Cyber Breach at Target
My diagnosis of the breach at Target is that Target was vulnerable and partly unlucky. Target was vulnerable in the way it organized its IT infrastructure. Several investigative reports identified vulnerabilities in Target’s IT environment. In fact, Target received several warning signals but ignored them. For instance, two auditors reported that the system is designed to detect malware automatically and prevent its installation. However, this feature had been turned off for unknown reasons. In addition, FireEye sent security alerts to Target, but there was no response. Surprisingly, FireEye sent the alerts multiple times, but they were subsequently ignored. Furthermore, some employees say that the board had received requests to review the company’s system but kept ignoring them. The company also had extra default accounts that were unnecessary. Unfortunately, the company was unlucky that hackers identified the extra default accounts and used them to access the company’s data.
There are several things that Target could have done to avoid being breached. To begin with, Target should have implemented the security measures provided by PCI DSS 2.1, which was recommended because PCI DSS was in use at Target. Secondly, Target should have deleted the extra default accounts used by the hackers to breach the company. As some reports suggest, the main problem that might have prevented Target from taking these actions is the large number of alerts it frequently received. Therefore, it was difficult to identify the alerts that needed immediate attention.
Generally, Target’s post-breach response was not successful because it led to further losses for the company. Notably, Target did well in creating a procedural process with the aim of assisting customers who had concerns about their master cards and ATMs. It is also important to note that, having made poor decisions in preventing the breach, Target made further poor decisions in its post-breach responses and actions. For instance, it was not professional for Target to conceal information. It is reported that Target had initially denied losing customers’ data, only to confess later. In particular, Target had earlier reported that customers’ PINs had not been accessed by the hackers, yet the hackers had actually managed to access and steal most of the data that they wanted.
Target’s board of directors is accountable for the breach and its consequences because it failed to implement the recommendations presented to it by the IT department. For instance, the board had been advised to conduct a review of the IT system before the fourth quarter, but the idea was ignored, and the company proceeded with a system that had vulnerabilities. In addition, the board is also accountable for the consequences of the breach because it did not conduct the proper follow-up measures to make security efficient. This includes turning off the system’s ability to automatically prevent the installation of malware. As a member of Target’s board of directors, I would advise the company to first secure data that has not yet been tampered with by hackers. I would advocate for change in how the company ensures that security measures are fully implemented as they should be.
The cyber breach case at Target provided companies with insight into various security issues in IT. The most important lesson that I have learned from the cyber breach case at Target is the benefit of adhering to security measures, however irrelevant they may seem. Ideally, any alert relating to security should be responded to with urgency. I also learned that having an organized IT infrastructure facilitates quick and easy detection of malicious activities. In responding to cyber-attack incidents, I learned that a company should be extra careful when revealing certain matters to the public.