Target Data Breach Exposes Vendor Management Vulnerabilities

Business leaders entrusted with the protection of sensitive customer data must be having nightmares as details about Target Corp’s data debacle trickle out. Between news this week of a scathing Senate Committee report and the first of the lawsuits filed against Target and its security firm Trustwave, a bright new light is shining on the importance of vendor management for companies with sensitive data on their computer networks.

To date, two banks have filed lawsuits against Target and its security firm, Trustwave Holdings. The banks, Trustmark National Bank and Green Bank N.A., are seeking more than $5 million in damages.

The plaintiffs allege that the security company did not detect or prevent security vulnerabilities present in Target’s systems. The data breach occurred during the Christmas shopping season of 2013 and saw the theft of around 40 million payment-card records and an additional 70 million other records of customer information. It exposed Target to intense scrutiny about flaws in its data security and vendor-management practices. Industry watchers expect many more lawsuits from banks and other parties seeking to recover the costs of fraud, notifications, and card replacements that resulted from the breach and the lax vendor management.

A Senate committee (the Commerce, Science, and Transportation Committee) issued a report this week entitled “A ‘Kill Chain’ Analysis of the 2013 Target Data Breach.” According to the report, Target did not heed warnings and signals from its automated security system that malware was being installed and that data-exit channels were being established. Additionally, the report criticized the company for granting network-system access to an HVAC vendor based in Pennsylvania that did not follow security protocols, which resulted in its credentials being stolen through email “phishing” attacks. According to the Senate report, “Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.”

The repeated oversights and ignored warnings mounted from there. While Target has apologized to Congress for the data breach, it has declined to share full details until it has completed its own forensic investigation of the breach.

The Target breach illustrates the extraordinary importance of vendor management and vetting by companies and financial institutions that have highly sensitive data. AML Partners has been working on the challenge of vendor management and screening both in its SURETY-CDD tool and in InDuro, which facilitates customized workflow, risk, and process management. Our vendor-management vertical provides users with the opportunity to screen for negative news and sanctions and to collect and track all desired data for every vendor. The Target data disaster likely has a lot of institutions taking note of the high stakes and labyrinthine interconnectedness of risk elements in this networked world.
