In December 2013, Target suffered a cyber-attack that resulted in a data breach. Target is a widely known retailer that has millions of consumers flocking to its stores every day to partake in the store's wonders. The Target data breach is now known as the largest data breach/attack, surpassing the TJX data breach in 2007. "The second-biggest attack struck TJX Companies, the parent company of TJMaxx and Marshall's, which said in 2007 that about 45 million credit cards and debit cards had been compromised." (Timberg, Yang, & Tsukayama, 2013) The data breach that occurred at Target was a strong, swift kick to the gut, not only for the retailer/corporation but also for its employees and consumers. The December ...
Investigators who examined the malware quickly noticed that it was designed to move data stolen from Target's (then malware-infected) cash registers to a central collection point on Target's network, a Windows domain called "\TTCOPSCLI3ACS\".
Regulatory and Industry Standards
Target, as a whole, is a huge corporation/business. As a business, in order to stay open and run functionally, Target has to abide by regulatory and/or industry standards. The two regulatory and industry standards that are required for any financial institution, retailer, and/or business are the Payment Card Industry Data Security Standard (PCI DSS) and the Gramm-Leach-Bliley Act (GLBA). PCI DSS is a global industry standard, while GLBA is a government regulatory standard. Target has to abide by both PCI DSS and GLBA.
According to Kim & Solomon (2014), PCI DSS affects any organization that processes or stores credit card information. The PCI DSS is a comprehensive security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. GLBA requires that financial institutions provide their clients a privacy notice that explains what information the company gathers about the client, where the information is shared, and how the company protects that information. Companies must provide clients with this privacy notice prior to entering into an agreement to do business. (p. 272)
Security Information Technology Issues
Within the Target data breach of December 2013, there were several security information technology issues. A few of the issues were a lack of security awareness and training, connections with outside businesses used to maintain the system, and the point-of-sale (POS) systems themselves.
With any business, it is imperative that anyone who works in the security sector (in any form: security guard, security analyst, help desk, networking, information technology, etc.) receives security awareness and training that all must attend and adhere to. With Target, it became apparent that there was a lack of security awareness and training when it came to acting on the data breach/threat. There was mention of some form of activity on the Target systems prior to December 15. There are reports that state that security analysts within the corporation saw that something was going on prior to December 15. However, the security analysts did not act upon the activity to research, prevent, or secure the systems. The breach's activity spread over the following days until the notification came that there was a security breach within the corporation. This could have been prevented if Target had had some form of security awareness training.
According to Riley, Elgin, Lawrence, & Matlack (2014), Target found FireEye’s alerts from Nov. 30 and more from Dec. 2, when hackers installed yet another version of the malware. Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn’t begun...