Target

Target data loss woes

Even though the hack occurred in 2013, it wasn't until the following year that the full extent and the ramifications became known to the wider public. So far the toll stands at: the CIO and the CEO, $148M USD, 40M credit card details, and personal information on up to 70M US consumers.

The worst of it was that Target had the hardware and the infrastructure; they had spent 1.6M USD on security tools, including an intrusion detection system that was installed and configured correctly. BUT they failed to act on the alarms from at least two different systems over a period of weeks following the initial infiltration, during which alerts were suppressed and ignored. This was the period in which credit card details and personal information were exfiltrated to different countries. It was only when US federal law enforcement informed them that suspicious card transactions had been noticed that Target took action, announcing the data breach and hiring a data forensics team.

The failure was not a lack of resources or insufficient deployment of technical apparatus; they were also PCI compliant at the time. The root cause was governance: although the tools and structure were in place to detect, monitor and halt malware and data leakage, the wherewithal to act upon the alerts was not instilled in management. The shortfall is rooted in the culture of security operations, and ultimately the accountability lies with the CIO.


Further reading

Loss of 148M USD and counting…

Business Week’s report

CEO resigns

CIO resigns

Target’s PCI QSA is sued by banks