By Lauren Camper, Benjamin Crump, Ryan Goodman

A security breach is something that we all try not to think about. We put
sensitive information in our cell phones and hope that nobody can hack into
them and steal the information. We purchase items online with our credit cards
while hoping that our personal information is safe. Everybody knows that there
is a risk involved when using personal information on any internet-connected
device. The same does not hold true, however, for brick and mortar purchases.
Over the last several years, it has been a rare occasion that I have thought
about the possibility of having my personal information stolen subsequent to a
purchase at a brick and mortar store such as Target. Even if it does become
something that we think about on a regular basis, there really is nothing that
can be done, as a consumer, to prevent such risk except to pay for everything
with cash. As cash seems to be a dying part of the past, a sudden resurgence in
cash purchases seems unlikely. The reality that we face now is that our
information is always at risk; we just need to be prepared in case it is
stolen. If you shopped at Target in December of 2013, then your
credit card information might have been stolen by hackers who gained entry into
Target's information systems. According to Target's own website, up to 70
million individuals' personal information may have been stolen ("Payment
Card Issue FAQ", n.d.).
In early December 2013, hackers somehow managed to install a form of malware in
Target's network. Unfortunately, this opened a hole that the hackers were able
to exploit so that they could steal private customer information ranging from
credit card information to addresses and other personal information
("Payment Card Issue FAQ", n.d.). According to an article in
Businessweek, the Department of Justice informed Target about the breach in mid
December (Riley, 2014). Target immediately began work to seal the breach and
determine the extent of the damage. They had installed new malware-detection
software from FireEye a short time before the breach occurred. Apparently, the
system raised alarms, but they fell on deaf ears: the alerts were missed by
Target's information security team (Riley, 2014). The result of the breach was
a 46% drop in fourth-quarter profits year-over-year (Krebs on Security, 2014).
Consumer confidence in Target specifically took a nosedive. Within 6 months of
the breach, both the CIO and the CEO were ousted. This video on Bloomberg
highlights the fallout from the Target data breach: Video - Target Data Breach
Fallout.
When evaluating the issues involved with the Target data breach, it is helpful
to look at McCumber's Cube Framework, as shown below.
[Figure: the McCumber cube. Source: http://en.wikipedia.org/wiki/McCumber_cube]
The cube gives us a theoretical framework from which to evaluate Target's data
breach in terms of what went wrong and how to potentially correct it in the
future. It is apparent that Target didn’t have policies or practices in place
to monitor alerts from their brand-new FireEye malware-protection program.
Target didn’t have enough awareness, education, and training as it pertained to
their executives and senior management regarding cyber security. In terms of
what they did correctly, Target appropriately used and invested in the
technology necessary to detect the attacks, FireEye. As for the critical
characteristics of the data that was stolen, McCumber would classify the Target
breach as an issue of confidentiality. Target was not able to keep the data confidential
despite the trust that consumers placed in them. This framework highlights the
need for Target to institute specific monitoring policies and practices for the
FireEye malware-protection program, as well as the need for intensive training,
education, and awareness for all members of the company, especially senior
management.
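The missed-alert point above is a matter of process rather than product: an alert that nobody is required to acknowledge within a set time is, in practice, no alert at all. As an added illustration that is not part of the original post and has nothing to do with Target's or FireEye's actual tooling, the Python below flags alerts left unacknowledged past a hypothetical per-severity deadline so they can be escalated, and computes a simple acknowledgement rate that management can track. The alert records, the field names and the deadline values are all constructed for the example.

```python
"""Added example: escalation check for unacknowledged security alerts.

Everything here (alert fields, SLA values, sample queue) is constructed for
illustration; it is not Target's data and not any vendor's API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Alert:
    alert_id: str
    source: str                   # the tool that raised it (constructed name)
    severity: str                 # "high", "medium" or "low"
    raised_at: datetime
    acknowledged_at: Optional[datetime] = None


# Hypothetical acknowledgement SLA: how long an alert may sit unacknowledged
# by the on-duty security team before it is escalated further up.
ACK_SLA: Dict[str, timedelta] = {
    "high": timedelta(hours=1),
    "medium": timedelta(hours=8),
    "low": timedelta(hours=24),
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def age_unacknowledged(alert: Alert, now: datetime) -> Optional[timedelta]:
    """How long the alert has waited for a human; None once acknowledged."""
    if alert.acknowledged_at is not None:
        return None
    return now - alert.raised_at


def overdue_alerts(alerts: List[Alert], now: datetime) -> List[str]:
    """IDs of alerts past their acknowledgement SLA, most severe and oldest first.

    These are the ones a monitoring policy should force onto someone's desk;
    the returned order is the order in which to escalate them.
    """
    overdue = []
    for alert in alerts:
        age = age_unacknowledged(alert, now)
        if age is not None and age > ACK_SLA[alert.severity]:
            overdue.append(alert)
    overdue.sort(key=lambda a: (SEVERITY_ORDER[a.severity], a.raised_at))
    return [a.alert_id for a in overdue]


def acknowledgement_rate(alerts: List[Alert]) -> float:
    """Share of alerts that have been acknowledged at all (1.0 for an empty queue).

    A low value is the kind of number senior management should be asking about
    well before any breach is reported from outside.
    """
    if not alerts:
        return 1.0
    return sum(a.acknowledged_at is not None for a in alerts) / len(alerts)


# Constructed sample queue; timestamps are illustrative only.
NOW = datetime(2020, 6, 2, 12, 0)
SAMPLE_ALERTS = [
    Alert("A-1", "malware-detector", "high", datetime(2020, 6, 2, 9, 0)),       # 3 h, overdue
    Alert("A-2", "malware-detector", "high", datetime(2020, 6, 2, 11, 30)),     # 30 min, within SLA
    Alert("A-3", "malware-detector", "medium", datetime(2020, 6, 1, 20, 0)),    # 16 h, overdue
    Alert("A-4", "malware-detector", "low", datetime(2020, 6, 1, 13, 0),
          acknowledged_at=datetime(2020, 6, 1, 14, 0)),                          # handled
    Alert("A-5", "malware-detector", "high", datetime(2020, 5, 31, 8, 0)),      # 2 days, overdue
]

if __name__ == "__main__":
    print("escalate now:", overdue_alerts(SAMPLE_ALERTS, NOW))          # ['A-5', 'A-1', 'A-3']
    print("acknowledgement rate:", acknowledgement_rate(SAMPLE_ALERTS))  # 0.2
```

The check is deliberately simple: the value lies in running it on a schedule and routing its output to someone who is accountable for it, which is the policy-and-practice layer of the cube rather than the technology layer.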
Cyber-security is everyone’s issue. All levels of senior management should be concerned with cyber-security.
Target’s CIO and CEO are both no longer with Target as a direct result of the
data breach. According to an article by CNBC, a study done by a cyber-security
firm indicates that only 45% of senior management acknowledged that they are
responsible for protecting against cyber-attacks (Schlesinger, 2014). This is
clearly an unacceptable statistic. For senior managers (executives), everything
that happens to the firm or as a result of the firm's actions is their
responsibility. It is unfortunate that the majority of senior managers do not
feel this way. This points back to McCumber's cube framework and the need for
education, awareness, and training, especially at the senior management level.
Target has been attempting to do all they can in order to regain the confidence of the
general public. Unfortunately, as with any breach in trust, this will take
time. I am still hesitant to shop at Target because of this, even though that
might not be a rational fear. As time moves on, Target will need to find ways
to assure the public that their personal information is safe. They have begun
to take steps towards that goal by putting a rush on their chip-enabled
technology rollout to their stores ("Payment Card Issue FAQ", n.d.).
This may or may not help protect customer information in the future, but it
certainly helps to foster the public perception that personal data is being
held safely and confidentially. Perhaps actual protection is not as important
as the perception of protection, as is the case with the safety of our country.
We are never truly safe from terrorist attacks, just as we are never truly safe
from attacks on our information. As consumers, and as business managers, we
need to take all possible steps in order to minimize the impact should a breach
of information occur. Preparation could save us all a lot of time and money.
Sources:
Krebs on Security. (2014, May 14). Krebs on Security RSS. Retrieved July 19, 2014, from http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/
Payment Card Issue FAQ. (n.d.). Retrieved July 19, 2014, from https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ#q5888
Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Missed alarms and 40 million stolen credit card numbers: How Target blew it. Bloomberg Businessweek. Retrieved July 19, 2014, from http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
Schlesinger, J. (2014, May 11). Painful lessons from Target's massive data breach. CNBC.com. Retrieved July 19, 2014, from http://www.cnbc.com/id/101650707#
Target's data breach: What went wrong? [Video]. (2014, June 3). Bloomberg.com. Retrieved July 19, 2014, from http://www.bloomberg.com/video/target-s-data-breach-what-went-wrong-lRqQ2owdQsal8Wok1eYbpw.html
Many points in this blog are truly valid and to the point. Target was hacked by a malware called BlackPOS, a Point Of Sale malware that collects credit card data. It is reported that this malware was developed by a 17-year-old Russian teenager (CNN.com), a quite astonishing fact. Target was complacent in ignoring the signs from a system that apparently worked. Had the Department of Justice not alarmed Target, how much more damage could have occurred? Other retailers also fell victim to similar hacking; Neiman Marcus and Michael’s also experienced the same hacks.
Executives sometimes view IT as unimportant or as a cost center. Not to say that this is the culture at Target. But as stated in the blog, this is the part where education plays an important role. This may be difficult to do with executives who drive strategic plans, since it is typically hard to get a block of their time, let alone convince them to change their mind about business practices. But when the opportunity exists, one should incorporate McCumber's cube to ensure comprehensive coverage of the issue at hand and to use it as a great facilitator to get the frameworks across.
Source: Retrieved on July 28, 2014 from http://www.cnn.com/2014/01/20/us/money-target-breach/
Hey Zaki,
Thanks for the comment. I think that you hit the nail on the head when you mentioned that executives sometimes view IT as unimportant or as a cost center. This absolutely seems to be the truth. And, to be honest, it could be considered a cost center. However, I think the more accurate classification would be an investment center, seeing as IT incorporates both capital investments and expenses. Like you said though, it is important that executives understand the importance of IT as a driver of the business. In the case of Target, it seems like senior management was not in tune with how important information security truly is to the business. This is clearly demonstrated by the lack of education, training, and awareness outlined in McCumber's cube.