Aamir Lakhani wrote a fantastic article on the recent data breach of Target’s network. If you recently shopped at Target, you really should read this. The original article can be found HERE.
Anyone who swiped their credit or debit card between Nov. 27th through Dec. 15th may have had his or her accounts breached.
Target, just like any other merchant that takes and processes credit card information is required to abide by the Payment Card Industry Data Security Standard (PCI DSS) PCI standards.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.).
It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council. A copy of the PCI DSS is available here.
PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
Organizations the size of Target spends millions of dollars protecting credit card information. I have no idea what Target did or did not do in this case. As of right now the exact details of the breach are unclear.
It would be difficult to say if they did everything they could have done to protect their customers. The truth is most breaches are extremely complex and conducted by extremely motivated individuals who have the brains, time, resources, and money to invest in these types of attacks. In most cases these attacks may take advantage in a flaw of a technology, process, or culture of their victim. In other words, organizations can protect themselves of many different attack scenarios, but the scenario that will work, is the one they didn’t think of.
I do hope there is some there is some transparency about the breach details. I truly believe as sophisticated and as complex as attacks are getting it will be impossible to stop them. Sophisticated Big Data and Security Analytics tools may help discover vectors for attackers and the vulnerabilities they are taking advantage of sooner rather than later. This will help us shorten the kill chain window.
There are theories that this may have been an insider job, organized crime, or a state sponsored attack from a foreign enemy. It may be difficult for Target to reveal exactly what happened because of some of the legal and liability considerations that it must think about. However, instead of using the blame game to see what went wrong, this could be a watershed event to increase the overall posture of cyber security by using this as an opportunity to see how the risk could have been mitigated, or detection could have been quicker.
My advice is if you have shopped at Target in the last 12 months; keep a close eye on your accounts. If possible request new cards and accounts. Check your credit card statements carefully. If you see suspicious charges, report the activity to your credit card companies and call Target at 866-852-8680. You can report cases of identity theft to law enforcement or the Federal Trade Commission.
You can get more information about identity theft on the FTC’s website at www.consumer.gov/idtheft, or by calling the FTC, at (877) IDTHEFT (438-4338).