The laws on data security and privacy have tightened in the last 5 years, but that has not led to a fall in the number of data breaches

What the Target data breach can show us about human-centric data security processes

The laws on data security and privacy have tightened in the last 5 years, but that has not led to a fall in the number of data breaches – in fact we have a data breach epidemic. A new book suggests that, because the same mistakes keep happening, simple solutions may be effective at limiting many opportunistic attacks.

The Target experience

Target, the second largest discount retailer in the US, employed over 300 data security staff when they became the victim of the largest retail hack in history, in the busy run up to Christmas in December 2013. Only 6 months before, they had updated their malware detection system. The weak link in their approach was one 3rd party vendor who opened an attachment, but that shouldn’t have been the downfall of Target. A number of alerts were raised that could have made the error little more than a blip in the system.

Target executives had a problem acknowledging that something had happened. The Target security team in Bangalore were the first to pick up on the problem, as millions of records were being compiled ready for transfer; in other words, before the data had even left Target’s system. Their concerns were ignored. Automated malware detection that could have prevented the data leaving had been turned off by management, who opted for a human oversight model. The malware was unsophisticated and easy to detect. It was so simple that the logins and passwords of the hackers were visible in the malware code. Yet it would be two weeks before the Justice Department finally got the attention of executives, armed with a list of stolen credit card details that had turned up on the web.

Are we all just one careless 3rd party employee away from data breach shame?

It’s easy to suggest that it was one slip by a 3rd party vendor that led to the largest retail breach in the US, a thought that might rightly cost data officers some sleep, given the complex supply chains that we work with. Ransomware attacks are reaching epidemic proportions, with ransomware as a service removing the technical skills barrier previously needed to carry out such attacks. But the problem at Target was different. There were systemic failures in the Target team that could have stopped this breach.

A new book looks to redress the balance by moving the focus away from cyber security and focusing instead on a much smaller subset of the issue, data security. The authors, Daniel Solove and Woodrow Hartzog, argue from a legal perspective that not all data breaches are equal. They also argue that the law currently focuses almost exclusively on what to do in the event of a data breach, rather than legislating around the other factors that contribute to the breach, and they put forward a model of human-centric security that takes into account how people actually think and act.

Breached! Why Data Security Law Fails and How to Improve It, Daniel J Solove and Woodrow Hartzog, Oxford University Press, 2022.