Attacks/Breaches
1/22/2014
02:45 PM
Ira Winkler
Ira Winkler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Target Mocks, Not Helps, Its Data Breach Victims

The only thing consumers did wrong is to shop at Target. Why are they being blamed for the retailer's security failings?

At face value, Target's $5 million contribution to organizations that educate consumers on computer safety makes sense. There was a computer compromise -- one that compromised weak computer security -- so Target should look to strengthen it. Unfortunately, the error pointed out a weakness in Target's security efforts, not those of its customers. The only thing that consumers did wrong is shop at Target.

If Target wanted to help its victims, it would have contributed $5 million to resources that help victims of the crimes that resulted from Target's own security failures. For example, the funds would be much more effective in the hands of the Identity Theft Resource Center, a nonprofit that provides counseling to victims of identity theft, which Target's customers have become.

Instead, Target mocks and marginalizes its victims by sending a message that everyone -- consumers and retailers -- has equal responsibility when it comes to data breaches. To a limited extent, that is true, but the donation is a blatant attempt by Target to repair its image without taking responsibility for its security failings.

Worse, the action implies that, if customers (the victims of the identity theft) had only engaged in better security practices, they would not have been attacked in the first place. If Target were truly interested in repairing its image, it would reframe the discussion and take responsibility for the fact that its own internal weaknesses compromised user data.

More class, less action
Some make the case that it's not wrong for Target to make a large donation to some very good organizations, but the truth is that Target knows that it will likely have to donate money to some nonprofit as part of a class action settlement when the dust settles. If it pays that money now, while it is in the middle of a public relations nightmare, there's really no down side.

The reality of class actions is that consumers rarely benefit from them. Yes, it sounds good that Target will ultimately pay tens of millions of dollars in settlement fees. But what I've discovered, after researching many such lawsuits, is that most consumers walk away with nothing tangible. Let's assume, for example, that Target agrees to pay $30 million for consumers to obtain a year of free credit monitoring. Many people already have this service, and few take advantage of it. So Target will likely end up paying less than $5 million of that sum.

Target will also probably give some discount coupons or credit vouchers that let customers believe they will receive $50 million in payouts. These payouts will require consumers to go through extensive measures to prove they suffered a loss. Then they will be required to go into and spend more money at Target. Assuming consumers actually take advantage of the payouts, that spending could represent a net gain for Target. Then there is the $5 million donation, which is a drop in Target's marketing budget. Of course, the big money -- $10-$20 million or so -- will probably go to the attorneys supposedly representing the class in the action

Well-meaning but irrelevant nonprofits help Target mock its victims while attorneys get rich filing paperwork. Target needs to stop implying that its victims are to blame. It needs to start providing real help that repairs the real damage it caused through its failure to provide adequate security for its customers' data.

Ira Winkler is co-founder and president of Secure Mentem Inc. and president of the Internet Security Advisors Group. Described as a modern day James Bond, he began his career at the National Security Agency and is recognized as an expert in Internet security and cybercrime.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Strategist
1/29/2014 | 11:10:06 PM
Re: Target Info Breach- Target not helping anyone but themselves
Of course, Marilyn, then it becomes a little like game theory.  Next thing we know, we'll see a major breach like this...and then another (exceedingly well-planned and executed, with perhaps inside help) breacon on the same company in the wake of it well into the remediation process.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/29/2014 | 8:58:15 AM
Re: Target Info Breach- Target not helping anyone but themselves
I have to agree with you Joe, that it (sadly) is probably safer to shop at Target today than it was a few months ago, before the breach. Same theory as flying on an airplane after a crash. The security will never be higher than in the days and weeks after a disaster. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Strategist
1/28/2014 | 10:07:57 PM
Re: Target Info Breach- Target not helping anyone but themselves
FWIW, Target has already been attacked and beefed up their security since.  It's probably safer right now to shop at Target than their competitors.  (Esp. considering the recent Neiman Marcus attack.)
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Strategist
1/28/2014 | 10:05:45 PM
Class actions
More likely than a nonprofit, the bulk of class action money not going to lawyers will probably wind up in the hands of states' coffers (as state AGs go after the company).  I don't see Target money going to a nonprofit as part of a settlement as a foregone conclusion.
jgstoddart
50%
50%
jgstoddart,
User Rank: Apprentice
1/28/2014 | 1:30:49 PM
Re: Data Breach Costs
The cost I meant was for the company to have to pay all those affected by the breach..

Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/28/2014 | 11:01:41 AM
Data Breach Costs
Data breaches do cost a lot of money, beyond the damage to a company's reputations. In fact, The Poneman Instititute and Symantic have been benchmarking worldwide costs of data breach for the past eight years. In its May 2013 report,  for example, researchers reported that German and US companies experienced the most costly data breaches at $199 and $189 per record at a total cost of $5.4 million in the US and $4.8 million in Germany.

Clearly. organizations must consider these losses as a standard cost of doing business. Otherwise they would be more proactively investing in systems and policies that help avoid them. 

 
jgstoddart
50%
50%
jgstoddart,
User Rank: Apprentice
1/25/2014 | 12:37:20 PM
Re: Credit monitoring
I agree with Thomas 100%, responsibility is a big part of the issue. Data breaches should cost the company something (other then a hit to their reputation), there should be compensation to all persons affected by this. Only then will companies take notice, in the wallet thats where it hurts...

Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 10:31:26 AM
Re: Ideas?
[Target] is essentially saying that if our information is used then it was our fault for not being deligent enough to stop it. 

Couldn't agree more, JeniferS511. There is definitely something wrong with that picture. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 10:27:04 AM
Re: Ideas?
Great list, @rradina. I won't hold my breath about Target providing a complete disclosure regarding their PCI internal and external audits but I too would like to know if Target employees complained about system problems. If so, Target could have addressed the issue earlier and saved many more shoppers from having their personal data compromised. 
rradina
100%
0%
rradina,
User Rank: Apprentice
1/23/2014 | 2:21:47 PM
Re: Ideas?
My greatest concern is that this will be swept under the rug and those responsible for bad decisions will not be held accountable.  Therefore I'd like Target to:

1)  Come clean and provide a complete description of exactly what happened

2)  Provide full disclosure regarding their PCI internal and external audits -- including the external auditor's name

3)  Provide internal Target staff the ability to anonymously voice past and present PCI concerns.  I'd like to know if folks on the inside repeatedly warned of risks that were never addressed and know what's being done to address them and if there are any that still aren't being addressed.

4)  Cover all costs banks incur issuing new cards and covering fraud.

5)  Cover all government costs incurred helping them figure out what happened.

6)  Provide free legal help to anyone who experiences trouble with identity theft or creditors and cover their losses @ 120%.  If that's handled through a third party, fine, but I shouldn't have to lift a finger to start the service.  You sent me an e-mail apologizing.  You can send me an e-mail stating that you've activated a service on my behalf.  WHY DO I HAVE TO SIGN UP AND PROVIDE MY CREDIT CARD! Target needs to give them a purchase order number!  I have no desire to have some B.S. auto-renewed plan that I have to fight to get cancelled a year from now.
Page 1 / 3   >   >>
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.