About Target
Target Corporation was incorporated in Minnesota in 1902 and currently offers everyday essentials
and fashionable differentiated merchandise at discounted prices. Target relies
strongly on its technology infrastructure to deliver a preferred shopping experience.
Prior to the first quarter of 2013, Target operated in the US credit card
segment, providing credit to its Guests. Additionally, until January 15, 2015
Target also operated within the Canadian segment (Target Corporation, 2015).
About the data breach
During the fourth quarter of 2013, Target experienced a significant data breach which impacted
its ability to handle customer enquiries, resulting in weaker than expected
sales along with the loss of certain payment card and guest information from
its network (Target Corporation, 2015). The information which
was taken included names, email addresses, phone numbers or mailing addresses
and affected up to 70 million individuals. Additionally, the breach
impacted approximately 40 million credit and debit card accounts (corporate.target.com, n.d.).
Short term effects
From Target’s perspective, as of January 31, 2015 the financial impact of the data breach
was costly, as it had incurred net cumulative breach expenses of $162 million.
In addition, fraudsters and scam artists were using the opportunity to target
Target’s customers via various attack vectors such as phishing, social
engineering, smishing and pretexting. Target also took a number of
initiatives: enhancing monitoring and logging, creating application whitelisting
of point-of-sale systems, implementing enhanced segmentation, reviewing and
limiting vendor access, resetting passwords of 445,000 within its
infrastructure, and broadening the use of two-factor authentication (corporate.target.com, 2014). All these initiatives may be part of the $162
million Target spent as a result of the data breach.
Even though the
above is directly related to Target, the short term effect on the industry has
seen more companies allocate resources towards preventing, detecting and
resolving cyber breaches. Cyber Security budgets have increased by 34 percent,
with fifty percent of this going towards Security Incident and Event Management
(SIEM) tools, forty eight percent to Endpoint Security, forty four percent
going to Intrusion Prevention and Detection technologies and thirty eight
percent towards encryption and tokenization (Ponemon, 2015). While companies have also focused
on technologies, senior management in general has shown extremely high concern
about cyber security incidents (Ponemon, 2015).
While companies
may be in a position to implement new processes and hire new people to deploy
and/or maintain the latest and/or greatest technologies, the same cannot be
readily said about individuals. In the short term, individuals need to be
vigilant when receiving any communications purporting to be from Target and/or
any other breached entity. As stated above, fraudsters have chosen techniques
such as phishing, social engineering, smishing and pretexting to dupe potential
victims. Individuals may help to protect themselves by, at a minimum, having all
patches and relevant updates installed on their computer, while also having
up-to-date antivirus or other anti-malware tools.
Long term effects
In the long term,
greater effort would be placed on the strategic importance of IT security to
the operations of the companies. This would result in more focus being placed
on the people and the process rather than on the technology. As an example,
companies are now focusing on the creation of an Incident Response Team,
training and awareness activities, measurement of data security effectiveness,
policies and procedures along with specialized education for IT security staff (Ponemon, 2015).
In addition, as in
the case with Target, companies may face court action from customers, card
issuing banks, shareholders and/or other individuals seeking relief (Target Corporation, 2015).
While it is
expected that companies will continue to invest in people, processes and
technologies, they will also look into buying insurance to cover any costs
which may be associated with a data breach on their infrastructure. Target
maintains $100 million of network security insurance coverage, above a $10
million deductible. It is believed that this coverage, along with other
insurance, may reduce its exposure to cyber attacks (Target Corporation, 2015). In the next 5 years
a larger number of services will be conducted online. This increase in online
activity will result in more companies looking to lower the risk from cyber
attacks (ibisworld.com, 2014).
More importantly,
as hacks similar to Target's continue to occur, greater efforts will be made
towards information sharing, so as to reduce the probability (and effects) of
breaches propagating beyond their initial target. In his Cyber Security
Legislative Proposal, President Obama has included voluntary information
sharing with Industry, States, and Local Government as one of the key methods
for protecting the security of the United States (US) digital infrastructure (whitehouse.gov, 2011).
Finally and most
importantly, governments can and may enact laws which control how companies
respond to data breaches. At present, a number of US states and some of its
territories have enacted data breach laws, which dictate who must comply with
the law, what constitutes a breach, and the requirements for notice, along with
exemptions (ncsl.org, 2015). At the federal level, the proposed Data
Security and Breach Notification Act of 2015 requires entities that own or
possess data in electronic form containing personal information to notify
affected individuals and a designated government entity (FTC, Secret Service, FBI, Attorney General, etc.)
no later than 30 days after the date of discovery of a breach. In the event of
a breach, any individual who intentionally and willingly conceals the fact that
a breach occurred, where there is damage greater than $1000, may be fined and/or
imprisoned for not more than 5 years (congress.gov, 2015).
Conclusion
In the long term,
hacks like Target's will cause both individuals and companies to place more
attention on cyber security. Companies, though, will be the ones that ultimately
need to make the investments to secure our personal data. The world is becoming
more networked and big data is the ultimate objective for most of these
companies. The more data they have, the more companies can predict your next
move. However, how they protect this data will be the ultimate concern. Action
by governments is needed to ensure that all companies respond consistently
whenever a breach occurs.
References
congress.gov. (2015, 1 13). S.177 - Data Security and Breach Notification Act of 2015. Retrieved from https://www.congress.gov/bill/114th-congress/senate-bill/177/text
corporate.target.com. (2014, 04 29). updates on Target’s security and technology enhancements. Retrieved from corporate.target.com: https://corporate.target.com/discover/article/updates-on-Target-s-security-and-technology-enhanc
corporate.target.com. (n.d.). data breach FAQ. Retrieved from corporate.target.com: https://corporate.target.com/about/shopping-experience/payment-card-issue-faq
ibisworld.com. (2014, 08). Cyber Liability Insurance in the US: Market Research Report. Retrieved from ibisworld.com: http://www.ibisworld.com/industry/cyber-liability-insurance.html
ncsl.org. (2015, 12 1). Security Breach Notification Laws. Retrieved from http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
Ponemon. (2015). 2014: A Year of Mega Breaches. Ponemon Institute LLC.
Target Corporation. (2015). Annual Report. Minneapolis.
whitehouse.gov. (2011, May 12). FACT SHEET: Cybersecurity Legislative Proposal. Retrieved from https://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal