Let’s talk about the real victim here

I’m willing to give everyone the benefit of the doubt. I get the whole thing about being on the radio or television or whatever, and trying to be controversial. It makes for good radio, television, etc. But sometimes it really goes a bit too far.

I was in Denver this week driving down the highway and I had NPR on the radio listening to “On Point” with Tom Ashbrook. They were talking about the Target data breach and his guests were Brian Krebs, who broke the Target breach story, Avivah Litan from Gartner, and David Lazarus of the LA Times (you can hear the story here). For those driving down the highway near me it must have been quite a site: this guy in a New England Patriots hat (go ahead – take your shots) with his head spinning around and steam coming out of his ears. Let’s just say that several of the guests and the host were making it clear that Target was a horrible corporate giant who doesn’t care about its customers.

Krebs did a great job breaking this story and has tried to represent the challenge that cybercrime poses to businesses. But the rest of that crew spent 45 minutes taking shots at Target and other businesses that “allow” data breaches to occur. This coverage was by no means the outlier. Almost all the consumer-focused media coverage I have heard has been very negative towards Target and business’ efforts to mitigate the risk of cybercrime.

Could the retail industry (and other industries for that matter) do a better job defending against data breaches? Sure. But let’s try and be realistic here. As I gather with friends in the security business and mull over what we are seeing, many of us are shaking our heads and thinking, if not actually saying, “if Target – a company that really got security – can get hit like that, what’s that mean for the rest of us?” Target is one of those companies that gets security, and they have for as long as I’ve been familiar with them. The fact of the matter is that they were the victims here.

If you’ve seen the news coverage of The Knockout Game in which some degenerate kid walks up to a random person, tries to knock them out with one punch, and then runs off – the Target hack was the cyber version of The Knockout Game. Target knew they were – pardon the expression – a target. They took significant measures to protect themselves. Blaming them is analogous to blaming that person who was knocked out because they should have known they might be the victim of a random act of violence, despite the fact that they were walking in a nice neighborhood (instead of a bad one), they were walking in daylight (instead of at night), they were aware of their surroundings (instead of being buried in a cell phone conversation), etc. You get the point. You know you’re at risk so you “up” your game. Sometimes that just isn’t enough.

Some organizations are sucked into a false sense of security as they blindly follow compliance mandates that don’t really buy them any greater level of security against sophisticated cyber attacks. Was that the case here? Maybe, but after speaking with those familiar with the situation, I don’t believe it is.

The pundits like to blame Target, and other victims of cybercrime. I’ve heard endless discussions from so-called security or privacy experts about how insecure the U.S. card system is because the rest of the world has moved on to chip & PIN while we’re still swiping mag stripes. They pontificate about how businesses should disclose breaches as soon as they have been found, and then lambaste them for having to revise the scope of impact in the weeks that follow. I choke as I listen to legislators call for more regulation and sanctions against the horrible big businesses that allowed this to happen. Well, chip & PIN caught on in other parts of the world because their telecommunications infrastructures was not nearly as robust here in the U.S., where we can use that same infrastructure to do real-time authorizations allowing processors to apply fraud analytics to transactions. As for immediate disclosure, you’re never going to have complete visibility into the full extent of an attack in the first week (or month) – its analogous to coming home to find your house broken into and having an hour to produce a list of everything that was stolen or damaged. Good luck. As for the legislators, these are the same folks that exempted Healthcare.gov from meeting HIPAA requirements.

To steal a phrase, they are all swimming in a sea of hypocrisy.

I wish the average consumer would understand this, but their opinions are shaped by what they hear in the media. Their voices cry with outrage that the Targets of the world don’t care about them, otherwise how could they have let this happen? But at the end of the day they don’t really have much skin in the game. Their credit card liability is $50 max, and I have yet to see a bank make a customer assume that liability. If they were using a debit card, that’s a different story. Who gets hurt the most in all this is Target, the victim. The attackers will build new homes in the Ukraine and vacation on the Med. The lawyers (who wasted no time in filing several class-action lawsuits) will take their one-third and wait for the next breach. The legislators will file more bills aimed to put their boots more firmly on the throats of businesses that allow this to happen. And we’ll continue running, like hamsters on an exercise wheel, running and running but not getting anywhere.