US retail giant Target lost its CIO, Beth Jacob, on 5 March. The story is that Jacob resigned after being at the company 12 years.
Target, of course, is at the centre of the largest retail data breach in recent memory. On 9 December, Target reported that 40 million credit and debit cards were compromised in a data breach. That number expanded to more than 70 million in a subsequent disclosure from Target in January.
While much of the focus ever since the data breach was first disclosed has been to look at where Target may have failed, I think it’s critically important to remember here that Target is the victim.
Someone, or some hacker group, stole from Target. Target did not steal from its own customers or willingly give information to attackers; Target was attacked and is the victim of a crime here.
In most crimes of which I’m aware, the victim doesn’t take blame and doesn’t need to stand up and apologize for being a victim.
Yet that’s what has happened with the Target data breach. Target has apologised for being a victim, and the resignation of Jacob is just the latest step in that apology. Surely, there needs to be accountability and the CIO does inevitably have some responsibility to bear, but still Target is the victim.
For the 12 years Jacob was at Target she, no doubt, did the best job she could. Considering that to the best of my knowledge Target was not the victim of a data breach at any point in the last 12 years and did not suffer any other major IT meltdown, Jacob did an admirable job.
If you leave the keys in your car with the doors unlocked and your car is stolen, are you at fault? Yeah, you’re not a genius, but the car thief is still the criminal.
I’m not saying that’s exactly what happened in the Target case, and that no one was minding the cash register. We still do not definitively know what precisely happened at Target though there is widespread speculation. The general speculation is that some form of memory scraping malware was present and that somehow magnetic card strips also played a role.
The Payment Card Industry Data Security Standard (PCI DSS) includes multiple layers of provisions that are intended to protect retailers and their customers from data breaches. At some point, Target was PCI DSS-compliant, and the general speculation is that, at some juncture, they fell out of compliance, which is how the breach occurred.
Overall, though, the fact that the CIO of Target had to metaphorically fall on her sword should serve as a very cautionary tale for all IT security professionals. Even though Target is the victim here, it is also responsible for its own security and the security of its customers.
IT security professionals and now even the CIO in organizations will be held accountable for data breaches, and as such, an exceptional level of diligence and rigour will be required to provide real security. For IT execs, security is no longer a feature or an operational imperative; it is now quite literally a critical component of staying employed.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Originally published on eWeek.
View Comments
Target was the victim because they allowed themselves to be the victim. The security responsibility was fragmented within the company and it was reported this morning that Beth Jacob has a sales background and apparently never had the IT depth to be a CIO.
If you're going to use the rather shaky analogy of "If you leave the keys in your car with the doors unlocked and your car is stolen, are you at fault? Yeah, you’re not a genius, but the car thief is still the criminal" you need at least to extend it to include the detail that the car is full of other people's belongings, with which you are entrusted. By leaving the keys in the car with the door unlocked you've failed in your obligation to protect those belongings, and you can't expect to say to them "Hey, I'm the victim here - leave me alone".
The failed website launch was also on her watch...that was a very significant meltdown...As stated above...she was non-IT background, and was allowed to surround herself with her hires for 12 years...this is the type of fruit that tree will bear...sounds like Target recognizes its mistake with the repeated statement of an external hire to replace her.