Attention Target shoppers, we regret to inform you that up to 40 million of you may have had your credit card information stolen, and up to 70 million may have had some, or all of your personal information compromised. Oops. Have a nice day.
Five Months After The Target Data Breach – Lessons Learned
Despite the bit of snark above, Target’s post-breach behavior was solid, if not exemplary. They came clean about it right away, let everyone know upfront the size, scale, and scope of the breach, provided good, solid, actionable advice on next steps, created a web page that they actually bothered to keep updating, and so on. In short, there was a lot to like about the company’s handling of the breach after it had already happened.
The problem, of course, lies in the fact that the company’s pre-breach performance was…oh, let’s use the polite word and call it “lacking.” Still, there are some lessons learned here, and we can certainly apply them to help be sure we’re not the next “Target,” and that if we are, we do something constructive about it before the fact, not after.
The Technology Worked
Target had recently installed this great security software by FireEye, and lo and behold, it worked as advertised, sending a warning to human IT folk, alerting them to some suspicious behavior on the network. Kudos to FireEye for producing a superior product.
The Human Factor
This story could have had a very different ending if the system had been automated in such a way as to lock out or escalate on its own when it detected the breach, but that was no job for computers, the company reckoned. Better, by far, to leave that in the hands of those wily humans, who are much better at making the tough calls.
There was just one slight glitch in that line of thinking. The humans who got the notification of the suspicious activity from the software? Yeah, they choose to ignore it. I guess you could say they “chose wrong,” except that with 40 million credit cards compromised and a total user impact of 70 million, “they chose wrong” just seems a bit understated. Here’s a pop quiz: Which is worse, fifteen minutes of annoyance when the company’s credit card processing system locks out until humans can assess the situation, or 70 million user accounts impacted?
You can probably work that math out in your head, and there’s really no contest. By whatever metric you choose to view the equation, any suspicious activity on the system should be investigate immediately. If it cannot be, the system should be set to lock out. There’s just no other responsible way of handling that many user accounts and that kind of transaction data. You either treat every potential threat as serious and address it on the spot, in real time, or you set your system to go into a kind of “safe mode” the moment it detects trouble that a human cannot investigate in real time. Anything less and you become the next “Target.”
No data security system is perfect. Throughout history, it has always been the case that it is easier to destroy than to create. Easier to attack than to defend. It’s no different in the digital world. A determined attacker will find a way. The best you can hope for is that when he does, you’ve got enough fail safes and contingencies in place that when he does, you can keep your people safe. That’s what’s important.