As Marc mentioned yesterday, Target announced a data security breach involving its point of sale systems that may have affected as many as 40 million customers. While the investigation and the incident itself are both still in their early phases, I took a look at what can be learned from this incident so far:
What's going on now?
Target appears to have taken swift action to secure evidence, identify the potential vulnerability, and mitigate future risks to its systems and customers. Reportedly, the firm has engaged a forensics team to manage the investigation process, which is extremely important in containing any data breach incident. Target has also quickly engaged law enforcement, and the US Secret Service has stepped in under its Title 18, Sections 1029 and 1030 authority (access device fraud and computer fraud, respectively) to investigate financial and computer crimes. As Marc indicated in his blog posting yesterday, this may have been a man-in-the-middle attack, or an issue related to the retailer having a vulnerability in a database that contained massive amounts of card data, beyond what it should have been storing at all. The outcome of the investigation will be insightful for future prevention.
Target also has obligations under various state data breach notification laws to notify potentially impacted customers. These laws vary from state to state (in what counts as personal information, who must be notified, and how quickly), so it is important to understand in advance what your firm would have to do when reporting a data loss incident.
Beyond the data loss, what risks are being managed by Target?
Target is also working quickly to protect its brand and reduce the reputational risk associated with the breach. The damage to its reputation has the potential to be worse than the direct monetary loss. Target's CEO Gregg Steinhafel has made comments to the media to reassure customers and shareholders that the company is working diligently to mitigate the incident, saying "Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence."
The breach's reputational risk has in turn created financial risk in the form of an immediate decline in the stock price. When the market opened on Thursday, Target shares (NYSE:TGT) opened at $62.22, down $1.30 from Tuesday's close. Did Target's quick response to the media help lessen the blow to its financials? Time will tell, but it is something to consider.
What can retailers and other businesses do in the near term?
Data breaches are complex, and are often carried out by actors who operate in organized teams, frequently spread across the globe. In my opinion, Target stores would be a "hard target" in terms of their loss prevention operations and mature business processes, but they are also an attractive mark because of their large national footprint. "Brick and mortar" retailers have been common victims in the past, as evidenced by these recent and major events:
- 2013: Long Island Railroad: Point of Sale ticket machine compromises
- 2012: Penn Station East Coast Subs: 80 restaurants had point of sale breaches
- 2007: TJ Maxx retailer: Wireless network breached to attack point of sale systems
At this point we don't know specifically which vulnerabilities were exploited, nor am I attempting to "Monday morning quarterback" Target's security. It is reasonable to assume that the actors involved in the Target data breach were sophisticated, and the investigation and lessons learned will be extremely important for the payment card industry. Below is a list of generally accepted best practices to help businesses of all sizes take the basic precautions that reduce the likelihood of becoming a victim:
- Ensure all employees with access to point of sale systems have proper background checks and verifications.
- Restrict access to point of sale systems and ensure that employees maintain close control of card readers and devices to reduce the likelihood of tampering (skimmers and swapped readers are a common attack on unattended terminals).
- Ensure that point of sale hardware is procured from known suppliers and firms. Also vet the technology support teams that maintain these systems, since they typically hold privileged access.
- Engage IT security teams to perform an assessment of your networks to ensure wireless networks are both encrypted with a current standard (WPA2, not the WEP that the TJ Maxx attackers defeated) and segregated from POS networks, so that a compromised wireless client has no route to a terminal (a lesson learned from the TJ Maxx data breach).
- Have staff or firms on hand to manage your crisis and reputational risks. As seen with Target, it is critical to have a media and communications strategy before an incident occurs.
- Keep a data forensics and response firm on retainer to respond quickly to confirmed and alleged data breaches.
- Be aware of the threat landscape and environment. Remain active and engaged in industry forums and associations.
- Depending on the size of your firm, consider hiring an Information Security Officer who can design policy and implement procedures to help manage data and information security risks.
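The segmentation item above is the one that can be checked mechanically rather than by policy alone. The following is an added example, not code from the original post or from MSA Security: it models a store firewall as an ordered first-match rule list and probes whether any host on the wireless VLAN can reach any host on the POS VLAN. The subnets, rule sets, and ports are constructed for illustration and do not describe Target's or any real network. The "weak" policy shows the classic mistake of a broad wireless-to-internal allow rule placed above the POS deny, which silently shadows it.

```python
"""Constructed example: does the wireless VLAN have any path to the POS VLAN?

Models a firewall as an ordered list of rules (first match wins, default
deny) and probes representative flows. Addresses and rules are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None means any port
    action: str            # "allow" or "deny"

# Constructed subnets: store wireless (guest + handheld scanners) and POS terminals.
WIRELESS_NET = ip_network("10.20.0.0/16")
POS_NET = ip_network("10.99.0.0/24")

# Weak policy: the broad wireless-to-internal allow sits ABOVE the POS deny,
# so the deny never matches for wireless sources.
WEAK_POLICY = [
    Rule("10.20.0.0/16", "10.0.0.0/8", None, "allow"),
    Rule("0.0.0.0/0", "10.99.0.0/24", None, "deny"),
]

# Hardened policy: POS talks only to the (hypothetical) payment gateway on 443,
# everything else into the POS VLAN is denied before the wireless allow is reached.
HARDENED_POLICY = [
    Rule("10.99.0.0/24", "10.50.0.10/32", 443, "allow"),   # POS -> payment gateway
    Rule("10.50.0.10/32", "10.99.0.0/24", 443, "allow"),   # gateway -> POS (stateless firewall)
    Rule("0.0.0.0/0", "10.99.0.0/24", None, "deny"),       # nothing else reaches POS
    Rule("10.20.0.0/16", "10.0.0.0/8", None, "allow"),     # wireless to the rest of the store
]

def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> str:
    """First-match evaluation of a flow; default deny when no rule matches."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy:
        if s in ip_network(r.src) and d in ip_network(r.dst) and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"

def wireless_can_reach_pos(policy: List[Rule],
                           probe_ports: Tuple[int, ...] = (22, 445, 3389, 5900, 8080)
                           ) -> List[Tuple[str, str, int]]:
    """Return every probed (src, dst, port) flow from the wireless subnet that
    the policy allows into the POS subnet. An empty list means segmentation holds.

    Probes the first and last usable host of each subnet so a rule that only
    covers part of a range is still caught.
    """
    def edge_hosts(net):
        return [str(net[1]), str(net[-2])]
    leaks = []
    for s in edge_hosts(WIRELESS_NET):
        for d in edge_hosts(POS_NET):
            for p in probe_ports:
                if evaluate(policy, s, d, p) == "allow":
                    leaks.append((s, d, p))
    return leaks

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        leaks = wireless_can_reach_pos(policy)
        print(f"{name}: {len(leaks)} wireless->POS flows allowed")
        for flow in leaks[:3]:
            print("  leak:", flow)
```

Running this against the weak policy reports allowed flows on every probed port; against the hardened policy it reports none, while the POS-to-gateway path on 443 still works. The same model can be fed an exported rule set from a real firewall, which is a cheap way to validate the segmentation assumption before an assessment team arrives.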
Links and Resources:
Privacy Rights Clearinghouse: http://www.privacyrights.org/data-breach
Data Breach Notification Laws: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
MSA Security's experienced specialists provide a wide range of services to our clients, including the forensic examination of computer systems, servers, mobile devices, and other electronic media, as well as expert testimony in formal legal proceedings. For more information, contact MSA Security.