A lot has been written and spoken by general media regarding the massive credit card data breach that occurred within retailer Target’s IT systems. Many have labeled this incident as one of the largest retail data breaches in history as personal information concerning upwards of 40 million shoppers was breached by hackers. Would such a massive breach cause consumers real concerns in their online buying patterns?
We urge our Supply Chain Matters readership to take the time to read the published Bloomberg Businessweek artcle: Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It.
By our lens, the article is a superior example of journalism directed at seeking out what might have occurred, especially since this incident is one that many of the impacted parties are reluctant to publicly speak about. The authors spoke to more than 10 former Target employees and outline a set of events leading-up to the breach, and shortly after this breach. Upon reading the article, one can get the impression that incident appears to have been very preventable. It reports that while the data breach occurred around the November 30th timeframe, the data did not actually move out of Target’s network until two days later, instead being stored on an internal server. Once more, security systems alerted to a potential data breach.
Six months prior to the incident, Target installed a $1.6 million malware detection system from FireWire, along with engagement of a security systems monitoring firm out of Bangalore India. The technology reportedly performed the way it was designed to perform, alerting Target’s IT and security staffers of a potential intrusion among the retailer’s systems. According to the authors, nothing happened. The article states: “Target has said that is was only after the U.S. Department of Justice notified the retailer about the breach in mid-December that company investigators went back to figure out what happened.” Once more the article concludes: “Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn’t begun transmitting the stolen credit card data out of Target’s network.”
Obviously, what actually occurred and why mitigation and response efforts were not initiated after technology alerted to the breach, is a matter that Target and its internal investigation will no doubt uncover. Earlier this month, Target’s Chief Information Officer voluntarily resigned allegedly as a result of this incident.
We wanted to call reader attention to the events outlined in the BusinessWeek article because they are events that retail and manufacturing supply chain operational teams can well relate to. During critical periods of customer fulfillment such as the holiday buying surge when so much of a company’s revenue and profitability results are at-stake, management leaders are often reluctant to be receptive to bad news, especially when such news implies communicating that mission critical systems may need to be temporarily brought to an offline condition to deal with a major problem. Supply chain and B2B/B2C focused IT teams know darn well the adage “if it ain’t broke, don’t’t fix-it” often applies, especially when it implies shutting down customer fulfillment to fix a problem. According to the BusinessWeek article, Target had information security staff numbering 300 people, and that the breach could have been stopped without any human intervention. According to the report, Target staffers had elected to turn-off auto deletion of malware in favor of a human decision. That could be understandable if there were processes in-place to quickly assess, upwardly communicate and deal with such a threat and make the appropriate management decisions for how to both deal with an information security threat while continuing to maintain customer fulfillment. Target’s internal investigation should hone in to this very area,
Reports indicate that Target has already incurred upwards of $60 million in expenses directly related to the retailers response to the credit card information breach. The retailer if now reported to be considering an investment of upwards of $100 million in new point-of-sale and other technology, perhaps RFID enabled, to manage the security of customer credit cards. That is an incredible amount of money coming from an incident that reportedly could well have been avoidable.
There are many lessons to be garnered from the incident at Target, lessons that will reverberate further in the weeks and months to come. We urge supply chain and B2B fulfillment teams to harvest the lessons of the Target incident, especially in the context of management response systems.