In December 2013, the world learned of the Target breach. We now know that more than 40 million credit card numbers were stolen along with 70 million other pieces of customer data. Together, this amounts to the second largest data breach at a U.S. retailer. Since the public became aware of the breach, more than 90 lawsuits have been filed against Target, as well as an investigation by the FTC and Senate Banking Committee.
As Target CEO Gregg Steinhafel was removed from his post this week, I left me to ponder what went wrong, and how it could have been avoided. Here are the 5 mistakes Target made with their data breach (that you should avoid):
1. They ignored the warnings.
Six months before the breach, Target installed a $1.5 million malware detection tool, one of the same tools the CIA and Pentagon use. Target also has an off-shore team to monitor computers 24/7 and alert the Minneapolis headquarters to anything suspicious. How then did a breach this large happen? Well, it seems as if Minneapolis ignored the warnings – at least three times.
2. They didn’t tell consumers fast enough.
Target first publicly disclosed the breach in a press release on December 19, 2013, after journalist Brian Krebs broke the story on his website. Despite the press release and the media swirling about the breach, Target waited more than a month to personally notify customers. This left hundreds of millions of customers to read the newspaper and watch the news and wonder if they were affected for over a month. Too much, too little, too late to assuage fears and/or regain trust.
3. Even after they told consumers, they didn’t disclose the full extent of the breach.
Target told us about the 40 million credit cards on December 19, but waited until January 10 to disclose that more than 70 million customers had personal information – names, phone numbers, email and mailing addresses – stolen. This lead to the feeling that the retailer was not being fully upfront with anyone. And was it a coincidence that this information didn’t come out until after the holiday shopping season was over?
4. The never really said they’re sorry.
As consumers, we want to feel like the big bad corporation is sorry for letting our information slip. With Target, we don’t. The combination of the above events, and the complete lack of sympathy Target is showing for them certainly doesn’t feel apologetic. The data breach FAQ on Target’s website isn’t exactly apologetic and feels like it exists to keep panicky customers from clogging phone lines, more than helping.
The form letter offering credit monitoring didn’t help either. Especially since free credit monitoring won’t help anything. Credit monitoring helps if someone steals personal information (social security numbers, date of birth, mother’s maiden name) – that didn’t happen with Target. Credit and debit card fraud doesn’t trigger anything on a credit report. It was a way to allay the fears of the masses, without really doing anything.
5. They’re dumping money and manpower into “new” systems and resources without changing what went wrong.
Since the breach, Target has promised hundreds of millions in upgrades, fired their CIO (they’re still looking for her replacement), promised better security systems, and, now, forced the CEO to resign. They’ve shouted from the rooftops about their new security systems and created new security roles, including those of Chief Information Security Officer and Chief Compliance Officer (Note: neither have been filled). All of this is nice, but their entire data breach could have been prevented with training. Yep, training.
We know from the investigations that Target already had every system in place to prevent the data theft. They already had state of the art systems, and monitoring, and alerts. The problem is, they ignored them. Someone on their compliance and security teams saw an alert and chose to ignore it. Someone failed to follow protocol and didn’t act. Target can buy all the expensive software it wants, but the problem won’t be solved unless they train their employees on how to respond to alerts. There needs to be a protocol, and a hierarchy, and an internal system in place to respond to red flags; and each employee needs to know their role in that system. Simple as that.
So, if you ever find yourself in the unenviable position of dealing with a data breach, remember Target (and don’t do what they did). Disclose early and thoroughly, communicate with your customers, evaluate and change your internal systems, and maybe most importantly, say you’re sorry.