Target’s multistate settlement over its 2013 data breach outlines the kind of security measures enterprises should have in place in order not to be found negligent with customer data. The problem is, the settlement doesn’t go far enough to improve organizational security. For the proactive CSO, the settlement should be read as the bare minimum, not as something to aspire to.
Tom Kellermann, CEO of Strategic Cyber Ventures and the former CEO of Trend Micro, called the terms a “slap on the wrist” for Target and said they were insufficient because they focus on keeping attackers out rather than on improving response. Modern security needs to focus on reducing the time between compromise and detection, and on making it harder for attackers to carry out their operations once inside. While network segmentation and two-factor authentication will slow down attackers, the bulk of the terms are still defensive in nature.
“They [settlement terms] represent yesterday's security paradigm,” Kellermann said.
To briefly recap, criminals stole credentials from a third-party HVAC vendor and gained access to Target’s network, and then proceeded to infect payment systems with data-stealing malware just before the beginning of the holiday shopping season back in 2013. The malware skimmed credit and debit card information belonging to about 40 million consumers, along with personally identifiable information (PII) for 70 million people. While Target’s security systems had detected the breach, no one understood the significance of, or acted upon, the alerts, resulting in the massive data breach.
To its credit, Target has since toughened its security posture and made significant improvements, and many in the industry tout the retailer as a good example of how to recover from a data breach. The settlement gives Target 180 days to “develop, implement, and maintain a comprehensive information security program,” but most of the terms refer to changes the retailer has already adopted.
"[The] settlement with Target establishes industry standards for companies that process payment cards and maintain secure information about their customers," Illinois Attorney General Lisa Madigan said in a statement.
The reference to industry standards suggests that future breach-related lawsuits may use the Target settlement to try to prove that an organization did not go far enough in protecting personal information and other sensitive data. The settlement reiterates some of the basics, such as having a comprehensive security program, segmenting the network, and implementing stricter access control policies for sensitive networks and data.
“All organizations that store valuable data need to implement a comprehensive security program that includes continuous risk assessments and a responsible executive that is accountable and actively involved in the program,” said Steven Grossman, vice-president of strategy at Bay Dynamics.