Major US retailer Target has started its fight-back from the disastrous loss of tens of millions of customer credit card and other records just before Christmas – only to run into criticism from a leading UK cyber security expert over its response.
Target this week launched a press relations blitz, promising to adopt more secure technology, apologising for the attack in full-page adverts in newspapers across the US, and donating $5 million (approximately £3.04 million) to a campaign to educate the public on the dangers of online scams.
But Dr Guy Bunker, senior VP of products at UK cyber protection firm Clearswift, said in a statement to SCMagazineUK.com: “$5 million is a start – but they need to work out what it is they are trying to educate people on. This wasn't consumers getting it wrong, it was them!”
Bunker added: “So consumers will need to be educated on how to spot fraudulent use of their credit cards. Of course it could be wider than this, how to spot phishing and other cyber attacks – both at home and when at work.”
As reported by SCMagazineUK.com, Target is reeling from one of the biggest credit card losses ever reported. In December it admitted data from about 40 million customer credit and debit cards could have been stolen from its stores between 27 November and 15 December. Last week, it conceded more personal data – including the names, email addresses, mailing addresses and phone numbers – of 70 million more individuals had also likely been hacked. The theft came through malware installed on Target's point-of-sale registers.
In response, Target chairman and CEO Gregg Steinhafel said in a TV interview earlier this week that the company wants to adopt more secure technology, by leading the US retail industry's move to chip and pin payment card technology.
But Dr Bunker advised that Target needs to take much wider action to secure its customer data.
“They need to put in place three rings of protection: one, prevent the infection in the first place (using anti-virus and white-listing); two, detect the infection when it's there (through network packet analysis); and three, prevent the information leaving the organisation (deep content inspection and data loss prevention),” said Bunker.
“For number three, they should also be considering advanced technologies, such as adaptive redaction, to ensure that even in ‘everyday’ business, where you don't want business to be interrupted, no critical information is transferred outside the organisation.”
Bunker said Target should also be looking at “regular network and application security penetration testing, to check there are no – or fewer – holes in their security, and that none are inadvertently opened up in the future”.
Steinhafel apologised to Target customers in an open letter published in US newspapers this week. He said: “Our top priority is taking care of you and helping you feel confident about shopping at Target, and it is our responsibility to protect your information when you shop with us. We didn't live up to that responsibility, and I am truly sorry.”
Steinhafel added that Target has “closed the access point that the criminals used and removed the malware they left behind” and “hired a team of data security experts to investigate how this happened”.
He confirmed Target customers will have “zero liability” for any fraudulent charges arising from the breach and that the company is offering one year's credit monitoring and ID protection for all customers.
Target's $5 million donation is going to a US cyber security education campaign run by the National Cyber-Forensics and Training Alliance (NCFTA), National Cyber Security Alliance (NCSA) and Better Business Bureau.