May 29, 2014
Yesterday, Institutional Shareholder Services (ISS), a third-party advisor to Target Corp. investors, recommended ousting Target’s Audit Committee because they failed to do appropriate risk management, resulting in a breach of customer data. According to Twin Cities Business Magazine, ISS stated that “… in light of the company’s significant exposure to customer credit card information and online retailing, these committees should have been aware of, and more closely monitoring, the possibility of theft of sensitive information, especially since it involves shoppers and the communities in which the company operates, as well as the overall impact on brand reputation and brand value.” This suggests a fundamental lack of understanding of both the nature of the breach and who should be held responsible for the outcome.
First, let's understand what really happened here: Target updated their point of sale (POS) systems before the holiday season. There was a known vulnerability in those POS systems that let credit card data travel between the POS system and the register before it was encrypted and sent off to the clearinghouse for approval. Target’s technology team was warned of the vulnerability and DECIDED that the risk was worth accepting – not the board, not the auditors; it was the people involved in the project who accepted the risk of losing 70 million records. When departments accept that level of risk, they in essence, end the conversation. The audit committee and board of directors would be none the wiser. When was the last time you notified your board about how you were disposing of hard drives?
Second, the attackers got to the POS system through a third party’s credentials that had access to system management server (SMS), which, in turn, had access to EVERYTHING, including the POS system. That SMS server had a default password attached to a user account with global administrative rights that wasn’t changed after install. Some would say that the internal auditors should have caught that. But the offending server wouldn’t be part of the scope of a risk-based audit. I will ask again, when was the last time you called a SMS server, which is basically a utility server, a critical application that has an impact on financial reporting or card holder data?
Third, there were notifications from the third party that managed Target’s security monitoring. Those alerts went unaddressed and the chance to mitigate the risk and change the outcome was lost in the lack of attention given by the Target IT department. One more time, when was the last time you let the internal auditors or board of directors know about a security alert that you got two weeks before your busiest day of the year?
If you want to blame the board and the audit committee, blame them for not doing appropriate risk management or due diligence when expanding into the Canadian market, resulting in a $2 billion loss. But you can’t, and shouldn’t, blame them for a breach that was clearly the fault of security and the technology management team. And let this be a lesson to other retailers – PCI compliance is not a vaccine against a breach, it's just an indicator that you are walking on or around the right path. It's just as important to have a strong risk management program deeply embedded inside your technology management department that takes away any vagaries, with appropriate escalation to executive management, right up to the Chief Risk Officer.
Finally, one more question: When will retailers understand that they are just as much a data and technology company as they are a supplier to consumers?
Soon, I hope.