Do you think that the data center from which Target’s stolen consumer data was compromised has been a lot like a scene out of RF Code Theater Production’s “Supernatural Info-tivity” lately? With 110 million victims in the November data breach (70M higher than the originally reported 40M), the Target data breach brought the age of the Big Data Theft into public consciousness and resulted in major losses for the company. Follow-up reports that Michaels and Neiman Marcus suffered similar attacks only further echoed that your data is everywhere and that each time one of us swipes a payment card, we could be sending our most vital details straight into a scary situation.
This month, details have been released that make the breach parallel the typical horror movie even more closely. Just as we’ve seen in thousands of B-level scary movies when teenagers are told not to drive down that road or a girl is warned not to open that box, it was revealed that Target was warned. Two months prior to the huge data breach, IT security staff warned Target of potential vulnerabilities within their card payment system, and we wouldn’t be watching a horror movie if Target had heeded their advice.
True, there may not have been any gruesome deaths at the hands of a psychopath or demonic possession. Instead, the frights occurred when Target purchased credit protection plans for all 110 million victims, was struck with multiple lawsuits from financial institutions, saw its stock price fall to a 20-month low, and ultimately reported lower-than-expected 2013 Q4 results. With analysts predicting that the entire ordeal may cost the big box retailer more than $1 billion in fees, many on Wall Street and in Target’s boardrooms would describe the incident as…well… a bloodbath.
The Target situation goes far beyond strictly data center security, as malware was even installed on point-of-sale registers. These registers are all connected to remote management software and “protected” with what are now being reported as weak passwords. The industry’s defense has been to rally for more information about cyber threats through the Retail Industry Leaders Association’s Cybersecurity and Data Privacy Initiative, and to encourage chip-and-PIN cards to replace the existing technology. Already the standard in Europe, these cards are supposedly more secure because they are difficult to counterfeit and provide encrypted information on-site. However, it’s worth noting that the switch to chip-and-PIN cards would be an enormous undertaking for financial institutions (some already carrying the costly burden of compromised consumer information following the Target data breach) and that Target’s data thieves successfully stole encrypted PIN information.
With the potential for even more damaging breaches occurring as the role of data in our daily lives increases, RILA’s initiative and the exploration of more secure card technology are definitely steps in the right direction, but I can’t help but wish that more attention was being called to actual data center infrastructure management improvements. After all, warnings can be ignored, weapons and defenses can be used against you, and it’s usually the unlocked door or the flat tire that lets the bad guy sneak in the back door.