Attacks/Breaches
1/22/2014
02:45 PM
Ira Winkler
Ira Winkler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Target Mocks, Not Helps, Its Data Breach Victims

The only thing consumers did wrong is to shop at Target. Why are they being blamed for the retailer's security failings?

At face value, Target's $5 million contribution to organizations that educate consumers on computer safety makes sense. There was a computer compromise -- one that compromised weak computer security -- so Target should look to strengthen it. Unfortunately, the error pointed out a weakness in Target's security efforts, not those of its customers. The only thing that consumers did wrong is shop at Target.

If Target wanted to help its victims, it would have contributed $5 million to resources that help victims of the crimes that resulted from Target's own security failures. For example, the funds would be much more effective in the hands of the Identity Theft Resource Center, a nonprofit that provides counseling to victims of identity theft, which Target's customers have become.

Instead, Target mocks and marginalizes its victims by sending a message that everyone -- consumers and retailers -- has equal responsibility when it comes to data breaches. To a limited extent, that is true, but the donation is a blatant attempt by Target to repair its image without taking responsibility for its security failings.

Worse, the action implies that, if customers (the victims of the identity theft) had only engaged in better security practices, they would not have been attacked in the first place. If Target were truly interested in repairing its image, it would reframe the discussion and take responsibility for the fact that its own internal weaknesses compromised user data.

More class, less action
Some make the case that it's not wrong for Target to make a large donation to some very good organizations, but the truth is that Target knows that it will likely have to donate money to some nonprofit as part of a class action settlement when the dust settles. If it pays that money now, while it is in the middle of a public relations nightmare, there's really no down side.

The reality of class actions is that consumers rarely benefit from them. Yes, it sounds good that Target will ultimately pay tens of millions of dollars in settlement fees. But what I've discovered, after researching many such lawsuits, is that most consumers walk away with nothing tangible. Let's assume, for example, that Target agrees to pay $30 million for consumers to obtain a year of free credit monitoring. Many people already have this service, and few take advantage of it. So Target will likely end up paying less than $5 million of that sum.

Target will also probably give some discount coupons or credit vouchers that let customers believe they will receive $50 million in payouts. These payouts will require consumers to go through extensive measures to prove they suffered a loss. Then they will be required to go into and spend more money at Target. Assuming consumers actually take advantage of the payouts, that spending could represent a net gain for Target. Then there is the $5 million donation, which is a drop in Target's marketing budget. Of course, the big money -- $10-$20 million or so -- will probably go to the attorneys supposedly representing the class in the action

Well-meaning but irrelevant nonprofits help Target mock its victims while attorneys get rich filing paperwork. Target needs to stop implying that its victims are to blame. It needs to start providing real help that repairs the real damage it caused through its failure to provide adequate security for its customers' data.

Ira Winkler is co-founder and president of Secure Mentem Inc. and president of the Internet Security Advisors Group. Described as a modern day James Bond, he began his career at the National Security Agency and is recognized as an expert in Internet security and cybercrime.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 3 / 3
dak3
50%
50%
dak3,
User Rank: Apprentice
1/22/2014 | 5:16:25 PM
Re: Credit monitoring
In fact, Target has already offered all of its customers a year of free credit monitoring. And I, for one, applaud their action in attempting to help educate the vast number of consumers who have no clue about security - how can that be a bad thing?
Thomas Claburn
100%
0%
Thomas Claburn,
User Rank: Moderator
1/22/2014 | 4:46:28 PM
Credit monitoring
The whole notion of credit monitoring as a service is offensive because it shifts responsibility for data integrity from the data gather to the consumer. If you're going to compile data, you should be obligated to maintain it and represent it accurately.
<<   <   Page 3 / 3
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.