Target: Why Blame The Victim Of The Crime?
When retailer Target was attacked, the CIO Beth Jacob had to resign. Sean Michael Kerner thinks we shouldn’t be blaming the victim of a crime
US retail giant Target lost its CIO, Beth Jacob, on 5 March. The story is that Jacob (pictured below) resigned after being at the company 12 years.
Target, of course, is at the centre of the largest retail data breach in recent memory. On 9 December, Target reported that 40 million credit and debit cards were compromised in a data breach. That number expanded to more than 70 million in a subsequent disclosure from Target in January.
Remember, Target was the victim
While much of the focus ever since the data breach was first disclosed has been to look at where Target may have failed, I think it’s critically important to remember here that Target is the victim.
Someone, or some hacker group, stole from Target. Target did not steal from its own customers or willingly give information to attackers; Target was attacked and is the victim of a crime here.
In most crimes of which I’m aware, the victim doesn’t take blame and doesn’t need to stand up and apologize for being a victim.
Yet that’s what has happened with the Target data breach. Target has apologised for being a victim, and the resignation of Jacob is just the latest step in that apology. Surely, there needs to be accountability and the CIO does inevitably have some responsibility to bear, but still Target is the victim.
For the 12 years Jacob was at Target she, no doubt, did the best job she could. Considering that to the best of my knowledge Target was not the victim of a data breach at any point in the last 12 years and did not suffer any other major IT meltdown, Jacob did an admirable job.
If you leave the keys in your car with the doors unlocked and your car is stolen, are you at fault? Yeah, you’re not a genius, but the car thief is still the criminal.
I’m not saying that’s exactly what happened in the Target case, and that no one was minding the cash register. We still do not definitively know what precisely happened at Target though there is widespread speculation. The general speculation is that some form of memory scraping malware was present and that somehow magnetic card strips also played a role.
The Payment Card Industry Data Security Standard (PCI DSS) includes multiple layers of provisions that are intended to protect retailers and their customers from data breaches. At some point, Target was PCI DSS-compliant, and the general speculation is that, at some juncture, they fell out of compliance, which is how the breach occurred.
A cautionary tale
Overall, though, the fact that the CIO of Target had to metaphorically fall on her sword should serve as a very cautionary tale for all IT security professionals. Even though Target is the victim here, it is also responsible for its own security and the security of its customers.
IT security professionals and now even the CIO in organizations will be held accountable for data breaches, and as such, an exceptional level of diligence and rigour will be required to provide real security. For IT execs, security is no longer a feature or an operational imperative; it is now quite literally a critical component of staying employed.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
How well do you know Internet security? Try our quiz!
Originally published on eWeek.