Data Breach

Yes, Target ignored security alerts warning it of a massive data breach. Target had installed a FireEye tool to detect malware in its system and hired a team of security specialists to monitor the system around the clock. It is reported that FireEye detected exfiltration malware uploaded by hackers and that the security specialists received a security breach alert. The specialists immediately alerted Target's headquarters, but the warning was not acted upon. Target ignored security alerts from the security team it had contracted to monitor its system.

Based on the video, it is evident that Target allowed the security breach on its system because it never heeded the alerts from its cybersecurity experts and because it had disabled a part of FireEye. The disabled feature was an automated function that detects and removes bad software, that is, the malware.

Target took various actions to remedy the situation, namely: notifying financial institutions and authorities immediately about the unauthorized access; committing all the necessary resources to fix the security flaw; and compensating victims of fraud. In addition, Target implemented amendments to the company's security policies. Those changes include appointing an information security chief, acquiring a data security program that will develop metrics to determine the system's security and keep a record of possible security risks, and training employees on systems security.

Legally, the measures taken by Target were enough because it compensated hacking victims and changed its security policies to shield its system from future security breaches. It contained the breach and installed a security program that monitors the whole system for security risks.

Steps Target could have taken to prevent information theft were to use more than one anti-malware/spyware protection, offer system security training to its employees, and update its system software. Another step was to use encryption. Encryption does not protect against personal information being stolen; rather, it aims to render any information that lands in the wrong hands incomprehensible and thus useless.

The procedure to protect personal information is to:

1) identify the information requiring encryption
2) determine the useful lifetime of the information identified
3) choose the appropriate encryption technology to be used
4) set procedures and policies detailing how these data and the encryption technology are modified and destroyed
5) identify the key access criteria to be used in the encryption and decryption process
6) install the best encryption technology
7) create key escrow and key mechanisms
8) train users on how to detect anomalous activity with their accounts
