It just wouldn't be the holiday season without a report of another major security breach.
This time Target is the victim and, true to form, the shame and blame game follows. At this point it shouldn't come to anybody's suprise that compliance doesn't equal secure. Even though the full details of the attack are unknown, you can bet that Target was PCI Compliant and was doing alot of things right. I think the more interesting story is how it was first reported by Brian Krebs on December 18th.
What I find interesting is that the breach was first reported after the cards started showing up on the black market. This seems to indicate that a large data exfiltration occurred and went largely unnoticed by the security practices at Target. I often say that security requires 3 P’s, People, Process, and Product, I would wager a guess then in this case there was a failure in all three and unfortunately this is a major difference between being compliant and being secure. Having a process is not the same as having the ability to verify the process is actually working.As I mentioned at the beginning of this post, this is not about assigning blame, I do hope the details become more public and we collectively resist the urge to focus on everything that could have been done, but instead be able to collectively learn from this event so another organization doesn’t suffer a breach in the same way. Target’s was not the first and will certainly not be the last …
Have a happy holiday season and check your card statements, I know I will.