Target Aims to Lock Doors to Future Security Breaches
For the last five months, retail giant Target has had its security practices under a microscope as it has struggled to recover from a devastating data breach at the end of 2013. Now Target has found itself a new CIO and is outlining significant new steps to reinforce its security to help prevent another data breach.
Target first disclosed on Dec. 19 that approximately 40 million customer accounts were compromised between Nov. 27 and Dec. 15. In January, Target revealed that the scope of the breach was even wider—affecting 70 million consumers.
One casualty from the data breach was Target's Chief Information Security Officer Beth Jacob, who resigned March 5. Target has now named a new CIO, Bob DeRodes, who is set to start on the job May 5. DeRodes has had a long career in IT and has been an adviser to the U.S. Department of Justice and the U.S. Department of Homeland Security.
"Establishing a clear path forward for Target following the data breach has been my top priority," Gregg Steinhafel, Target chairman, president and chief executive officer, said in a statement. "Bob's history of leading transformational change positions him well to lead our continued breach responses and guide our long-term digital strategy."
Chip and PIN
One of the primary areas of concern in the Target data breach has been the use of magnetic stripe credit cards, whose static track data can be copied and reused once it has been read by a compromised terminal. Chip-and-PIN credit cards, widely used outside the United States and designed to authenticate each transaction with a one-time cryptogram rather than static data, have been seen as one possible solution to help limit the risk of future breaches. Target is accelerating its own timeline for adoption of chip and PIN.
Starting in 2015, Target's REDcard branded credit and debit cards will include MasterCard's chip-and-PIN technology.
"As we aggressively move forward to bring enhanced technology to Target, we believe it is critical that we provide our REDcard guests with the most secure payment product available," John Mulligan, executive vice president and chief financial officer for Target, said in a statement. "This new initiative satisfies that goal."
The Retail Industry Leaders Association (RILA) is applauding Target's accelerated move to chip-and-PIN technology. "The security features associated with chip-and-PIN technology will reduce the risk of fraud in the United States as they have done around the world where this enhanced fraud-prevention technology has been in place for years," Sandy Kennedy, president of RILA, said in a statement.
Improved Security Policies
Overall, since the data breach occurred, Target has undertaken a number of steps to improve its security. Passwords were reset for 445,000 Target team members and the use of two-factor authentication was expanded.
One potential weakness in Target's infrastructure was system access by third-party contractors. A report in February alleged that the attackers in the data breach gained access through Target's heating, ventilation and air-conditioning (HVAC) vendor.
Target has now blocked that path to exploitation. Company officials noted in a press release that Target has decommissioned vendor access to the server impacted in the breach and disabled select vendor access points.
Target officials also noted that the company has added enhanced monitoring and logging capabilities, as well as permission-based whitelists for applications running on its point-of-sale (POS) systems.
All told, Target is taking multiple steps to prevent another breach from occurring. The practical reality, however, is that the Payment Card Industry Data Security Standard (PCI DSS) likely already has provisions in place for all of the areas that Target is now reinforcing.
PCI DSS, however, is just a compliance standard.
Bob Russo, general manager of the Payment Card Industry Security Standards Council (PCI SSC), said back in February that PCI DSS tells you that you need to put a lock on the door, but the people part of the equation means it's up to you to actually lock the door.
Let's hope that Target is now doing its part to make sure the door is actually locked.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.