As the dust continues to settle after Target’s massive holiday-season data breach, let’s look at what Target did wrong and how other enterprises can avoid the same mistakes.
PCI compliance is typically top of mind for organizations looking to prevent the theft of their customers’ protected credit and debit card information, and from the looks of it, Target was actually on top of their compliance game. In a statement issued to writers at Bloomberg Businessweek, Target Chairman, President, and CEO Gregg Steinhafel said that “Target was certified as meeting the standard for the payment card industry (PCI) in September 2013.” And yet hackers were still able to pull off the biggest retail data breach in history. Why?
An examination of what happened reveals the answer, and it’s disturbing.
The actual mechanism of the attack is nothing to write home about. At the heart of the attack was some fairly garden-variety malware and an approach that Businessweek characterized as “conventional.” Target’s FireEye malware detection software actually caught it. Not only did FireEye detect the malware, but it actually alerted both Target’s Bangalore and Minneapolis security teams.
So what happened?
Simple human error. Time after time, the Minneapolis security operations team failed to respond to the alerts, according to Businessweek’s sources. Detected but not addressed, the hackers’ exfiltration malware nestled cozily into Target’s systems, and, as Businessweek reports, “Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.” Investigations into the breach, and the roles that individuals played in allowing it to happen, are still ongoing, but it seems clear that human interaction is at the heart of the disaster.
The lesson to be learned from the Target breach is simple: the more human interaction a security strategy requires, the more likely it is to fail. By now, security systems like FireEye’s, and like most other antivirus, malware protection, and DLP solutions, are excellent at giving alerts. Where the system breaks down is when humans must interpret those alerts and choose whether to take action. What enterprises need are data protection systems that rely on policy-based automation to respond to alerts and threats. When CipherCloud’s cloud information protection platform spots a DLP violation, it doesn’t just create an alert and rely on a person to take action. Instead, it automatically takes action to address the issue in less time than it would take a human to respond.
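To make the policy-based automation argument concrete, here is an added example (not CipherCloud’s platform, not Target’s tooling, and not code from the original post) of the two behaviours the paragraph calls for: an alert triggers a pre-decided response the moment it arrives, and an alert that no analyst claims within a deadline escalates on its own instead of waiting in a queue. The rule names, detector sources, hostnames, the 30-minute acknowledgement window and the sample alerts are all constructed for the illustration.

```python
"""Policy-driven alert handling (added illustration, hypothetical names throughout).

Idea 1: every alert maps to automatic actions chosen in advance, so nobody has
        to interpret it before something happens.
Idea 2: an alert nobody acknowledges within the SLA escalates by itself.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
ACK_SLA_SECONDS = 30 * 60  # assumed: unacknowledged alerts escalate after 30 minutes


@dataclass
class Alert:
    alert_id: str
    source: str        # detector that raised it, e.g. "malware-detection" or "dlp"
    severity: str      # "low", "medium", "high" or "critical"
    host: str
    raised_at: float   # unix seconds
    acknowledged_at: Optional[float] = None  # set when an analyst claims the alert


@dataclass
class Response:
    alert_id: str
    actions: List[str] = field(default_factory=list)
    escalated: bool = False


# Ordered policy: the first rule whose source and minimum severity match wins.
# The final catch-all guarantees that every alert is at least recorded.
POLICY = [
    {"source": "malware-detection", "min_severity": "high",
     "actions": ["isolate_host", "block_outbound_from_host", "open_incident"]},
    {"source": "dlp", "min_severity": "medium",
     "actions": ["block_transfer", "open_incident"]},
    {"source": "*", "min_severity": "low", "actions": ["record_only"]},
]


def matching_actions(alert: Alert) -> List[str]:
    """Return the automatic actions the policy prescribes for this alert."""
    for rule in POLICY:
        source_ok = rule["source"] in ("*", alert.source)
        severe_enough = SEVERITY_RANK[alert.severity] >= SEVERITY_RANK[rule["min_severity"]]
        if source_ok and severe_enough:
            return list(rule["actions"])
    return []


def handle(alert: Alert, now: float) -> Response:
    """Apply the policy immediately; escalate medium-or-worse alerts that
    no human has acknowledged within the SLA."""
    response = Response(alert.alert_id, matching_actions(alert))
    unacknowledged = alert.acknowledged_at is None
    overdue = now - alert.raised_at > ACK_SLA_SECONDS
    worth_paging = SEVERITY_RANK[alert.severity] >= SEVERITY_RANK["medium"]
    if unacknowledged and overdue and worth_paging:
        response.escalated = True
        response.actions.append("page_on_call")
    return response


def run_sample() -> Dict[str, Tuple[List[str], bool]]:
    """Constructed alerts: a high-severity malware hit left unacknowledged for an
    hour, a DLP hit claimed within five minutes, and a low-severity noise alert."""
    t0 = 1_700_000_000.0
    alerts = [
        Alert("A-1", "malware-detection", "high", "pos-register-17", t0),
        Alert("A-2", "dlp", "medium", "fileshare-03", t0, acknowledged_at=t0 + 300),
        Alert("A-3", "malware-detection", "low", "kiosk-02", t0),
    ]
    now = t0 + 3600
    return {r.alert_id: (r.actions, r.escalated) for r in (handle(a, now) for a in alerts)}


if __name__ == "__main__":
    for alert_id, (actions, escalated) in run_sample().items():
        print(alert_id, actions, "ESCALATED" if escalated else "")
```

The point of the ordering is that the containment actions for `A-1` fire at `raised_at`, regardless of whether anyone ever looks at the alert; the page-out is an additional safeguard for the case the post describes, an alert that was raised correctly and then ignored.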
Target has learned its lesson the hard way. The attack has already cost the retailer $61 million and left it battling over 90 lawsuits alleging negligence and demanding compensatory damages. For other organizations, however, it may not be too late. If you want to truly secure your enterprise’s and customers’ data, you must look beyond PCI compliance. Automated systems that take the work out of the fallible hands of humans will provide better protection than even the biggest SOC could.
Has your organization begun considering any changes in the wake of the Target breach? Tell us about your experiences in the comments.