The data breach at Target in November could have been averted, or at least mitigated, if the alerts produced by the retailer’s $1.6m security system hadn’t been initially dismissed.
The breach, the sixth largest in history, saw the loss of 40 million payment card details in addition to 70 million other personal records, which has prompted many to question whether companies are doing enough to safeguard important data.
Speaking about the organisation’s security team yesterday, Target spokeswoman Molly Snyder said that the company logs a huge number of events each week and that,
“a small amount of activity was logged and surfaced to our team. That activity was evaluated and acted upon. Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different.”
According to a Bloomberg BusinessWeek report, Target were using a newly installed network monitoring tool at the time of the attack. The $1.6m system, provided by FireEye, alerted staff that there was malware on the system on two separate occasions prior to the actual breach occurring. Those alerts were picked up by security personnel in Bangalore, India, who forwarded them to the retailer’s headquarters in Minneapolis, but no further action was then taken.
It seems likely, had the alerts received the attention that we now know they merited, that Target would have had several options for dealing with the threat which would have likely prevented the breach altogether, or at least mitigated its impact.
Also, the monitoring system installed by FireEye could have been used to neuter the attack, but this did not happen: the capability was not operational at the time because the installation was new and had yet to be tested.
So it looks like Target probably had the technological capabilities to detect and prevent (or at least minimise) the data breach. The reasons why they didn’t aren’t technical in nature, though, and show why the human element remains key within any organisation.
The Target breach should, hopefully, serve as a wake-up call to other retailers in the US to ensure that their defences are robust and, more importantly, that their staff are well trained and security aware enough to recognise signs of intrusion, deal with alerts and actually use the technology at their disposal to deal with any threat.
And, if anyone thinks this is a US-only problem, think again.
As Neira Jones said earlier this week (see her excellent post here):
“Will a retailer data breach happen in the UK/ Europe? Yes, absolutely: e-commerce sites are still a relatively easy target for criminals, but we probably won’t get to hear about it much as disclosure laws are somewhat different over here (that is until the EU data protection regulations come into force…).”
And, just to drive the point home, here is an excerpt from a Facebook posting made by UK retailer Morrisons this very morning:
“We are extremely sorry to inform you that there has been a theft of colleagues’ personal information, which was uploaded onto a website… The information included names, addresses and bank account details of colleagues. This affects colleagues from all levels of the organisation.”
Have you assessed your organisation’s security recently and do you have a pre-planned response should your business become the next victim of a data breach?