from the magnetic strip style cards. The change is one of many that came out of the target hack. 

target data breach

How Did the Target Data Breach Happen?

Target’s 2013 breach kicked off when a third-party contractor for Target, Fazio Mechanical Services, fell victim to a phishing attack. This company remotely accessed Target’s network for billing purposes, contract fulfillment, and general management.

The emails sent to Fazio Mechanical Services contained malware that stole the employee’s credentials and granted the criminals access. Later investigations revealed that some standard cybersecurity procedures like malware detection software weren’t implemented in their day-to-day.

Malware started stealing customer information on November 27th, which wasn’t detected until three days passed. Target’s security team received a notice for a generic threat named “malware.binary.” Security experts believed the threat was relatively harmless and did not act on the warning.

It wasn’t until December 12th that the US Department of Justice uncovered the scope of danger and informed Target. An investigation began in collaboration with governmental agencies, and the malware was removed from Target’s network by December 15th.

What Did Target Do in Response?

Rather than a Target spokesperson or press release, news of the historic breach came from the independent cybersecurity blogger Brian Krebs. Target released its statement the next day while reporting on its investigation in tandem with the FBI and Secret Service.

Ignoring Target’s initial oversight, the company’s response was relatively quick after learning the seriousness of the threat. The company notified customers within four days and removed the malware during that time.

However, customer trust was at an all-time low, and Target needed to reassess its entire digital infrastructure. This included how they managed third-party contractors and cybersecurity systems.

  • Increased monitoring and recording of alerts
  • Enhanced segmentation of networks
  • Restricting vendor access
  • Resetting 445,000 employee and contractor passwords
  • Introducing 2-factor authentication

The most important of these changes is Target’s choice to segment its networks. This architectural approach divides large networks into separate subnets. This helps administrators better manage the data flow and isolate problems before they can harm the entire system.

What Information Was Stolen?

Hackers accessed Target’s database and downloaded the information to a European server. Details included credit and debit information from roughly 40 million accounts. However, the total number of customers affected could be as high as 110 million.

The stolen information included:

  • Card Types
  • Expiration Dates
  • Magnetic Stripe Data
  • Issuing Countries and Banks
  • Names
  • Contact Information

Black-market card vendors purchased this information. This passed everything to cybercrime operations attempting to steal identities, fabricate cards, and initiate phishing scams.

Cost of the Target Data Breach

According to IBM, the average data breach cost in 2022 was $4.35 million. However, just looking at America, the amount is more than twice as much at $9.44 million.

A few factors determine the price of a data breach in the US. Considerations like the company’s response time, legal fees, reputational damage, and level of fault are all considered. While Target had to pay an $18 million settlement, their estimated losses are over $200 million.

These losses came primarily due to bad timing. The breach began in late November and wasn’t resolved until mid-December. These months are the heart of the holiday shopping season, and Target couldn’t direct its full attention toward it.

Additionally, Target lost customers’ trust, and many people were unwilling to shop at their stores for a time. During this period, reported earnings dropped by 46 percent. Of course, there was also the cost of restructuring their cybersecurity networks, but those paled in comparison.

Takeaways for Cybersecurity

The Target data breach is the most significant retail data breach in history. Before it happened, many businesses relied on outdated and easily circumvented security systems. Below are a few of the biggest lessons the industry learned in 2013.

Prioritize the Switch to EMV

At the time of the attack, less than one percent of American credit cards used an EMV (Europay, Mastercard, and Visa) chip. The magnetic stripe used on most cards was outdated and ineffective for protecting against upcoming security threats.

The Target breach exposed millions of American PINs and magnetic stripes. This information allowed criminals to duplicate and use fraudulent cards.

Afterward, card issuers announced their plans to shift broadly into an EMV, or Chip-and-Pin, system. Merchants were given until October of that year to make the necessary changes, and gas stations received an additional year to transition.

The EMV Chip was revolutionary for financial security. It used a chip with a stored cryptogram to check for any alterations in the transaction. The chip also recorded individual transactions to ensure that the same transaction wasn’t made multiple times-which is a glaring sign of fraud.

Consider How Third Parties Fit into Security

Another effect of Target’s breach was it emphasized the dangers of allowing third parties to access a network. In the beginning, it was Fazio Mechanical Services that fell for a phishing scam, but it was Target who paid the price.

Despite the risk, avoiding working with other businesses on a supply chain is impossible. However, companies learned to check the cybersecurity measures of their partners thoroughly. Cybersecurity terms became a more entrenched part of contracts. Risk management clauses appeared in vendor dealings, and third parties were removed from non-essential data.

In Target’s case, this process became much easier after properly segmenting their networks.

Plan for When a Cyber Attack Gets Through

Cybercriminals are resilient and determined. Nearly half of American businesses have been targeted by phishing and other cyberattacks in the past few years. If it can happen to Target, which is in the top 10 largest retailers in the US, then it can happen to anyone.

So, it’s essential to have a plan ready.

Target’s initial response wasn’t the best. They ignored early warnings and then waited a few days to inform the public. Doing so made Target appear untrustworthy and irritated many customers amid the holiday shopping season. The entire incident could have been contained by reacting or double-checking the threat immediately.

If Target had a premeditated response plan for the company to follow, they wouldn’t have had to react off the cuff. Response plans typically include regulations over:

  • Designating leaders during an emergency
  • Announcing the breach to the public
  • Determining responsibility to governmental agencies
  • Investigating the attack

Stolen Target Information

How to Check if Your Data Was Breached During the Target Hack?

Target sent out letters to everyone who was affected by the data breach. If you shopped at any Target stores between Nov. 27 and Dec. 18, 2013, you should also review your credit card and bank statements from that time period to look for suspicious charges. The time to file a claim has passed, but you might be able to take legal action if you were not notified, and you were affected by the target hack. 

What to Do if Your Data Was Breached During the Target Hack?

Unfortunately, it is too late to file a claim with Target. The deadline of July 31, 2015 has passed, but you can still take some action. If you never received a notice from Target, you may still have some legal options. If you haven’t already taken the steps below, do so now:

  • Cancel the credit card you used at Target during the data breach and request a new one.
  • Change all your online passwords for banking and credit card accounts (use strong passwords with combinations of letters, symbols, and numbers).
  • Work with credit card companies to remove any fraudulent charges.
  • Get a copy of your credit report and sign up for credit monitoring (IDStrong.com offers this service).
  • Keep an eye out for phishing and other scam emails. 

Are There Any Target Lawsuits or Settlements?

There was a massive class-action lawsuit with a huge Target data breach settlement payout of up to $10,000 per customer. Target set up a website to inform people of the settlement and how to file a claim. The deadline to file (July 31, 2015) has passed, and no further claims are being accepted. In August of 2019, Target legal counsel began sending out payments to affected customers. Those that received payouts had to provide proof that the incident led to fraudulent charges, costs incurred restoring their credit, identity theft, or other serious consequences. 

Can My Stolen Target Information be Used for Identity Theft?

The information stolen during the Target data breach is exactly what is needed for identity theft. The personal details combined with credit card information and logins are more than enough to provide a hacker with what they need to infiltrate your other accounts and possibly even your computer. You cannot be too careful when protecting yourself against identity theft

What to Do to Protect Yourself When Buying from Retail Stores?

Hacking incidents may scare off some consumers, but most of us will continue to shop and use credit cards. However, there are steps you can take to keep yourself safe.

  • Use only one credit card for retail purchases and monitor your statements carefully each month.
  • Review bank statements and your credit report regularly to scan for fraudulent activity.
  • Invest in credit monitoring and consider a credit freeze where new accounts cannot be opened without your permission.
  • Keep all your devices updated with antivirus software and run scans often.
  • Use common sense and watch for suspicious scam emails that push you to click a link or download an attachment.
About the Author
IDStrong Logo

Related Articles

What is Data Leak and How to Prevent Accidental Data Leakage

Data breaches take many forms, and one of them is through data leak and accidental web exposure. M ... Read More

The Saga of T-Mobile Data Breach: 2013, 2015, 2021 and 2023 Hacks

T-Mobile has experienced a number of data breaches in the past decade. The first case occurred som ... Read More

Anthem Data Breach Exposed 78 Million Records

In the Anthem Data Breach of 2015, hackers were able to steal 78.8 million member’s records. ... Read More

Everything You Need to Know About Insider Data Breach

Data breaches are on the news frequently, but the average person doesn’t really know that much a ... Read More

The NSA Hack, How Did it Happen?

The National Security Agency (NSA) was the main attraction in a major data breach involving three ... Read More

Latest Articles

What You Need to Know about the Delta Dental Data Breach

What You Need to Know about the Delta Dental Data Breach

Delta Dental is a dental insurance provider serving over 90 million Americans. It offers coverage in all 50 states, Puerto Rico, and Washington, D.C. The company was established in 1966 in California as part of the Delta Dental Plans Association.

What You Need to Know about the Hot Topic Data Breach

What You Need to Know about the Hot Topic Data Breach

Hot Topic plays in the fashion, apparel, and shoe industry as a retailer of music-influenced apparel and accessories, such as jeans, tops, belts, dresses, pajamas, sunglasses, jewelry, and tees.

Google Voice Scams: What They Are and How to Stay Safe

Google Voice Scams: What They Are and How to Stay Safe

Google Voice scams continue to pose a risk for users of this service. Scammers continuously attempt to lure users into divulging their verification PIN code.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Notice

By proceeding with this scan, you agree to let IDStrong run a Free Scan of supplied parameters of your personal information and provide free preliminary findings in compliance with our Terms of Use and Privacy Notice. You consent to us using your provided information to complete the Free Scan and compare it against our records and breach databases or sources to provide your Free preliminary findings report.

Rest assured: IDStrong will not share your information with third parties or store your information beyond what is required to perform your scan and share your results.

Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address
Close