A few weeks ago news broke on several media sites about the
huge data breach that occurred involving a major US retailer. The retailer was Target. According to reports including the one found
on USA Today’s website at: http://www.usatoday.com/story/news/nation/2013/12/18/secret-service-target-data-breach/4119337/,
there were up to 40 million credit cards potentially compromised from Nov 27 to
15 Dec 2013. This is all at the peak of
Christmas shopping season. According to
the article the type of information that was compromised was the actual data
stored on the strip of a credit card and any pin numbers that were
entered. This means that the data stolen
is the type of information that could be used to recreate physical credit cards
and it is not believed that online purchases were affected by this data
breach. The article also noted that
according to data breach experts businesses are usually unprepared for the breaches
when they occur.
This topic brings to mind the latest lesson that we have
been covering in my CIS 608 course. This
week we have been learning about incident response plans. With the magnitude of this data breach it
begs the question as to why data was leaked for close to 3 weeks prior to being
stopped. With proper incident response
comes incident detection. What method of
incident detection was in use by Target during this period of time? If that much data is being moved away from
Target you would think the retail giant would have measures in place to detect
this. It is easy to play Monday morning
quarterback and state that this should have been detected sooner I also do not
know what the indicators were that the breach had occurred. Once the detection
is made the company should have a plan in place to cease the data breach and
alert the appropriate authorities as quickly as possible.
In any case, this type of breach reinforces the fact that
having a good incident response plan in place is vital for a business. I’m sure that a retailer like Target will
make it out of this incident with no problem but that would likely not be the
case for much smaller business operations.