Lessons Learned (or Not) From the Target Breach

My shopping list was eclectic: a birthday toy for my nephew, shampoo, dog food, and some holiday-themed hand towels.  I needed to make the most of my time and budget during this particularly hurried time of the year.  The most logical answer?  Yes, you guessed it.  Target.  As much as I wanted to resist patronizing the store that had become the pariah of the privacy world, I gave in.  The giant red bullseye beckoned me, promising to contain everything I needed (plus other items that I didn’t know I needed until I saw them on the endcaps), all in one convenient location.

Marie Simonelli is a Privacy Specialist at CO3 Systems, developers of collaboration software that brings people, process, and technology together to prepare, assess, manage, and mitigate security and privacy incidents.

As I perused the aisles, it occurred to me that I would be using my credit card at checkout.  Naturally, my thoughts led to the breach.  As a privacy professional, I shuddered to think about what it must’ve been like to be a part of their incident response team a year ago.  I also envisioned the many articles and blogs that I read at the beginning of 2014 that predicted what lessons we would learn from the Target disaster.

Many said the Target breach will give lawmakers the necessary push to finally pass a federal breach notification law and uniform minimum security requirements for businesses that hold personally identifiable information.  It didn’t.  Many said other retailers will learn from this.  They didn’t.  Many said the public won’t shop there anymore.  They still do.  Many said the Target breach would be the biggest corporate catastrophe we’d see from a security perspective.  At the moment, I think I’d have to give that title to Sony.

So what, if anything, did we learn from the Target breach?  I think the greatest lesson here is that incident response is something all organizations need to prepare for.  Make sure your team is ready by conducting fire drills and tabletop exercises, and know who is responsible for carrying out the various tasks associated with an incident.  In addition to the security and forensics aspect, plan for how the appropriate information will be communicated to customers and the general public.  We know that not all breaches are preventable, so how we respond to them is a key factor in how well we recover.

One final takeaway from the Target breach and perhaps the most meaningful from a personal perspective:  Bring enough cash.