
Target Shares Security Enhancements (CDSA)

By Bryan Ellenburg

Target, still reeling from its late-2013 security breach, in which the credit card information of approximately 40 million customers was stolen after malware was installed on the company’s security and payments system, is doing everything it can to make sure it doesn’t happen again.

Since its investigation into the breach began, Target has come up with several changes for its security, including:

• Enhanced monitoring and logging, which involves implementing additional rules and alerts, centralizing log feeds and enabling more logging capabilities.

• The installation of application whitelisting on point-of-sale systems, covering all registers and point-of-sale servers.

• The development of point-of-sale management tools; the review and streamlining of network firewall rules; and the development of a comprehensive firewall governance process.

• The decommissioning of vendor access to the server impacted in the breach, and the disabling of select vendor access points, including FTP and telnet protocols.

• The reset of 445,000 Target employee and contractor passwords, expanded use of two-factor authentication, the expansion of password vaults, the disabling of multiple vendor accounts and reduced privileges for certain accounts.

Additionally, starting in early 2015, all of Target’s branded credit and debit cards will use MasterCard’s chip-and-PIN solution, with new supporting software and next-gen payment devices installed in stores by this September.

“Target has long been an advocate for the widespread adoption of chip-and-PIN card technology,” said John Mulligan, EVP and CFO for Target. “As we aggressively move forward to bring enhanced technology to Target, we believe it is critical that we provide our [Target-branded card] guests with the most secure payment product available. This new initiative satisfies that goal.”

Chris McWilton, president of North American markets for MasterCard, said the upgrade to the chip-and-PIN system should make consumers feel more relaxed using their cards at Target.

“Our focus, together with Target, is on safety and security,” he said.

Target has also joined the Financial Services Information Sharing & Analysis Center (FS-ISAC), a nonprofit private sector initiative developed by the financial services industry that’s set up to detect, prevent and respond to cyber attacks and fraud activity.

Lastly, the company has hired a new EVP and CIO to oversee its information technology transformation. Bob DeRodes comes to Target with more than 40 years of experience, most recently as senior information technology advisor for the Center for CIO Leadership, the U.S. Department of Homeland Security, the U.S. Secretary of Defense, and the U.S. Department of Justice.

“Establishing a clear path forward for Target following the data breach has been my top priority,” said Gregg Steinhafel, Target chairman, president and CEO. “I believe Target has a tremendous opportunity to take the lessons learned from this incident and enhance our overall approach to data security and information technology. Bob’s history of leading transformational change positions him well to lead our continued breach responses and guide our long-term digital strategy.”

DeRodes added: “I look forward to helping shape information technology and data security at Target in the days and months ahead. It is clear to me that Target is an organization that is committed to doing whatever it takes to do right by their guests.”