Five years ago, in December 2013, Target announced one of the largest data breaches ever recorded, in which the credit card data and other private information of 70 million Target customers were compromised. This not only turned into a huge public scandal for the company, but ended with a myriad of lawsuits that forced Target to pay over $18 million in settlements. This article is part 2 in a series of posts on the lessons learned from this massive breach.
Consider Helm’s Deep, one of the most trusted strongholds in J.R.R. Tolkien’s Lord of the Rings books. In all its history the walls of Helm’s Deep had never been breached, leading many to see it as an indestructible fortress. During the great battle against Saruman’s army, however, the orcs exploited a key weakness in the wall: a drainage hole in which they were able to set explosives and send the wall crumbling.
As fantastical as Tolkien’s world is, this example illustrates well one of the biggest problems with Target’s security procedures, one that helped lead to the massive data breach. Simply put, you can spend a lot of money and resources protecting sensitive information, but your protection is only as strong as your weakest link.
According to one report on the breach, “although [Target] systems used encryption, the encryption was rendered useless because the data was accessed in memory where it was unencrypted. Although some level of segregation likely existed, vulnerable configuration and accounts allowed segregation strategies to be bypassed. Despite the fact that they purchased expensive monitoring software, staff was not sufficient, not well-trained or inadequate processes turned those systems into a liability rather than an asset when it was determined that Target was notified, but did nothing to stop the breach.”
What Target lacked, therefore, was a properly layered approach to security. Defense in depth is a cyber security strategy developed by the NSA that uses multiple levels of protections and controls to protect sensitive information. Encryption, for example, is a common tool used to render private information unreadable to anyone who obtains it without the proper access rights. The problem, however, is that this approach is often implemented improperly. Encryption is useless, for example, if the encryption key is not properly protected.
What the defense in depth strategy emphasizes, therefore, is not just the quantity of defensive measures but also their quality. A proper defensive strategy needs to focus both on creating layers of protection and on ensuring that compromising one layer does not grant access to the next.
For many small businesses, spending a large amount of money on data protection is not feasible, but the Target breach makes clear that simply throwing money at the problem will not necessarily protect your company. Companies should instead focus first on determining what their most sensitive data is, and take steps to segregate and protect that data. This involves, for example, restricting the access rights needed to handle such data, encrypting data at rest and in transit, employing multi-factor authentication, and placing their most sensitive data assets on a dedicated virtual LAN with additional security measures.
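The controls listed above (segment the sensitive data, restrict who may reach it, require a second factor) only deliver defense in depth if each one is enforced on its own, so that a credential stolen from one layer does not open the next. The following is an added example, not code from the original article or from Target, showing a fail-closed access gate in front of a hypothetical sensitive data store: it checks the source network segment, the caller's role, and a TOTP code (RFC 6238, implemented with the Python standard library) as three independent layers. The segment, roles, user names and seed are constructed for illustration; the seed is the RFC 4226/6238 test-vector secret so the codes can be checked against the published vectors.

```python
"""Added example (not from the original article): a fail-closed access gate
for a sensitive data store that enforces three independent layers, namely
network segment (VLAN), role-based access rights, and multi-factor
authentication (TOTP per RFC 6238, standard library only).
All segments, roles, users and seeds below are constructed for illustration."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Tuple

# Layer 1: only hosts on the (hypothetical) restricted VLAN may reach the store.
SENSITIVE_SEGMENTS = [ipaddress.ip_network("10.50.0.0/24")]  # constructed
# Layer 2: roles entitled to read the sensitive data set (constructed).
ALLOWED_ROLES = {"payments-analyst", "dba"}
# Layer 3: per-user TOTP seeds; this is the RFC 4226/6238 test-vector secret.
MFA_SEEDS = {"alice": b"12345678901234567890"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), SHA-1 variant."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238) for the given Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift;
    compare in constant time so timing does not reveal which digits matched."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


@dataclass
class AccessRequest:
    user: str
    role: str
    source_ip: str
    mfa_code: str
    at_time: int  # Unix seconds, passed explicitly so the gate is testable


def authorize(req: AccessRequest) -> Tuple[bool, str]:
    """Evaluate every layer in turn; the first failing layer denies the request
    and the reason is returned for logging. Each check stands alone, so passing
    one layer (e.g. a valid role) never substitutes for another (e.g. MFA)."""
    src = ipaddress.ip_address(req.source_ip)
    if not any(src in seg for seg in SENSITIVE_SEGMENTS):
        return False, f"deny: {req.user} from {src} is outside the restricted segment"
    if req.role not in ALLOWED_ROLES:
        return False, f"deny: role {req.role!r} is not entitled to sensitive data"
    seed = MFA_SEEDS.get(req.user)
    if seed is None or not verify_totp(seed, req.mfa_code, req.at_time):
        return False, f"deny: MFA failed for {req.user}"
    return True, f"allow: {req.user} ({req.role}) from {src} passed all layers"


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; a real gate would use int(time.time())
    code = totp(MFA_SEEDS["alice"], now)
    # Same valid credentials and code, but from outside the restricted segment:
    # the network layer denies before the other layers are even consulted.
    print(authorize(AccessRequest("alice", "dba", "10.50.0.17", code, now)))
    print(authorize(AccessRequest("alice", "dba", "192.168.7.9", code, now)))
```

The order of the checks is deliberate: the cheapest, least privileged check (source segment) runs first and a failure there is logged without ever touching the MFA seed store. Every denial carries a reason string, which is the signal the monitoring staff in the quoted report needed and did not act on: repeated denials from one user or one segment are worth an alert on their own.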
As the Target breach teaches us, those attempting to breach security walls will not necessarily use brute force, but may instead search relentlessly for a point of weakness within the system and put all their energy into exploiting that one point. Businesses must therefore be even more relentless in evaluating and strategically layering their security features.
1. Radichel, Teri. “Case Study: Critical Controls That Could Have Prevented Target Breach,” n.d., p. 8.