Target’s consumer data breach was massive in scope and impact – 70 million consumers had their payment information hacked/stolen, along with other personal information. Federal and state regulators are now picking through the morass to assign blame, responsibility and extract penalties and promises of reforms and improvements.
Recent press reports have revealed that Target’s senior management had been warned internally about vulnerabilities in its payment card system. Members of Target’s computer security staff raised concerns about this specific issue weeks before the hacking attack occurred.
Target’s failure to act is just another example of second-guessing senior management and Board oversight in the wake of a corporate scandal. Each senior manager now will be asked why he or she did not take these warnings seriously, assuming they were even aware of the specific warnings.
In many cases, the failure of a company to react to important information raised by managers and employees can be a very important indication of information sharing and management processes.
A company like Target can take this information and review it for how they can do things better in the future. It is important to analyze where the information breakdown occurred. Was the information accurately communicated in the organization? Did the recipients of such information appreciate the importance of the warnings? If not, why not?
Senior managers have to assess their own performance in the handling of such important information. When a warning of a data security issue is known, what are the expectations for how such information is reviewed, assessed and acted upon?
Mistakes can lead to improvements in corporate decision making. Information flow is the key and companies spend millions of dollars analyzing their own information sharing and assessment systems. As reflected by the Target scandal, it is money that is well spent.
The Target attack was a sophisticated hacking that was directed at a well-known vulnerability in its system. The hackers entered Target’s payment system through a Target vendor and crossed from the entry system over to Target’s payment system, an event that should have been prevented by basic techniques used to wall off a retailer’s payment system from other parts of its computer network.
The attack against Target occurred because of this specific vulnerability. This strategy is referred to as “segmentation.” In Target’s case, the payment system should have been segmented from other components of its software system.
In the aftermath of most corporate scandals, companies usually find that key actors involved in the incident failed to appreciate the information or were never given adequate information to prevent a problem from occurring. Sometimes companies find that key functions have been compartmentalized and prevented key actors from having access to critical information needed to identify a problem.
In the Target case, it seems like the problem may be a little different – key decision makers failed to respond to important warnings. The information was available but no one reacted or took responsibility for responding to the warnings.
Not all failures to act are the same – they can differ in how the underlying process unfolded – who knew or did not know the important facts? Who acted or failed to act in response to the important facts? These are the usual questions and they usually generate some interesting responses.