back to article Target tosses US$148m onto data breach barbecue

Target's infamous 2013 data breach, which resulted in the company being relieved of 40 million credit card numbers, has cost the company another US$148m according to its latest quarterly finance report. The retailer dedicates a whole section of its quarterly statement to the breach, and says that “In second quarter 2014, the …

  1. frank ly

    At last?

    Maybe now they'll realise that poor security hits them on the bottom line. Most of them need this kind of clue stick.

    1. Michael Wojcik Silver badge

      Re: At last?

      Well, yes. But one of the interesting, and unfortunate, aspects of the Target breach is that it wasn't the sort of obviously, stupidly poor security, as we saw with e.g. the TJX unencrypted-wireless-PoS breach some years back.

      The infection came indirectly through a third-party supplier, and was spread by Target's over-engineered Windows-based PoS system. Those are architectural security issues, not simply a matter of "hey, turn on network encryption, stupid". Harder to spot and significantly harder to fix.

      Then Target's outsourced intrusion-detection team did spot malicious activity, and informed Target as they were supposed to - but the second-line team sat on the information instead of investigating and escalating. That's a procedural failure, but again it's not obvious or easily fixed - it's not a case of Target not having any monitoring at all.

      What it really demonstrates, once again, is that security is hard, and prominent victims (like large retail chains) won't have anything close to adequate security even if they make a good-faith effort to check the obvious boxes. They need someone in the C-suite whose remit is solely IT security; they need a formal process that includes threat modeling, penetration testing, and systems review; they need clear, well-documented procedures that create incentives for failing to a secure state rather than an insecure one. That's a very expensive proposition. Is it more than 148M USD expensive? Hard to say.

  2. Anonymous Coward
    Anonymous Coward

    Is that all?

    That's only $3.50 a card, so this must surely be addition to some much larger provision they've previously made? If they just had to settle with the card issuers for the cost of cancelling and replacing cards it would come to a hell of a lot more than that, then there's free credit monitoring for their customers. And that's without having to compensate any victims of fraud resulting from the breach, or the inevitable class action suit over all the stress and worry. They're in for more of a reaming than $148m.

    1. Gene Cash Silver badge

      Re: Is that all?

      They're not doing free credit monitoring for me, and my Chase card was one of the ones snaffled.

  3. Velv
    Pirate

    Another US$148m this quarter. Ongoing. Increasing.

    And yet so many large businesses are continuing to scrimp and save on little bits of security "because it'll never happen to us"

    Is your security as good as it could be. If you just answered "yes", prepare to be boarded. What was the best last week is old news and vulnerable. Security is a moving target and if you don't keep looking at ways of improving it you will be a victim.

    1. Michael Wojcik Silver badge

      Is your security as good as it could be. If you just answered "yes", prepare to be boarded. What was the best last week is old news and vulnerable. Security is a moving target and if you don't keep looking at ways of improving it you will be a victim.

      "security as good as it could be" is a meaningless phrase anyway - you don't have to invoke the "moving target" argument. Security is only meaningful in the context of threat models, costs to attackers, and costs of defenses. There is no "security" in an absolute sense.

      And defense budgets are limited. Worse, security costs are asymmetric - across a broad threat model, defense will be much more expensive than attack. There's no point in saying "keep looking at ways of improving [security]"; without context, that's not useful advice. Someone has to decide how to allocate the defense budget to increase the attack cost of the cheapest and most probable attack vectors, analyze the system for new attack vectors and update the threat model, detect violations, etc.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like