Friday, January 17, 2014

Target Data Breach – Target CEO Belatedly Starts to “Man Up”


Target and CEO Gregg Steinhafel have finally downloaded a book on crisis management and are following the script for what to do when a company crisis occurs. They could have begun a lot earlier after this November/December data breach occurred, right after the breach was discovered. They have managed never to say the phrase "Advanced Persistent Threat (APT)" in their communications. I would imagine that every company offering an APT solution has contacted them.

On January 14th, Target ran a full-page ad in a number of major US newspapers. Below are snippets of its four bullet points and my comments. These adverts do cost $$. Earlier blogs on this topic are on www.us.ahnlab.com


  1. Closed the access points that were used and removed the malware.  I should hope so!  Preferably, this was done a month ago.
  2. Hired a team of data security experts to investigate how this happened.  Good.  Hopefully this happened a month ago. The internal IT department kind of messed up here.  However, most current security technology is unable to stop this kind of attack. Hence the number of APT solutions being offered.
  3. Communicated that guests will have zero liability for any fraudulent charges.  First, they're customers, not guests.  A bit of a $$ olive branch. Usually, customers have a small window of time in which to dispute charges on debit cards and credit cards. The rules vary, but customers don't have unlimited liability.  A person's checking account could, in theory, be emptied in the meantime, though.  This communication hopefully happened right after the breach was discovered and closed.
  4. Offered one year of free credit monitoring and identity theft protection.  This should have happened weeks ago.  Target – do not auto-renew this on Target debit cards. That would be tacky.
Target is now doing much of the right thing. Steinhafel even said, "Sorry".  All of the above was late. The crisis management book would have had Steinhafel front and center right after the breach was discovered, rather than having an update section on the Target web site: www.target.com/databreach
Demerits for Target for not being transparent early with customers. Demerits for not keeping Target employees in the trenches in the loop, immediately and on an ongoing basis, about this.  Target should even consider having something conspicuously posted (with copies available) at checkout lines in their stores.  The additional 10% weekend discount offered was barely an olive branch.
It now appears that even non-Target customers are getting emails from Target. From one article on the topic, these read, in part:
"The good news first: A Target spokeswoman has confirmed to Consumerist that the email is “an official communication,” despite it seeming like the perfect chance for hackers to strike yet again. So, whew. But when we asked where Target obtained email addresses for people who are not now and have never been customers of the retailer, the spokeswoman simply said, 'The information was obtained by Target through the normal course of our business.'" 


Target IT employees. Start evaluating APT solutions.

Why haven't Target and/or the relevant financial institutions gone out and immediately sent replacement cards?  First, a less costly solution would be for all customers to go and change their passwords. This isn't going to happen. The information (fortunately a lot of it encrypted) has already been stolen. Second – behind the scenes, the financial institutions and Target are probably pointing fingers at each other regarding inadequate protection.  Third – the cost of sending out a replacement card is around $10.  This could be a hit of up to $440 million to Target and/or the affected financial institutions. So, this isn't going to happen either.
