Target's data breach settlement sets a low bar for industry security standards

The terms spelled out in the settlement might encourage some to improve data security efforts, but they do nothing to improve response.


Target’s multistate settlement over its 2013 data breach outlines the kind of security measures enterprises should have in place in order not to be found negligent with customer data. The problem is that the settlement doesn’t go far enough to improve organizational security. For the proactive CSO, the settlement should indicate the bare minimum, not what they should aspire to.

Tom Kellermann, CEO of Strategic Cyber Ventures and the former CSO of Trend Micro, called the terms a “slap on the wrist” for Target and said they were insufficient because they focused on keeping attackers out rather than on improving response. Modern security needs to focus on reducing the time between a compromise and its detection, and on making it harder for attackers to carry out their operations once inside. While network segmentation and two-factor authentication will slow attackers down, the bulk of the terms are still defensive in nature.

“They [settlement terms] represent yesterday's security paradigm,” Kellermann said.

To briefly recap, criminals stole credentials from a third-party HVAC vendor, used them to gain access to Target’s network, and then infected payment systems with data-stealing malware just before the start of the 2013 holiday shopping season. The malware skimmed credit and debit card information belonging to about 40 million consumers, along with personally identifiable information (PII) for 70 million people. Target’s security systems had detected the intrusion, but no one understood the significance of the alerts or acted upon them, resulting in the massive data breach.

[Related: Ira Winkler: 6 failures that led to Target hack]

To its credit, Target has since toughened its security posture and made significant improvements, and many in the industry cite the retailer as a good example of how to recover from a data breach. The settlement gives Target 180 days to “develop, implement, and maintain a comprehensive information security program,” but most of the terms refer to changes the retailer has already adopted.

"[The] settlement with Target establishes industry standards for companies that process payment cards and maintain secure information about their customers," Illinois Attorney General Lisa Madigan said in a statement.

The reference to industry standards suggests that future breach-related lawsuits may use the Target settlement to argue that an organization did not go far enough in protecting personal information and other sensitive data. The settlement reiterates some of the basics, such as having a comprehensive security program, segmenting the network, and implementing stricter access control policies for sensitive networks and data.
