Following its recent epic breach, Target has announced that it’s putting its technology through the wringer.
Its CIO, Beth Jacob, has already gone down the drain.
The beleaguered US retailer announced on Wednesday that it’s going to overhaul its information security practices.
At the same time, Target announced that Jacob has resigned – the first high-level executive to leave following a breach over the Christmas holiday shopping season.
That breach led to the theft of some 40 million credit and debit card records, along with another 70 million customer records.
That’s somewhere between 70 million and 110 million records in total, depending on how far the two data sets overlap. Naked Security took no pleasure in doing it, but given the likely size of the breach, we ushered Target into the "100 million plus" club, along with Adobe and Sony.
Target told Reuters in an email on Wednesday that it plans to replace Jacob with an external hire.
In January, Target admitted that there was malware on its point-of-sale (PoS) registers – what Naked Security’s Paul Ducklin has surmised is a specialized botnet, designed to hook Target’s PoS registers together into a network of data-stealing Trojans under criminal control.
Jacob had her hands on the reins during a time when, it turns out, a thorough security review had been advised by at least one analyst just months before the breach, prior to Target’s planned upgrade of its payment system.
We don’t know if the review actually happened, or whether it was lost in the cacophony of warnings security teams and government agencies constantly put forth.
But the buck, apparently, stopped at Jacob’s desk.
Jacob has already been wiped from Target’s leadership roster, but a cached corporate bio says that she was first hired in 1984 as an assistant buyer.
She went on to become director of Target’s guest contact centers and was promoted to vice president in 2006. In 2008, she was promoted to the position she held when the massive breach went down: executive vice president of Target Technology Services and CIO.
Target Chief Executive Gregg Steinhafel reportedly said that the retailer plans to elevate the role to chief information security officer as part of its plan to tighten security. It’s also creating a new position: chief compliance officer.
Steinhafel said that the security consultant Promontory Financial Group will be advising Target as it evaluates how it’s doing things.
From his statement, as quoted by the Los Angeles Times:
While we are still in the process of an ongoing investigation, we recognize that the information security environment is evolving rapidly.
To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information security and compliance structure and practices at Target.
Maybe they should hire somebody with an IT security background this time, instead of promoting a sales manager. Just a thought.
People at her level, in a company the size of Target, are mostly business (money) and people oriented and do not know about the departments that they oversee. They rely on the directors and managers of the departments below them to tell them what they need and then the CIO decides if there is money for it.
Without knowing the whole story (had she turned down security measures due to budget issues, IT security training, was she even told about the poor security, etc) I would fire the director who should have known how relaxed their security was.
Unfortunately, in today’s world, someone has to lose their head over a breach this size.
Why do companies keep putting people in these positions who know nothing of IT or have no IT background!
I don’t agree! Even if they are managing directors, it is the CIO’s job to know what is important, and without knowing anything about IT you are not going to know how to manage and give direction to the directors and managers! She should not have been in that position!
Maybe the person who hired her to be CIO should also be fired because that bio doesn’t say anything about a technology background.
I was thinking the same thing. But, being in the IT field for so long, I’ve seen people who know nothing about IT or technology being hired all the time; then they hired me to fix the problem they created, got on my case for taking a while to fix it, and with a lower salary, of course.
Most IT leaders are under-experienced. That is what a massive lack of best practices does. It creates an industry and leaders who have no idea what best practice is, or the courage to do it.
“A cached corporate bio says that she was first hired in 1984 as an assistant buyer. She went on to become director of Target’s guest contact centers and promoted to vice president in 2006. In 2008, she was promoted to the position she held when the massive breach went down.”
Did she go back to college some time during 1984–2008 to be qualified to become Target’s CIO? That’s a huge leap from working in the buying department of a company to becoming the Chief Information Officer. I hope the media checks her background to see if she was qualified for the position, or whether it was just a way of rewarding a loyal long-term employee with a title and a larger salary. Sadly, this happens too often in large corporations.
2014 DISCLAIMER: In no way did I make this comment because of her sex. I would have made the exact same comment if it was a man.
As a former executive in the Corporate IT field I can say with certainty that IF her background is as stated, she was in NO way qualified to handle the sophistication of securing of an IT network against malware or other types of security attacks.
Looks like she shouldn’t have been the CIO. She didn’t have the background at all […] Here’s an example [from Minneapolis/St. Paul Business Journal]:
“What’s a misconception people have about CIOs?
A lot of people think the most important skill set of a CIO is that of a techie. While you absolutely have to have highly skilled technology talent on your team, as CIO you’re in a role that demands great business breadth, because you’ve got to understand strategies from across the entire business and know how to act upon them.”
It probably would not have mattered. Most commercial experienced CIO/CTOs are not qualified either. Your best practice performance is usually very poor.
While it would not hurt for the CIO to have a strong tech background, the reality of large companies is that they are not hands on and just (try to) manage the technical experts. Finger pointing is easy and frankly I am disappointed to hear she resigned rather than hearing details about what really happened.
The really pathetic thing to me is that the POS got infected, yet they talk about moving to smart cards. Won’t their systems retain user data even when smart cards are used? What if they get hacked again? Forgive my not being up to speed on how smart cards would help in post terminal exploits.
I do applaud Target offering free credit monitoring to “everyone” and not worrying about some people who are not customers taking advantage. Putting the customer first is the right thing to have done.
Smart cards could, or could not help with one part of the security breach. I say this as someone who worked in the Smart Card industry for 10 years. The “chip and PIN” credit cards that most of the world outside the US uses now work by encoding the private information on the card against a public key belonging to the credit company. As Target is not likely to force Mastercard and Visa to roll out such cards in the US, they are likely talking about moving their loyalty card system to “smart cards”.
Smart Cards are not created equal; some cards are basic memory cards that just store data on the chip. However, they do mention that they’re using processor cards, which means that the chip itself will have both memory and a CPU — which is much more secure if implemented correctly.
The security that these cards would add is that instead of the track 2 data being read unencrypted off of the card into the POS machine, the chip card would send already encrypted data to the POS machine — preventing it from being RAM scraped. The processor cards are able to do some of the cryptographic lifting themselves, meaning that they even protect against “hash matching”, as the encrypted stream can be different each time the POS machine reads it, but the server DB can still verify the personal information stored on the card.
However, all this solution does is protect this data as presented to the terminal for loyalty cards that are using a chip. For all cards currently deployed with magnetic stripes, to do this correctly, they’re going to have to refuse to honor those cards and instead trade them for chip cards. For anyone paying by credit or debit, if they’re using a mag card, Target will still have to honour the card, and it will still dump the private info into the POS terminal. Not only that, but chip cards conforming to the EMV standard “fall back” to track 2 verification if reading the chip fails for some reason — meaning that if a crook can somehow force the terminal to fail to read chips, the data will once again be sent in the clear.
And as you point out, either way, the database on the back end will still hold the same customer information. There are ways to set up a DB so that this information is not easily accessible, but they haven’t really mentioned what they’re planning to do to secure their back office. Hopefully, they’ll make this information available as well so we can have confidence that the system — end to end — is safe.
If done correctly, this could actually be really good publicity for Target; if they take the time to secure things correctly and publicize what they’ve done, they could become a poster child for responsible merchant information management, and gain a larger market of people who feel that due to transparency, they are now one of the most trustworthy places to share your personal info.
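As an added illustration of the point Andrew makes above (this is an editor’s example, not Andrew’s code and not anything Target or Sophos published): the Python below scans a constructed PoS memory buffer for track 2 data the way a RAM scraper does, then contrasts that with a deliberately simplified, HMAC-based model of a chip-card cryptogram in which a value captured from RAM cannot be replayed. The card key, the sample memory contents, the 8-byte MAC and the way the transaction counter (ATC) and terminal unpredictable number are handled are assumptions of the model, not the EMV specification, which derives per-transaction session keys and uses a different MAC construction.

```python
import hashlib
import hmac
import re
import struct

# Track 2 layout as written on a magnetic stripe: ";PAN=YYMM SSS discretionary?"
# (PAN 13-19 digits, expiry YYMM, 3-digit service code). A RAM scraper needs
# nothing smarter than this regex plus a Luhn filter to cut false positives.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, used to separate real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape_track2(memory: bytes) -> list:
    """Scan a process-memory image for track 2 records, the way PoS RAM scrapers do."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({
                "pan": pan,
                "expiry": m.group(2).decode(),  # YYMM
                "service_code": m.group(3).decode(),
            })
    return hits


# Constructed sample of a PoS process's memory, not a real dump: one magstripe swipe
# (raw track 2 in the clear), one Luhn-invalid decoy, and the trace a chip
# transaction leaves behind (counter plus a one-time cryptogram, no usable track 2).
SAMPLE_MEMORY = (
    b"\x00\x00POS_TXN_BUF\x00"
    b";4111111111111111=25121011234567890?\x00\x00"  # test PAN, Luhn-valid
    b"junk;4111111111111112=25121011234567890?\x00"  # Luhn-invalid decoy
    b"chip: atc=0008 un=01020304 arqc=2d711642b726b044\x00"
)


# --- Simplified model of a chip-card transaction cryptogram (not real EMV) ---
def card_cryptogram(card_key: bytes, atc: int, unpredictable: bytes, amount_cents: int) -> bytes:
    """What the chip computes: a MAC over transaction data, keyed with a secret never sent to the terminal."""
    msg = struct.pack(">HI", atc, amount_cents) + unpredictable
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Host-side check: recompute the cryptogram and reject stale or reused ATCs."""

    def __init__(self, card_key: bytes) -> None:
        self.card_key = card_key
        self.last_atc = 0

    def verify(self, atc: int, unpredictable: bytes, amount_cents: int, cryptogram: bytes) -> bool:
        if atc <= self.last_atc:
            return False  # replayed or out-of-order transaction counter
        expected = card_cryptogram(self.card_key, atc, unpredictable, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self.last_atc = atc
        return True


def replay_demo() -> tuple:
    """Returns (first txn accepted, replay rejected, next txn accepted, cryptograms differ)."""
    card_key = hashlib.sha256(b"constructed-card-key-for-demo").digest()  # constructed, shared card/issuer
    issuer = Issuer(card_key)
    un1, un2 = b"\xde\xad\xbe\xef", b"\x01\x02\x03\x04"  # terminal-chosen unpredictable numbers
    c1 = card_cryptogram(card_key, 7, un1, 4999)
    first = issuer.verify(7, un1, 4999, c1)
    replayed = issuer.verify(7, un1, 4999, c1)  # scraped from RAM and resent: refused
    c2 = card_cryptogram(card_key, 8, un2, 4999)
    second = issuer.verify(8, un2, 4999, c2)
    return first, not replayed, second, c1 != c2


if __name__ == "__main__":
    print("track 2 recovered from memory:", scrape_track2(SAMPLE_MEMORY))
    print("(accepted, replay rejected, next accepted, differ):", replay_demo())
```

Run over the constructed buffer, the scraper recovers the full PAN, expiry and service code from the magstripe record (the Luhn filter drops the decoy), while the chip transaction leaves only a counter and a cryptogram that the issuer refuses on replay. Note that the sample track 2 carries service code 101; a real chip card’s track 2 starts its service code with 2 or 6 to tell the terminal an IC is present, which is what makes the magstripe fallback Andrew describes a terminal policy decision rather than something the card can prevent.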
Small bit of self-publicity if people don’t mind – the problem, mentioned above by Andrew, of old-style POS systems having “end-to-end encryption” that doesn’t start until after the card data hits the cash register (which is really somewhere in the middle!) gets a short airing in our RSA Conference Special podcast (only 8′ long):
http://nakedsecurity.sophos.com/sscc-136-5-rsa-2014-conference-special
Well, good thing for Target they got breached and it became public, so weaknesses like this could be exposed. Too few companies “put their technology through the wringer” or “overhaul [their] information security practices,” without some spurring incident that suddenly makes everyone religious about it (at least for a while).
Beth reminds me of Jen, from the IT Crowd. Jen was the “manager” of the IT department, but didn’t know jack about IT, or even what IT stands for. But at least she knew how to send and receive emails and browse the internet.
Have you tried turning it off and on again?
I bet some of their competitors are just as bad or worse.
How about outsourcing some more security & IT jobs
Hopefully the folks in the C suites now understand that you can’t outsource security.
Companies are outsourcing themselves out of business. But hey, at least the stock went up for a few quarters.
Even though Beth ‘resigned’, I believe that the Chief Exec (as captain of the good ship Target) is ultimately responsible for the business’ failings and should be sacked by the board.
The root cause of your breach is not your CIO specifically. It is the massive lack of best practice used in commercial IT as a whole. If you don’t realize this you will just hire another CIO with the same lack of experience and courage. In this area, go ask IT to provide the following (and make sure you give them less than 15 minutes so they can’t make it up). Show me metrics on backups and images for all major systems. Show me how I KNOW our DR plan works. When did we practice it? Show me data on system performance, and not just CPU and memory times when the web is banged by LoadRunner. Look for database data for reads and writes, and look for workflow times to see if that has been degrading over time. Also ask them how closely the test environments mirror prod. Usually it isn’t close, so performance testing is not only invalid but gives a false sense of security. Put $ into creating simulators so those environments mirror prod. Lastly, ask them to show you the EVM data on every project.
If they cannot do all of those things, if they try to tell you those things are not value added, don’t apply to them etc – fire them. Now go find someone who knows they should be done, knows how to do them and has the courage to make them and many other things probably not being done happen.
Go dig into these areas at the major banks, insurance, healthcare and other companies and see what you find out. Most will be a mess. Target is only the tip of the due diligence iceberg.
(Those other areas being lack of project management and software development best practices)
Wow. It would take you 15 minutes just to put all those questions to your CIO, let alone for him/her to come up with the sort of detailed answers you seem to expect. I’m also not convinced, even if you could find a CxO who would be able to answer all your questions in a way you would accept, that you would necessarily learn very much about their attitude to security.
In other words, even if they survived getting fired as a side-effect of your inquisition…you still might not have an organisation that cares about security as a whole.
It sounds a bit like arguing that someone who can’t lap the Nürburgring in under 8′ would make a poor instructor for suburban road safety.
I left security off because I do not have a deep background in it. What I do know though is patterns matter. It is rare for best practice to be isolated to only one area. Having said that do they have their systems tested for each type of infiltration? From outside and within? Are roles/access updated routinely?
As for my questions, they are on point and deserve zero leniency. They are literally run-of-the-mill practices in DoD and some other best-practicing companies. The practices are easy and low cost, and artifacts can be retrieved in minutes.
Your stating it is an “inquisition” is a symptom of the problem. That implies I am being too hard on them, raising the bar to an unfair level. Not at all. What I am raising is poor or mediocre practice at best to good or best practice. If you had actual experience in these you would know how ridiculous it is to complain that they are excessive.
You are making my point for me and would in no way be qualified for the role.
Target gets what they deserve. “The apple doesn’t fall far from the tree.” I bet a lot of managers and higher-ups in that company also have no experience in their positions. I never really liked the store anyhow; now my intuitive thoughts are validated.