In the past couple of days it was reported that stolen vendor credentials were used in the huge Target data breach. I first saw an article on this at http://money.cnn.com/2014/01/29/news/companies/target-breach-password/. As I was later reading the weekly reading assignment for my Information Security Management course about risk management, I wondered if some of these principles had been properly applied by the vendors as well as by Target themselves.
I wonder if the vulnerability of stolen vendor user credentials was even part of Target's risk assessment. After all, risk assessments are only performed on risks that have been identified. If they did think of this as a potential risk, what did Target do to address it? Certainly they reacted properly, or at least it appears they acted appropriately, once they found the breach. The real problem is why it took 3 weeks to discover the breach.
In this case the potential loss for Target was huge, since they are one of the larger US retailers. One would think that protecting their customers' data would be one of the most important things for the company. After all, look at all of the money they are now spending to try to recover from this breach. They have spent money handing out discount cards, offering credit monitoring services, and putting extra time and effort into damage control. This money spent doesn't even take into account the lost revenue they have likely seen from fewer customers in the stores and online. All of this makes me wonder if they would have saved time and effort by doing a better job of assessing risk and implementing controls to prevent the data breach in the first place.