What the Target data breach can show us about human-centric data security processes

The laws on data security and privacy have tightened in the last 5 years, but that has not led to a fall in the number of data breaches – in fact we have a data breach epidemic. A new book suggests that simple solutions may be effective at limiting many opportunistic attacks, because the same mistakes keep happening.

The Target experience

Target, the second largest discount retailer in the US, employed over 300 data security staff when it became the victim of the largest retail hack in history, in the busy run-up to Christmas in December 2013. Only 6 months before, it had updated its malware detection system. The weak link in its approach was one 3rd party vendor who opened an attachment, but that shouldn’t have been the downfall of Target. A number of alerts were raised that could have made the error little more than a blip in the system.

Target executives had a problem acknowledging that something had happened. The Target security team in Bangalore were the first to pick up on the problem, as millions of records were compiled ready for transfer; in other words, before the data had even left Target’s system. Their concerns were ignored. Automated malware detection that could have prevented the data leaving had been turned off by management, who opted for a human oversight model. The malware was unsophisticated and easy to detect. It was so simple that the logins and passwords of the hackers were visible in the malware code. Yet it would be two weeks before the Justice Department finally got the attention of executives, armed with a list of stolen credit card details that had turned up on the web.

Are we all just one careless 3rd party employee away from data breach shame?

It’s easy to suggest that it was one slip by a 3rd party vendor that led to the largest retail breach in the US, a thought that rightly might leave data officers with a few problems sleeping, given the complex supply chains that we work with. Ransomware attacks are reaching epidemic proportions, with ransomware-as-a-service removing the technical skills barrier previously needed to carry out such attacks. But the problem was different. There were systemic failures in the Target team, and without them this breach could have been stopped.

A new book looks to redress the balance by moving the focus away from cyber security and focusing instead on a much smaller subset of the issue, data security. The authors, Daniel Solove and Woodrow Hartzog, argue from a legal perspective that not all data breaches are equal. They also argue that the law currently focuses almost exclusively on what to do in the event of a data breach, rather than legislating around the other factors that contribute to the breach. They put forward a model of human-centric security that takes into account how people actually think and act.

Breached! Why Data Security Law Fails and How to Improve It, Daniel J Solove and Woodrow Hartzog, Oxford University Press, 2022.

Related Articles

Datacamp - Learning Tracks

All IoA members can use the installation-free Data Camp environments to build, practice and test your skills in Data Camp. We have two custom built tracks to allow you to ensure your training is on course to fulfil your career goals. We’ve recommended two tracks of knowledge and analytics study aligned to all of the 7 first years in the Data Competency Framework.

Which Track is for me?

Business analyst with R: This track will take you through spreadsheet skills and BI tools in the early years, and build up your coding skills to use R environments in the later years with more challenging data projects.

Python analyst: This track goes straight into Python coding and will take you all the way to working with unstructured data and deep learning techniques.
Look for the track name and year when you search for a course.
With our custom tracks, we’ve selected the skills that we know employers are looking for but remember that you can also take any of the 300 courses and assessments and projects any time you want and add that to your CPD records, too. You can find a post discussing the aims and structure of the tracks here.
