
Target data breach settlement requires security improvements

News roundup: The Target settlement following the 2013 data breach requires the company to adopt a stronger security program. Plus, experts knock the FCC's DDoS claim, and more.

Target Corp. reached another settlement this week over its 2013 data breach that compromised tens of millions of customers' information, and this one will require the retailer to make more than just a million-dollar payout.

In the data breach settlement, Target agreed to pay $18.5 million to 47 states and the District of Columbia. More importantly, Target also agreed to follow certain guidelines to create a security program. Within 180 days of the agreement, the retail giant must "develop, implement and maintain a comprehensive information security program" to protect the data it collects from its customers.

"Families should be able to shop without worrying that their financial information is going to get stolen, and Target failed to provide this security," said California Attorney General Xavier Becerra in a statement following the Target settlement. "This should send a strong message to other companies: you are responsible for protecting your customers' personal information. Not just sometimes -- always."

The data breach settlement states that Target must write up the details of the security program and include the scope of its operations and activities, as well as the level of sensitivity of the customer data it collects. The program can be based on the existing security structure -- which Target has taken steps to improve since the 2013 breach -- but it must meet the guidelines set out by the courts.

One of these guidelines in the Target settlement is that the retailer is now required to hire an executive officer to run its new security program and serve as a security advisor to the CEO and board of directors.

The data breach settlement also covered some more technical details about what will be required of Target, including software support.

"Target shall make reasonable efforts to maintain and support the software on its networks, taking into consideration the impact an update will have on data security in the context of Target's overall network and its ongoing business and network operations, and the scope of resources required to address an end-of-life software issue," the Target settlement document reads.

As part of the Target settlement, the company will also be required to encrypt customers' personal data that it stores on desktops in the cardholder data environment, as well as customer data stored on laptops or other portable devices and transmitted wirelessly or across public networks.

The settlement agreement also outlined requirements for Target to implement segmentation, access control and management -- including two-factor authentication on its individual, administrator and vendor accounts -- file integrity monitoring, whitelisting, logging and monitoring, change control systems for its networks, separate development environments, payment card security and devaluing payment card information.

Finally, Target must bring in a third-party assessor to provide a report on the company's mandated security efforts to the state attorneys general involved in settling this case. Prior to this data breach settlement with state governments, Target had settled two other lawsuits over the 2013 incident -- one with customers for $10 million, and one with credit card companies for a total of $106 million.

In other news

  • The U.S. Federal Communications Commission claimed that multiple distributed denial-of-service attacks were responsible for a website failure that prevented people from submitting comments about net neutrality. FCC Chairman Ajit Pai plans to reverse the net neutrality rules currently in place, and people are free to leave comments about the move on an FCC webpage. Following a segment on the TV show Last Week Tonight with John Oliver that criticized the FCC's rollback of net neutrality rules, the website crashed, and the cause was initially assumed to be an influx of people trying to comment. However, the FCC has since released a statement saying that DDoS attacks from unknown threat actors were responsible for the website's downtime. "These were deliberate attempts by external actors to bombard the FCC's comment system with a high amount of traffic to our commercial cloud host," said FCC CIO Dr. David Bray in the statement. "These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC. While the comment system remained up and running the entire time, these DDoS events tied up the servers and prevented them from responding to people attempting to submit comments." There has been significant pushback from security experts about the FCC's claim that DDoS attacks were responsible for the outage, including a petition from Fight for the Future that claims the FCC has "zero evidence" of the attacks and that "it seems likely that this alleged DDoS attack is their way of covering up the fact that they never actually fixed their website so that it could handle the large volume of comments from supporters of net neutrality."
  • Despite Samsung's claim that iris-based authentication is "one of the safest ways to keep your phone locked," hackers with Chaos Computer Club (CCC) have already succeeded in breaking into the Galaxy S8 smartphone with a cheap, easy attack. "With a simple to make dummy-eye the phone can be fooled into believing that it sees the eye of the legitimate owner," the CCC explains in a post. "Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can trivially unlock the phone." All attackers would need to unlock a phone using iris-scanning authentication is a digital camera, a laser printer and a contact lens. The simple technique means the "hack" can be done by taking a picture of the user's face or eye, printing it out and superimposing it on a contact lens and the Samsung Galaxy S8 will unlock. The CCC hacker who discovered this, known as Starbug, is also responsible for demonstrating in 2013 that the Android and Apple Touch ID authentication could be bypassed with fingerprints that were collected off of glass.
  • Google Project Zero security researcher Tavis Ormandy recently revealed on Twitter that he ported Microsoft's antivirus software Windows Defender to Linux for fuzzing. "The intention is to allow scalable and efficient fuzzing of self-contained Windows libraries on Linux," Ormandy explained in a post on GitHub. "Good candidates might be video codecs, decompression libraries, virus scanners, image decoders, and so on." C++ exception dispatch and unwinding work for this technique, as well as loading additional symbols from IDA, debugging with gdb, breakpoints and stack traces, runtime hooking and patching, and support for ASAN and Valgrind to detect subtle memory corruption bugs. "Distributed, scalable fuzzing on Windows can be challenging and inefficient," Ormandy wrote. "This is especially true for endpoint security products, which use complex interconnected components that span across kernel and user space. This often requires spinning up an entire virtualized Windows environment to fuzz them or collect coverage data. This is less of a problem on Linux, and I've found that porting components of Windows Antivirus products to Linux is often possible. This allows me to run the code I'm testing in minimal containers with very little overhead, and easily scale up testing."
