In December 2013, just in time for the Christmas shopping frenzy, we learned of the data breach at Target.
Millions of credit card numbers were stolen, along with many millions more pieces of customer data. It was staggering news fodder for a while.
However, what has been learned about this “largest data breach in US history” over the months since is that the organization made mistakes in how it handled the breach. Other organizations should take heed of these and try to avoid similar misfortunes.
Don’t ignore warning signs:
That’s why they’re called warning signs. Six months before the breach, Target installed a $1.5 million malware detection tool, similar to what the CIA and Pentagon use. Well, that should be secure, right? Target also has an off-shore team in Bangalore that monitors its systems 24/7 and alerts HQ to anything suspicious. HQ was notified three times about funny business – Nov. 30, Dec. 2, and Dec. 12 – before it finally acted. A detection tool only buys you time; that time is wasted if nobody is on the hook to act on the alert.
Customers weren’t notified fast enough:
In fact, customers were notified personally more than a month after a press release was issued. Of course, that left them wondering whether they had been victims without knowing it for more than a month beforehand. A frightening prospect.
After customers were informed, they still didn’t know the full extent:
We initially learned from Target on Dec. 19 that 40 million credit and debit cards were affected. Then on Jan. 10 Target disclosed that the personal information of up to 70 million customers had also been taken: names, phone numbers, email addresses, and mailing addresses. A substantial addition that affects many more people, and one that was not part of the original announcement. How convenient that the Christmas shopping season was over by then.
Did they ever really say sorry?:
It’s a cardinal rule we learn growing up. And as a consumer, you want to know that the big corporations are sorry for slipping up like this. Is Target really sorry? One would hope so, but you sure don’t feel like they care when they ignore warning signs, hold back facts, and then reluctantly inform customers after being pressured to do so. And yet we still make our weekly shopping expedition there, and for us Canadians, we make our token pit stop at the nearest “Tar’shay” when we’re south of the border.
Dumping money into new systems but not changing what went wrong:
Target is dumping money and manpower into new systems without changing what went wrong in the first place. That’s great and all. But what about that good ol’ honesty? Investing in new systems is fine, but there wasn’t really anything wrong with the previous system. It worked: the tool flagged the intrusion, Bangalore was alerted, and Bangalore notified HQ. What HQ needs to fix is how it handles a situation like this once the alert lands. Company-wide training on what to do when an alert arrives, and then simply being honest about it afterwards, would have gone a long way. The negative publicity could have been avoided.
Investigations show that Target already had every system in place to detect the data theft – state-of-the-art tools, monitoring, and alerts. However, someone on the compliance and security teams saw an alert and it was not acted on. There needs to be a protocol, a hierarchy, and an internal system for responding to red flags: who triages an alert, who decides whether to escalate it, how quickly, and who is accountable if it stalls. Each employee needs to know their role in that system.
So what have we learned?
- Disclose early and thoroughly
- Communicate with customers
- Evaluate and change internal systems
This unfortunate post-Christmas “Bah Humbug” event could have been avoided had an effective whistleblower program been in place, one where any employee could have sounded an alarm about how HQ was treating these warning signs. Effective whistleblower programs are built on a foundation of risk management, which includes a comprehensive understanding of all possible risk areas and potential points of ethical (and data) breaches. A 24/7/365 whistleblower hotline ensures that your employees always have an outlet to report any perceived wrongdoing.
WhistleBlower Security can reduce the risk of fraud, waste, and abuse of authority occurring in the workplace.