Abstract
In this chapter, we cover the 2013 Target breach when hackers exfiltrated over 40 million credit card numbers and the JPMorgan Chase (JPMC) breach of 2014 when attackers stole the names and email addresses of over 70 million customers. We cover these two mega-breaches together because, in part, both were caused by third-party compromises. An organization may have to work with many third parties, including developers (as Cambridge Analytica was to Facebook), acquisitions (Marriott acquiring Starwood Hotels), and customers (Dun & Bradstreet providing customers data on businesses). As business models evolve to support more open “platforms,” we can expect to see the reliance on third parties continue to increase, which makes the lessons from this chapter relevant and applicable. In the case of Target and JPMC, both were initially breached through a third-party supplier. The Target and JPMorgan Chase breaches were also significant because they were the first two mega-breaches, in which tens of millions of records were stolen in one shot, that took place starting in 2013 and 2014.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
We cannot know for sure if the attack on Fazio Mechanical led attackers to victimize Target or whether Target was the initial mark. In the former case, attackers most likely cast a far and wide net when running an email malware scam to then see what victims look like promising leads. The second scenario is that attackers initially went after Target because it is a large retailer that had publicly exposed plenty of internal documentation.
- 2.
Note that all of Target’s public vendor pages have been taken down or are now privately hosted since the breach in 2013. Some of the URLs Target previously used are listed as follows. Spot a pattern?
- 3.
Target’s Supplier Portal: https://extpol.target.com/SupplierPortal/index.html
Target Facilities Management: https://extpol.target.com/SupplierPortal/facilitiesManagement.html
List of Target’s Vendors: https://extpol.target.com/SupplierPortal/downloads.html
- 4.
Metadata is data that describes other data. For example, when you take a photo with your phone, the picture is saved along with metadata that includes the location where the photo was taken, the settings of the camera when the photo was taken, and the size and resolution of the photo. If you use Google Photos, you can see all this metadata by viewing the details of the photo. In the case of a Microsoft Excel file, metadata can include when the file was created, when it was last edited, and who last edited the file.
- 5.
An Active Directory is a live directory or database that stores information such as user accounts and other sensitive data. Active directory credentials would authenticate a user to access the said active directory.
- 6.
Aorato’s analysis of the breach matches with details of the breach provided by Krebs on Security insider sources.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
A website certificate verifies the identity of a website to its visitors. A valid website certificate also allows for a secure transfer of data between a website visitor and the website. Data is securely transferred using the HTTPS protocol, which you will see at the beginning of your URLs.
- 14.
Two-factor authentication requires a user to authenticate themselves with not only their username and password but also a one-time second verification code. This could be a text message with a six-digit code or a notification on a trusted device that requires a user to click a button.
Author information
Authors and Affiliations
Rights and permissions
Copyright information
© 2021 Neil Daswani and Moudy Elbayadi
About this chapter
Cite this chapter
Daswani, N., Elbayadi, M. (2021). The Target and JPMorgan Chase Breaches of 2013 and 2014. In: Big Breaches. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-6655-7_8
Download citation
DOI: https://doi.org/10.1007/978-1-4842-6655-7_8
Published:
Publisher Name: Apress, Berkeley, CA
Print ISBN: 978-1-4842-6654-0
Online ISBN: 978-1-4842-6655-7
eBook Packages: Professional and Applied ComputingApress Access BooksProfessional and Applied Computing (R0)