
Project Attack Case Study

Uploaded by

rahultheone81

Case Study

POS (Point-of-Sale) Malware Attack

Target Data Breach

© Copyright IBM Corp. 2023


Description of the Attack Category:

•Category: Point-of-Sale (PoS) Malware Attack

1. Description: A PoS malware attack involves malicious software targeting point-of-sale systems to capture payment card information. The malware often resides in the system’s memory, intercepting and exfiltrating card data during transactions. In the Target breach, attackers used malware to access card data from PoS terminals, which was then transmitted to external servers controlled by the attackers.

2. Statistic: In 2013, the year of the Target breach, PoS malware attacks were responsible for a significant proportion of data breaches in the retail sector. According to the Verizon 2014 Data Breach Investigations Report, 40% of the breaches in the retail industry involved PoS systems.

Sources:
•X-Force Threat Intelligence Index 2023
•Verizon 2014 Data Breach Investigations Report
•Wikipedia: Point-of-Sale Malware

Company Description and Breach Summary

Breach Summary:

•Incident: Target Data Breach

•Date: Disclosed in December 2013

•Summary: In December 2013, Target disclosed a significant data breach affecting approximately 40 million credit and debit card accounts. The breach occurred through malware installed on Target’s point-of-sale (PoS) systems. Attackers gained access to cardholder information, including card numbers, expiration dates, and security codes. The breach was initially detected in mid-December but had begun as early as November 2013. Target later revealed that an additional 70 million records containing customer personal information, such as names, addresses, phone numbers, and email addresses, were also compromised. The breach led to widespread financial losses, increased scrutiny of Target’s security practices, and a major public relations issue.

Sources:
•Target Data Breach 2013 Summary

Timeline

1. November 2013: Initial Malware Installation
•Attackers installed malware on Target’s point-of-sale (PoS) systems through a third-party vendor, gaining access to the network.

2. December 15, 2013: Detection of Breach
•Target's security systems detected unusual activity and malware on its PoS systems, leading to the discovery of the breach.

3. December 19, 2013: Public Disclosure
•Target publicly disclosed the breach, revealing that approximately 40 million credit and debit card accounts had been compromised.

4. December 20, 2013: Investigation and Response
•Target began working with federal law enforcement and cybersecurity firms to investigate the breach and mitigate further damage.

5. January 10, 2014: Additional Data Exposure
•Target revealed that an additional 70 million records containing personal information, including names, addresses, phone numbers, and email addresses, were also compromised.

6. March 2014: Settlement and Legal Actions
•Target agreed to a $10 million settlement to compensate affected customers and announced plans to enhance its cybersecurity measures and offer credit monitoring services.

Vulnerabilities
The Target data breach was primarily due to multiple vulnerabilities in Target's cybersecurity
infrastructure and third-party vendor management. The attackers exploited weaknesses in
network security, endpoint protection, and monitoring systems to gain unauthorized access to
sensitive data. The breach highlights the importance of robust security measures across all layers
of an organization, including third-party vendors.

Vulnerability 1: Third-Party Vendor Weakness
•Description: Attackers gained access to Target's network through compromised credentials from a third-party vendor, Fazio Mechanical Services. This vendor was connected to Target's network for HVAC system management.
•Impact: The breach of third-party vendor security allowed the attackers to infiltrate Target’s internal network.
•Source: Krebs on Security

Vulnerability 2: Inadequate Network Segmentation
•Description: Target’s network lacked sufficient segmentation between its PoS systems and other internal systems. This allowed malware to move laterally within the network after initial compromise.
•Impact: Attackers were able to access sensitive payment information from compromised PoS systems and spread malware throughout the network.
•Source: Forbes Report

Vulnerability 3: Failure to Implement Effective Endpoint Protection
•Description: Target’s endpoint protection was insufficient to detect and prevent the malware used in the attack. The malware exploited vulnerabilities in the PoS systems without being detected by the existing antivirus software.
•Impact: The malware went undetected for several weeks, during which it captured payment card data from affected systems.
•Source: The Verge

Vulnerability 4: Weak Security Monitoring and Incident Response
•Description: Target’s security monitoring system failed to recognize and respond to suspicious activity in a timely manner. Alert signals from the malware were not acted upon promptly.
•Impact: The delay in detection and response allowed the attackers to exfiltrate large volumes of data before the breach was identified and mitigated.
•Source: Reuters
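
An added example (not part of the original slides) of how the segmentation and monitoring gaps described above can be checked: it audits flow records against a zone allow-list and flags traffic that reaches PoS terminals from other zones, and PoS traffic that leaves the network. The zone names, address ranges, ports and flow records are all constructed for illustration.

```python
import ipaddress

# Hypothetical zones and address ranges (constructed for this example).
ZONES = {
    "vendor": ipaddress.ip_network("10.10.0.0/24"),   # third-party vendor access
    "pos": ipaddress.ip_network("10.20.0.0/16"),      # point-of-sale terminals
    "payment": ipaddress.ip_network("10.30.0.0/24"),  # payment processing hosts
    "corp": ipaddress.ip_network("10.40.0.0/16"),     # other internal systems
}

# Allow-list of (source zone, destination zone, destination port); all else is flagged.
ALLOWED = {("pos", "payment", 443), ("vendor", "corp", 443)}

def zone_of(addr):
    """Return the zone name for an address, or 'external' if none matches."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"

def audit(flows):
    """Return (reason, flow) findings for flows outside the allow-list."""
    findings = []
    for flow in flows:
        src, dst, port = flow
        sz, dz = zone_of(src), zone_of(dst)
        if (sz, dz, port) in ALLOWED:
            continue
        if sz == "pos" and dz == "external":
            reason = "pos-egress"        # PoS host sending traffic off-network
        elif dz == "pos":
            reason = "lateral-to-pos"    # another zone reaching PoS terminals
        else:
            reason = "not-allowed"
        findings.append((reason, flow))
    return findings

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.30.0.5", 443),    # PoS -> payment host, allowed
    ("10.10.0.7", "10.40.2.9", 443),     # vendor -> corp portal, allowed
    ("10.10.0.7", "10.20.1.15", 445),    # vendor zone reaching a PoS terminal
    ("10.40.2.9", "10.20.3.8", 445),     # corp host reaching a PoS terminal
    ("10.20.3.8", "203.0.113.50", 21),   # PoS terminal sending data outside
]

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

Run against real flow exports, every finding is either a missing allow-list entry or a segmentation gap that should raise an alert.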

Costs and Prevention

Costs

Financial Losses estimated at around $162 million, including settlements and other expenses.
•Source: Forbes

Reputational Damage
•Source: The Verge

Regulatory Fines and Legal Fees
•Estimate: Costs included settlements with banks and payment card companies, as well as legal expenses.
•Source: Reuters

Prevention

• Enhance Third-Party Vendor Security
• Improve Network Segmentation
• Upgrade Endpoint Protection and Monitoring.
