Attacks/Breaches
1/22/2014
02:45 PM
Ira Winkler
Ira Winkler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Target Mocks, Not Helps, Its Data Breach Victims

The only thing consumers did wrong is to shop at Target. Why are they being blamed for the retailer's security failings?

At face value, Target's $5 million contribution to organizations that educate consumers on computer safety makes sense. There was a computer compromise -- one that compromised weak computer security -- so Target should look to strengthen it. Unfortunately, the error pointed out a weakness in Target's security efforts, not those of its customers. The only thing that consumers did wrong is shop at Target.

If Target wanted to help its victims, it would have contributed $5 million to resources that help victims of the crimes that resulted from Target's own security failures. For example, the funds would be much more effective in the hands of the Identity Theft Resource Center, a nonprofit that provides counseling to victims of identity theft, which Target's customers have become.

Instead, Target mocks and marginalizes its victims by sending a message that everyone -- consumers and retailers -- has equal responsibility when it comes to data breaches. To a limited extent, that is true, but the donation is a blatant attempt by Target to repair its image without taking responsibility for its security failings.

Worse, the action implies that, if customers (the victims of the identity theft) had only engaged in better security practices, they would not have been attacked in the first place. If Target were truly interested in repairing its image, it would reframe the discussion and take responsibility for the fact that its own internal weaknesses compromised user data.

More class, less action
Some make the case that it's not wrong for Target to make a large donation to some very good organizations, but the truth is that Target knows that it will likely have to donate money to some nonprofit as part of a class action settlement when the dust settles. If it pays that money now, while it is in the middle of a public relations nightmare, there's really no down side.

The reality of class actions is that consumers rarely benefit from them. Yes, it sounds good that Target will ultimately pay tens of millions of dollars in settlement fees. But what I've discovered, after researching many such lawsuits, is that most consumers walk away with nothing tangible. Let's assume, for example, that Target agrees to pay $30 million for consumers to obtain a year of free credit monitoring. Many people already have this service, and few take advantage of it. So Target will likely end up paying less than $5 million of that sum.

Target will also probably give some discount coupons or credit vouchers that let customers believe they will receive $50 million in payouts. These payouts will require consumers to go through extensive measures to prove they suffered a loss. Then they will be required to go into and spend more money at Target. Assuming consumers actually take advantage of the payouts, that spending could represent a net gain for Target. Then there is the $5 million donation, which is a drop in Target's marketing budget. Of course, the big money -- $10-$20 million or so -- will probably go to the attorneys supposedly representing the class in the action

Well-meaning but irrelevant nonprofits help Target mock its victims while attorneys get rich filing paperwork. Target needs to stop implying that its victims are to blame. It needs to start providing real help that repairs the real damage it caused through its failure to provide adequate security for its customers' data.

Ira Winkler is co-founder and president of Secure Mentem Inc. and president of the Internet Security Advisors Group. Described as a modern day James Bond, he began his career at the National Security Agency and is recognized as an expert in Internet security and cybercrime.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
JeniferS511
100%
0%
JeniferS511,
User Rank: Apprentice
1/23/2014 | 2:07:46 PM
Re: Ideas?
There are a lot of things I think Target couldv'e done differently to alleviate the frustration of its consumers. 1) Instead of waiting at least 4 days after discovering the breach and allowing another news source to break the breach, Target should have immediately released the news. 2) At the time that they knew the breach had occured all of their Red Cards (debit and Credit) should have been cancelled and new cards should have been issued. All banks should've been immediatly notified. 3) Target should've been specific into how this security breach occurred. It's been nearly 3 months after the timeline they gave for the breach and it is only coming to light now that they had malware installed on their server. Along with being specific on how it occurred, their should've been specifcs on they fixed it. Just saying it's been taken care of doesn't instill confidence that the problem has actually been tcorrected. 4) Although we all should be checking credit reports yearly, placing the onus back on us to make sure we aren't the victim of fraud when it was their fault that our information was stolen in the first place is not a good way to do business. You are essentially saying that if our information is used then it was our fault for not being deligent enough to stop it. No one has pointed out that all of the information that was stolen has been carved up and is currently being sold on black markets based on regional information. So if you live in S. Ca your information that was stolen is going to be sold to someone in S. Ca, this way if they use the stolen numbers it doesn't raise flags immediately because this is the area that you do your shopping in anyway. The other issue is that it could take months or even years to go through the millions of numbers that were stolen, so yes it is good that Target is giving you a free year, but it could be a year and half or 2 years before a theif might come across your number to use it if it is still available. Bottomline, Target was not proactive in reporting, containing, and solving the problem. It is the handling of the breach that has caused me to forgoe shopping with them, not the breach itself.
JBonfield
50%
50%
JBonfield,
User Rank: Apprentice
1/23/2014 | 1:30:45 PM
Re: Credit monitoring
Regarding Target educating anyone- They first need to get their own house in order and be able to really make their customers, partners, employees feel secure spending their money in the stores.

As of right now, I refuse to go to Target as I do not know how it happened to begin with, and whether or not they have fixed their security system enough to keep it from happening again.

I think security teams and companies who have fixed issues like this, and the hackers that have been caught need to be out there educating the businesses on what might happen, what could happen, and how to keep it from ruining their business.
JBonfield
50%
50%
JBonfield,
User Rank: Apprentice
1/23/2014 | 1:25:11 PM
Target Info Breach- Target not helping anyone but themselves
Our accounts are affected, our lives turned upside down for various amounts of time (week, month, months, year) depending on the situation. For me, it was two weeks of being inconvenienced, and now another two weeks of my bills being held up and held back, and eventually an onslaught of bil payments ripping through my account. I get to live on peanuts for the next week, which would not have been the case had my account not been compromised.

What do we get for the lack of security on behalf of Target? We get a free year of credit monitoring. What does this include? NOTHING other than being able to see what is already happened, and how it affects your credit.

In order to get credit reports along with the monitoring or any kind of real service out of the deal, you have to submit a credit card and pay!

Isnt that what got us in this mess in the first place?

I personally agree with some of the states that are filing class-action suits against Target on this issue. I am praying that my own state does as well, or there is some way for me to be included in any of the other ones.

I have sworn off Target for the time being. I do not forsee my shopping there anytime soon. I have plenty of other stores to go to where my information was not breached.

Thanks Target!

Jonie Bonfield, Madison, WI
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/23/2014 | 12:18:50 PM
Re: Credit monitoring
Well based on what Brian Krebs reported last fall -- that  an identity theft service that sold SS and drivers license numbers purchased much of its data from Experian -- I wouldn't be too eager to share that information. 
Drew Conry-Murray
100%
0%
Drew Conry-Murray,
User Rank: Ninja
1/23/2014 | 10:03:50 AM
Re: Credit monitoring
I shopped at Target during the period of the breach, and my bank issued me a new card. I was thinking of taking up Target on its offer of the free credit monitoring, but I was just looking at the site and saw that I need to give Experian (the company that will monitor my credit) with my social security number. That bothers me, because I don't really trust Experian to keep my information safe.

Just curious to get some opinions on whether the credit monitoring is worth it in exchange for my SS#.
RobPreston
50%
50%
RobPreston,
User Rank: Apprentice
1/23/2014 | 9:42:04 AM
Re: Credit monitoring
Security education is all well and good -- to argue against it is like arguing against teaching kids math and science. But it misses the point here. Target needs to take full responsibility for the breach and ensure that it will never happen again -- through better technology, practices...and customer, partner, and employee education. Spare us the PR campaign. 
BobH088
50%
50%
BobH088,
User Rank: Apprentice
1/23/2014 | 9:29:11 AM
data loss solution
One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags let someone who finds your lost stuff contact you directly without exposing your private information.  I use them on almost everything I take when I travel after one of the tags was responsible for getting my lost laptop returned to me in Rome one time. You can get them at mystufflostandfound.com
Marilyn Cohodas
0%
100%
Marilyn Cohodas,
User Rank: Strategist
1/23/2014 | 8:45:41 AM
Re: Credit monitoring
There is nothing wrong with Target educating users about best security security practices. But how about Target educating retailers about the lessons they learned about how they got hacked in the first place. That would require a level of transparency that is rare in the industry.
Mathew
100%
0%
Mathew,
User Rank: Apprentice
1/23/2014 | 5:31:12 AM
Re: Credit monitoring
Agreed. Even better would be allowing data breach victims to bill the offending party -- at a suitably high hourly rate -- for the time that they (or better, a designated third party) have to spend cleaning up the mess. 

ID theft monitoring is watching for criminals putting your stolen card details to use. Had the breached business properly safeguarded that information, customers wouldn't be stuck with having to watch for fraud -- through no fault of their own.

And it's a reminder to never, ever use a debit card except in an ATM, if you can help it.
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Apprentice
1/22/2014 | 7:53:14 PM
Ideas?
Readers -- what would you have rather seen Target do?
<<   <   Page 2 / 3   >   >>
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3304
Published: 2014-10-30
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.

CVE-2013-7409
Published: 2014-10-30
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.

CVE-2014-3446
Published: 2014-10-30
SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter.

CVE-2014-3584
Published: 2014-10-30
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

CVE-2014-3623
Published: 2014-10-30
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vect...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.