Targeting Compliance


As many of you may have heard, Target has had its customer databases compromised, as reported by several sources such as Krebs on Security and Information Week. The blame falls on Target relying on an external company that remotely manages the HVAC (Heating, Ventilation, Air Conditioning) systems for the stores. Most HVAC systems now are appliances, appliances with IP addresses that allow for remote monitoring and management. But the blame is not only the HVAC company’s. We’ll get to that part.

Per Payment Card Industry Data Security Standards (PCI-DSS) regulations, Target is liable for any of its third-party contractors’ security shortcomings. Notably, PCI requires that merchants “incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.”

The result of the breach:

  • Customer loyalty was damaged and sales dropped, during the busiest and most profitable time of the year
  • Banks had to re-issue cards, and Target had to reimburse the banks for the re-issued cards
  • Credit monitoring for all affected customers had to be purchased
  • Fines for non-compliance had to be paid

All of which totals $420 million, give or take.
What else?

  • Eight stores had to be closed down due to the losses, leaving hundreds of employees without a job.
  • The supply chain, such as delivery companies, security guards, and insurers of locations, all took a financial hit as well.

What blame does Target have? They did not provide a two-factor authentication system for their contractors. They only reached compliance but, in many people’s opinion, did not do their due diligence and segregate their network for security. How is it that they set up permissions so that an external contractor even had the ability to reach payment systems? It is not a mandate within PCI to keep PCI zones and non-PCI zones from intermingling (but it is highly recommended and, from a security stance, a must!). Probably the most important question: was the CISO empowered to make the right decisions, or did the CIO/CFO/CEO squash them because it would cost too much to not just make things compliant but to make them secure? Were due diligence and due care sought?

Some companies do just barely enough to reach compliance. Some exceed.

I’d imagine that many companies are doing a lessons-learned breakdown of what happened and how they can protect themselves and their customers from this type of cybercrime.
