Target tech chief resigns as it overhauls security
Source: AP-EXCITE
By ANNE D'INNOCENZIO
NEW YORK (AP) - Target Corp. (TGT) Chief Information Officer Beth Jacob is resigning effective Wednesday as the retailer overhauls its information security and compliance division in the wake of a massive pre-Christmas data breach.
Target Chairman, President and CEO Gregg Steinhafel said in a statement released to The Associated Press that the company will search for an interim chief information officer who can help guide the company through the transformation.
Jacob had been in her current role since 2008 and oversaw teams in the U.S. and India.
Target disclosed on Dec. 19 that the data breach compromised 40 million credit and debit card accounts between Nov. 27 and Dec. 15. Then on Jan. 10 it said hackers also stole personal information - including names, phone numbers as well as email and mailing addresses - from as many as 70 million customers.
FULL story at link.
Read more: http://apnews.excite.com/article/20140305/DACBJIP01.html
gvstn
(2,805 posts)
I was just remarking that I hadn't been to Target since the breach was disclosed. And since my bank issued a new card and invalidated my old one, I see no reason to potentially compromise the new one. Target has done little to explain how the breach happened or why it should be trusted with our data now. Until they can do more to reassure, I won't be using any of their POS terminals.
I have to admit the whole scheme has put me off using debit cards at all, especially at big box stores for relatively minor purchases.
LittleGirl
(8,280 posts)
was compromised at the cafeteria where he works. Security is something that IT departments try to keep up with but even the virus software companies can't keep up. They are fighting a losing battle it seems.
Xithras
(16,191 posts)
Basically, their POS machines run over their internal LAN and WAN. Their stores also have a centralized climate control system (heat/air) with IP based monitoring and management. It also runs over their internal LAN and WAN.
Someone got the network credentials for their air conditioning system and used it to backdoor a way into their network. Once they were into the network, they were able to connect directly to the POS machines and insert hacked code to collect data. Normally the data would be heavily encrypted before it was transmitted over the network to their central servers, but by hacking the POS terminals directly, they were able to grab the raw data before it was encrypted.
Target's major error was that they didn't have any internal isolation on their network. Once someone got onto their network...anywhere...they effectively gained direct access to EVERYTHING. Most businesses would use firewalls and VLANs to isolate functions from each other to prevent this sort of thing from happening. Air conditioning would run on one virtual network, so that a hack of the air conditioning system would only impact air conditioners. POS terminals would run on another virtual network, isolated from everything else on the network. It would also be common to isolate them on a per-store basis, so that a breach in the POS VLAN could ONLY impact the terminals at that one particular store. Every major network system should have been isolated from every other major network system, and the remote locations isolated from each other, to prevent this sort of thing from happening. Instead, Target had everything running on one big shared network. Once you were in, you could connect to EVERYTHING.
It was a network configured by amateurs. I'm shocked that their CIO was allowed to resign...she should have been fired immediately. That's a career ending blunder, and not one that ANY company should have allowed to happen. A simple, comprehensive security audit would have identified this problem in MINUTES. Either Target wasn't doing them (and they're required to do so, for PCI compliance with the credit card companies), or they KNEW it was an issue and ignored it.
I hadn't seen this information. I'll have to digest it--I always figured the problem was with wireless transmittal of data rather than possibly LAN or VLAN (not really even sure what this is yet).
I'm glad they are addressing the issue and building a stronger network for their POS. I can't say I feel secure using a card at PetSmart though. Their checkout system seems like something from 20 years ago with wires all over the place. Definitely, a stop at the ATM for me before buying cat food.
Xithras
(16,191 posts)
LAN: The network in a store that connects all of the devices like point of sale machines and air conditioners. It can be physically wired OR wireless.
WAN: A "super network" connecting the LANs in all of the stores together. It allows the computers in Store A to connect to computers in Store B, and allows all stores to connect to a central location.
VLAN: A neat trick that allows multiple LANs to run over a single physical connection. You can have multiple networks (VLAN = "Virtual LAN") running over a single cable and using shared hardware, and yet be completely isolated from each other or unaware that the other networks even exist. This is an incredibly simplified definition, but you get the idea.
In the long run, I think the Target hack may turn out to be a good thing. My employer has already seen an uptick in traffic from retail chains wanting to secure older "flat networks" and avoid a Target-style breach. Target themselves will be investing a massive amount of money to prevent this sort of thing from happening again. A lot of companies have scaled back IT spending over the past decade to cut costs, and their network and security models haven't kept pace with modern advancements and hackers. Network and security models that were modern and secure in 2004 are wide open for attacks nowadays, but most corporate IT departments haven't had the funds to overhaul and replace their systems because the bigwigs were worried that IT spending would eat into their margins. The Target breach seems to have woken a lot of them up and freed some purse strings.
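The flat-versus-segmented design Xithras describes (HVAC and POS on one shared network versus separate VLANs, per-store POS isolation, and explicit firewall rules between segments) can be checked mechanically. The script below is an added example, not code from the thread or from Target; the host names, store names, VLAN names and allow-rules are all constructed for illustration. It builds the same small estate twice, once as a flat network and once segmented, then audits every ordered pair of hosts against two defender policies taken from the posts above: building-management systems must never reach a POS terminal, and POS terminals in one store must not reach POS terminals in another. Reachability is modelled one direction at a time (who can initiate a connection to whom), which is the question a segmentation review actually asks.

```python
"""Audit a simple VLAN/firewall model for segmentation policy violations.

Hypothetical example: host, store and VLAN names are constructed, not taken
from any real network.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Host:
    name: str
    role: str   # "pos", "hvac", "bms" (building-management server), "payment"
    store: str  # "store_a", "store_b", "hq"
    vlan: str   # VLAN the host's port is assigned to


@dataclass(frozen=True)
class Allow:
    """A firewall rule permitting src_vlan to initiate connections to dst_vlan."""
    src_vlan: str
    dst_vlan: str


def reachable(src, dst, allow):
    """Can src open a connection to dst?

    Hosts in the same VLAN share a broadcast domain with no firewall in the
    path, so they always reach each other. Across VLANs, traffic must pass
    the inter-VLAN firewall and needs an explicit Allow rule.
    """
    if src.vlan == dst.vlan:
        return True
    return Allow(src.vlan, dst.vlan) in allow


def violates_policy(src, dst):
    """Segmentation policy derived from the thread's description."""
    # Building management (HVAC controllers, BMS server) must never reach POS.
    if src.role in ("hvac", "bms") and dst.role == "pos":
        return True
    # A compromised POS in one store must not reach POS in another store.
    if src.role == "pos" and dst.role == "pos" and src.store != dst.store:
        return True
    return False


def audit(hosts, allow):
    """Return every (src, dst) flow that is both reachable and forbidden."""
    return sorted(
        (s.name, d.name)
        for s, d in permutations(hosts, 2)
        if violates_policy(s, d) and reachable(s, d, allow)
    )


def build_hosts(segmented):
    """Same estate, either on one flat VLAN or split per function and store."""
    def vlan_for(role, store):
        if not segmented:
            return "flat"                  # everything on one shared network
        if role == "pos":
            return f"pos-{store}"          # POS isolated per store
        if role == "hvac":
            return f"hvac-{store}"         # HVAC isolated per store
        if role == "bms":
            return "bms"                   # central building-management server
        return "payment"                   # central payment processing

    specs = [  # constructed sample hosts
        ("pos-a-1", "pos", "store_a"), ("pos-a-2", "pos", "store_a"),
        ("hvac-a", "hvac", "store_a"),
        ("pos-b-1", "pos", "store_b"), ("hvac-b", "hvac", "store_b"),
        ("pay-srv", "payment", "hq"), ("bms-srv", "bms", "hq"),
    ]
    return [Host(n, r, s, vlan_for(r, s)) for n, r, s in specs]


FLAT_HOSTS = build_hosts(segmented=False)
FLAT_ALLOW = frozenset()      # no firewall rules needed: nothing is isolated

SEG_HOSTS = build_hosts(segmented=True)
SEG_ALLOW = frozenset({       # only the flows the business actually needs
    Allow("pos-store_a", "payment"), Allow("pos-store_b", "payment"),
    Allow("hvac-store_a", "bms"), Allow("hvac-store_b", "bms"),
})


if __name__ == "__main__":
    for label, hosts, allow in (("flat", FLAT_HOSTS, FLAT_ALLOW),
                                ("segmented", SEG_HOSTS, SEG_ALLOW)):
        findings = audit(hosts, allow)
        print(f"{label}: {len(findings)} forbidden-but-reachable flows")
        for src, dst in findings:
            print(f"  {src} -> {dst}")
```

On the flat build the audit reports every HVAC/BMS host reaching every POS terminal and every cross-store POS pair, which is exactly the "once you were in, you could connect to EVERYTHING" condition. On the segmented build it reports nothing, while the legitimate POS-to-payment and HVAC-to-BMS flows remain reachable. The same structure scales to a real environment by loading hosts and rules from inventory and firewall exports instead of the constructed lists.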
penultimate
(1,110 posts)
There are always a few legit hardcore 'geeks' who truly understand the big picture, and they will spot issues and concerns like these. I bet C-level folks were well aware of the issues and chose to ignore them.