The fallout from a data breach


By Dr. Guy Bunker @guybunker

This week we learned the news that Target’s CEO, Gregg Steinhafel, has departed after 35 years with the retailer, following the huge data breach that severely damaged Target’s reputation among customers and derailed its business: the company’s sales, profit and stock price have all suffered, and shares are down over 3% since the breach was disclosed. This follows on from the earlier news that Target’s Chief Information Officer, Beth Jacob, had also resigned because of the security breach.

Between late November and mid December 2013, Target was the subject of a data hack at its bricks-and-mortar stores in the US. As many as 40 million customers saw their credit and debit cards become subject to potential fraud after malware was introduced to the POS system in almost 1,800 stores.

In March 2014, Target said in its annual report that the breach had spawned dozens of legal actions and that it could not estimate how big the final financial tab would be, or how long it would take to settle. It also acknowledged separately that, while security software picked up on suspicious activity after the cyber-attack was launched, the company decided not to take immediate action because it believed the alerts did not warrant immediate follow-up. Hindsight is a wonderful thing.

In January 2014, Target made a ‘fight back’ announcement with the promise to adopt more secure technology and the donation of $5 million to a campaign to educate the public on the dangers of online scams. Commenting on the initiative in SC magazine, I advised that firstly, they had to be clear on what ‘education’ exactly they wanted to educate the public on – bearing in mind that they were the ones who made the (huge) mistake, while acknowledging that consumers would benefit from awareness on wider issues, such as how to spot phishing and other attacks, both at home and at work (education = empowerment…) and lastly that three rings of protection must be put in place to secure customer data and avoid further potential breaches.

The stepping down of Gregg Steinhafel, while coming as no surprise, shows the very real impact that a data breach can have on a business and its people, from a professional, reputational and ultimately financial perspective. It also confirms that a breach, of any kind, is no longer the sole responsibility of the IT department but is a boardroom issue. Imagine what would happen to your organization if the CEO and CIO left in a hurry. Critical information protection, and the management of it, should be a level one priority for businesses of all sizes, or they risk the inevitable consequences. As I’ve said before, it is not a case of ‘if’, but ‘when’ a breach will happen. And when it does, every possible step needs to be taken to ensure the least possible damage in its aftermath. Accepting that there will be a problem and putting a plan in place to deal with it should be par for the course. Disaster recovery and business continuity plans are all about how to deal with critical incidents, albeit usually physical ones. Cyber-attacks can, in some ways, be more harmful, and yet most organizations don’t plan for them. As with DR/BC, running a scenario to test the plan’s effectiveness is imperative; Operation Waking Shark II was just this, but on a bigger scale!

It is also imperative that businesses look at their internal security protection and information governance policies. As I commented recently to the BBC in March on the Morrisons breach in the UK, organizations have to be aware of internal security threats - there are more cyber security challenges from within than without – ‘The Enemy Within’.

Fines are on the way. Following numerous delays, the European Parliament has recently approved a draft data protection law which, if enacted, would mean that companies could be fined 5% of their global turnover in the event of a serious data breach. For many organizations, 5% of turnover would be a ‘company killer’ sum of money, from which there would be no return other than being sold off.

So, all things considered, if the information within your business is not yet secure, now is the time to act: it is time for all businesses to get serious about security, or risk the many possible consequences.

Carpe Diem.