Attacks/Breaches
1/22/2014
02:45 PM
Ira Winkler
Ira Winkler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Target Mocks, Not Helps, Its Data Breach Victims

The only thing consumers did wrong is to shop at Target. Why are they being blamed for the retailer's security failings?

At face value, Target's $5 million contribution to organizations that educate consumers on computer safety makes sense. There was a computer compromise -- one that compromised weak computer security -- so Target should look to strengthen it. Unfortunately, the error pointed out a weakness in Target's security efforts, not those of its customers. The only thing that consumers did wrong is shop at Target.

If Target wanted to help its victims, it would have contributed $5 million to resources that help victims of the crimes that resulted from Target's own security failures. For example, the funds would be much more effective in the hands of the Identity Theft Resource Center, a nonprofit that provides counseling to victims of identity theft, which Target's customers have become.

Instead, Target mocks and marginalizes its victims by sending a message that everyone -- consumers and retailers -- has equal responsibility when it comes to data breaches. To a limited extent, that is true, but the donation is a blatant attempt by Target to repair its image without taking responsibility for its security failings.

Worse, the action implies that, if customers (the victims of the identity theft) had only engaged in better security practices, they would not have been attacked in the first place. If Target were truly interested in repairing its image, it would reframe the discussion and take responsibility for the fact that its own internal weaknesses compromised user data.

More class, less action
Some make the case that it's not wrong for Target to make a large donation to some very good organizations, but the truth is that Target knows that it will likely have to donate money to some nonprofit as part of a class action settlement when the dust settles. If it pays that money now, while it is in the middle of a public relations nightmare, there's really no down side.

The reality of class actions is that consumers rarely benefit from them. Yes, it sounds good that Target will ultimately pay tens of millions of dollars in settlement fees. But what I've discovered, after researching many such lawsuits, is that most consumers walk away with nothing tangible. Let's assume, for example, that Target agrees to pay $30 million for consumers to obtain a year of free credit monitoring. Many people already have this service, and few take advantage of it. So Target will likely end up paying less than $5 million of that sum.

Target will also probably give some discount coupons or credit vouchers that let customers believe they will receive $50 million in payouts. These payouts will require consumers to go through extensive measures to prove they suffered a loss. Then they will be required to go into and spend more money at Target. Assuming consumers actually take advantage of the payouts, that spending could represent a net gain for Target. Then there is the $5 million donation, which is a drop in Target's marketing budget. Of course, the big money -- $10-$20 million or so -- will probably go to the attorneys supposedly representing the class in the action

Well-meaning but irrelevant nonprofits help Target mock its victims while attorneys get rich filing paperwork. Target needs to stop implying that its victims are to blame. It needs to start providing real help that repairs the real damage it caused through its failure to provide adequate security for its customers' data.

Ira Winkler is co-founder and president of Secure Mentem Inc. and president of the Internet Security Advisors Group. Described as a modern day James Bond, he began his career at the National Security Agency and is recognized as an expert in Internet security and cybercrime.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 3   >   >>
Thomas Claburn
100%
0%
Thomas Claburn,
User Rank: Moderator
1/22/2014 | 4:46:28 PM
Credit monitoring
The whole notion of credit monitoring as a service is offensive because it shifts responsibility for data integrity from the data gather to the consumer. If you're going to compile data, you should be obligated to maintain it and represent it accurately.
dak3
50%
50%
dak3,
User Rank: Moderator
1/22/2014 | 5:16:25 PM
Re: Credit monitoring
In fact, Target has already offered all of its customers a year of free credit monitoring. And I, for one, applaud their action in attempting to help educate the vast number of consumers who have no clue about security - how can that be a bad thing?
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Apprentice
1/22/2014 | 7:53:14 PM
Ideas?
Readers -- what would you have rather seen Target do?
Mathew
100%
0%
Mathew,
User Rank: Apprentice
1/23/2014 | 5:31:12 AM
Re: Credit monitoring
Agreed. Even better would be allowing data breach victims to bill the offending party -- at a suitably high hourly rate -- for the time that they (or better, a designated third party) have to spend cleaning up the mess. 

ID theft monitoring is watching for criminals putting your stolen card details to use. Had the breached business properly safeguarded that information, customers wouldn't be stuck with having to watch for fraud -- through no fault of their own.

And it's a reminder to never, ever use a debit card except in an ATM, if you can help it.
Marilyn Cohodas
0%
100%
Marilyn Cohodas,
User Rank: Strategist
1/23/2014 | 8:45:41 AM
Re: Credit monitoring
There is nothing wrong with Target educating users about best security security practices. But how about Target educating retailers about the lessons they learned about how they got hacked in the first place. That would require a level of transparency that is rare in the industry.
BobH088
50%
50%
BobH088,
User Rank: Apprentice
1/23/2014 | 9:29:11 AM
data loss solution
One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags let someone who finds your lost stuff contact you directly without exposing your private information.  I use them on almost everything I take when I travel after one of the tags was responsible for getting my lost laptop returned to me in Rome one time. You can get them at mystufflostandfound.com
RobPreston
50%
50%
RobPreston,
User Rank: Apprentice
1/23/2014 | 9:42:04 AM
Re: Credit monitoring
Security education is all well and good -- to argue against it is like arguing against teaching kids math and science. But it misses the point here. Target needs to take full responsibility for the breach and ensure that it will never happen again -- through better technology, practices...and customer, partner, and employee education. Spare us the PR campaign. 
Drew Conry-Murray
100%
0%
Drew Conry-Murray,
User Rank: Ninja
1/23/2014 | 10:03:50 AM
Re: Credit monitoring
I shopped at Target during the period of the breach, and my bank issued me a new card. I was thinking of taking up Target on its offer of the free credit monitoring, but I was just looking at the site and saw that I need to give Experian (the company that will monitor my credit) with my social security number. That bothers me, because I don't really trust Experian to keep my information safe.

Just curious to get some opinions on whether the credit monitoring is worth it in exchange for my SS#.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/23/2014 | 12:18:50 PM
Re: Credit monitoring
Well based on what Brian Krebs reported last fall -- that  an identity theft service that sold SS and drivers license numbers purchased much of its data from Experian -- I wouldn't be too eager to share that information. 
JBonfield
50%
50%
JBonfield,
User Rank: Apprentice
1/23/2014 | 1:25:11 PM
Target Info Breach- Target not helping anyone but themselves
Our accounts are affected, our lives turned upside down for various amounts of time (week, month, months, year) depending on the situation. For me, it was two weeks of being inconvenienced, and now another two weeks of my bills being held up and held back, and eventually an onslaught of bil payments ripping through my account. I get to live on peanuts for the next week, which would not have been the case had my account not been compromised.

What do we get for the lack of security on behalf of Target? We get a free year of credit monitoring. What does this include? NOTHING other than being able to see what is already happened, and how it affects your credit.

In order to get credit reports along with the monitoring or any kind of real service out of the deal, you have to submit a credit card and pay!

Isnt that what got us in this mess in the first place?

I personally agree with some of the states that are filing class-action suits against Target on this issue. I am praying that my own state does as well, or there is some way for me to be included in any of the other ones.

I have sworn off Target for the time being. I do not forsee my shopping there anytime soon. I have plenty of other stores to go to where my information was not breached.

Thanks Target!

Jonie Bonfield, Madison, WI
Page 1 / 3   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6477
Published: 2014-11-23
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4...

CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?