Get Aligned!

Almost every day there is a data breach in the news. Companies like Yahoo, LinkedIn, Adobe, JPMorgan Chase, and even a US voter database holding over 191 individuals’ details, have all been subject to breaches through various methods. With all the money and security technology at their disposal, these breaches still seem to happen, whether through lapses in security, human error, or malicious internal leaks. While the goal is obviously to prevent breaches in the first place, if they do happen – who is at fault?

Let’s first look at one of the most infamous breaches in recent times – U.S. mega-retailer Target. They are one of the largest retailers in the US, and third largest in the world based on sales. They have 1,795 stores across North America, and see almost 3 million people pass through their doors on a daily basis; needless to say, they are a data goldmine. In fact, their data is so in-depth that they once (in)famously discovered that a teen customer was pregnant before she’d even announced the news to her family. With such a vast amount of data to protect, their IT department wisely realised that they were a target (pardon the pun!) and invested in a security monitoring system called FireEye. Unwisely, on the 30th of November, 2013, when that fancy new security system notified their IT department that malware had been detected on their system, they decided to ignore it.

Fast forward to the 13th of December, two weeks after the malware was first detected, when Target received a call from a journalist called Brian Krebs. Krebs wanted to let them know that he’d stumbled across a large, fresh batch of credit cards being sold on underground marketplaces. The cards all had one significant thing in common – they had been used at Target from late November to mid-December.

During their busiest shopping period of the year, Target knew they had been infected, and chose not to react.

In total, over 70 million individuals had their account data, including full names, credit and debit card numbers, expiration dates, CVV codes, and even PIN data stolen, right under Target’s nose. Recent estimates expect Target to be liable for over $3b USD. More than 90 lawsuits have been filed against the retailer by both customers and banks, and their profit for the holiday shopping period fell almost 50%.

When Target Chairman/President/CEO Gregg Steinhafel was asked specific questions about the incident, he had this to say: “Target was certified as meeting the standard for the payment card industry in September 2013…”. In other words, “We met the standard – what else do you want from us?” That question is increasingly difficult to answer, yet couldn’t be more relevant to today’s companies.

Under the doctrine known as ‘negligence per se’, if there is a law, regulation, or widely adopted industry standard, then failure to meet that standard is automatically negligence – but achieving compliance with that law or standard is not, by itself, enough to prove that you weren’t negligent.

What if Target had never purchased FireEye – is ignorance an excuse? Unfortunately not. Where the law states you must take reasonable care to protect your customers’ data, that means utilising the tools available, whether or not they are an ‘industry standard’. In the rapidly advancing security marketplace, this means continuously re-evaluating products and solutions that were previously deemed too expensive or unnecessary. The recent explosion of the augmented reality game Pokémon Go only served to show how quickly technology can be adopted – what is out of reach one week might be vital to the company the next, so you have the responsibility to always make sure your company is ahead of the curve.

While proper prevention and protection measures should always be in place to defend your company, breaches can happen – when they do, make sure you have taken the precautions necessary to know that you have done all you can to protect your data. Your customers (and insurers!) will thank you for it!
