Case Overview
This attack started from stealing credentials from a vendor, using them to install malware on around 7500 self-checkout POS terminals and then stealing data. Went unnoticed for 5 months (April - Septemper 2014) and grabbed the data from 56 million credit and debit cards (useful for identity theft) and 53 million emails (useful for phishing). Investigation started on September, 2nd and on 8th indicated that the system was breached. They also offered free credit services to affected customers who use their payment card as early as April of 2014, and apologized for the data breach.
Step 1.
Windows 0-day vulnerability that allowed them to pivot from the vendor.
Lessons Learned
No regular patch management and no regular scans. Wrong configurations: the PoS systems should have been isolated. Also, they still used Windows XP whitch is higly insecure. Vendor credentials were not properly managed, i.e. should have allowed minimum access. Lack of good monitoring (5 months they remained unnoticed).
Cost: $19,5 payout to customers. $134.5m to credit card companies and banks. Total cost $179m + legal fees.
Chip-and-PIN cards now have a security chip along with the magnet stripe. Promotion of Apple 🍏 and Google Pay. Additional P2P encryption.
References
[1] IBM course