Lessons Learned From The Target Breach
Pravin Kotheri, Founder and CEO, CipherCloud
For Target, the dust still hasn’t settled after its massive 2013 data breach. Months after the theft of 40 million customer credit and debit card numbers and the names and contact information of up to 70 million people, Target is still suffering the consequences. The latest consequence involves a number of lawsuits against the retailer by small banks looking to recover their losses.
According to the Wall Street Journal’s Joel Schectman, “So far, seven financial institutions have filed class action suits against Target alleging the retailer didn’t adequately protect customer data.” The litigation will make the data breach even more expensive for Target than it already is.
For Target, the focus shifted to damage control some time ago. But for enterprises that secure customer, payment, and transaction data in compliance with PCI DSS and other data privacy regulations, the focus now should be on learning. The Target data breach offers a several valuable lessons.
Lesson One: Invest in protection now, or pay the price later (and more)
Data breaches are costly. In addition to fines of anywhere from $5,000 to $100,000 per payment brand, per month for PCI compliance violations, data breaches may also trigger lawsuits from other affected entities, as the litigation against Target shows. In Target’s case, banks claim that they might have to “pay millions of dollars to reissue compromised cards and repay customers whose accounts were struck with fraud” thanks to Target’s failure to prevent the data breach, Schectman reported.
The banks may also choose to sue for lost business due to customer reluctance to make card purchases after the breach. And speaking of business lost, Target’s sales have been hit hard enough for the company to “cut its profit forecast,” according to the Financial Times. Target may be able to absorb the damage and eventually recover, but can you imagine the damage a similar incident could do to your brand or reputation? Better never to have to find out.
Lesson Two: Protection must be comprehensive–no point solution is a silver bullet
Lost among the talk of Target’s losses is any definitive answer on how the breach happened in the first place. Experts have posited a few compelling theories, each with their own lesson to impart.
The network segmentation theory.
According to Computerworld, the Target data breach “may have resulted partly from the retailer’s failure to properly segregate systems handling sensitive payment card data from the rest of its network.” Security blogger Brian Krebs claims to have traced the break-in back to login credentials stolen from an HVAC company with access to Target’s network. What this teaches us is that network segmentation and tightly controlled access to sensitive data are critical. The “HVAC company” in question was authorized to access Target’s network to carry out “tasks like remotely monitoring energy consumption and temperatures at various stores.” Why did its login credentials grant access to payment card and customer information?
The takeaway is: Lock your sensitive data down so that stolen logins don’t become a disaster. This is especially important in cloud environments, in which you may be sharing network and data center resources with other organizations entirely.
The malware theory.
Many analysts and experts say malware was most likely to blame for the Target data breach, whether that malware infected Target’s network itself or the Point of Sale (POS) terminals that originally captured the stolen card information. This highlights an important point: malware defense is a critical part of your overall data protection strategy. Technologies like encryption, key management, tokenization, and DLP get more attention, but you need robust and up-to-date antivirus and malware prevention measures on your endpoints to stay safe from hackers, too. When endpoints can access the cloud, this becomes even more crucial, as infection points and vectors multiply.
The dust still hasn’t settled from the Target data breach. More revelations are likely to come, and it wouldn’t be a surprise to read about more bad news for Target’s bottom line. In the meantime, organizations must take a long hard look at their own security postures, particularly when it comes to how they manage employee access and sensitive data in cloud environments.
What lessons have you learned from the Target breach? Let us know in the comments.
About the author:
Pravin Kothari is a security visionary with more than 20 years of experience building industry-leading companies and bringing innovative products to market. Pravin was the founder CTO of Agiliance, a leading Security Risk Management company, and co-founder VP Engineering of ArcSight, a leading security company, which was acquired by HP for $1.6 billion. He holds over a dozen patents in security technologies and is the inventor behind CipherCloud’s groundbreaking cloud encryption technology.