Target CEO Gregg Steinhafel has promised to fix the damage caused by a major data breach, and is attempting to recover the company's reputation by creating a coalition aimed at improving understanding of consumer-based scams.
In an open letter posted at A Bullseye View, the chief executive wrote that after the firm's data breach took place in December, an investigation -- which is ongoing -- revealed that customers' private information was stolen, including names, credit and debit card information, addresses, phone numbers and email addresses.
"I know this breach has had a real impact on you, creating a great deal of confusion and frustration. I share those feelings. You expect more from us and deserve better.
We didn’t live up to that responsibility, and I am truly sorry."
In an attempt to salvage the firm's reputation, the CEO said Target is taking 'active steps' to make sure the security failure does not recur, and the following changes have been made:
1. Closed the access point that the criminals used and removed the malware they left behind.
2. Hired a team of data security experts to investigate how this happened. That effort is ongoing and we are working closely with law enforcement.
3. Communicated that our guests will have zero liability for any fraudulent charges arising from the breach.
4. Offered one year of free credit monitoring and identity theft protection to all Target guests so you can have peace of mind.
In addition, Target's CEO says that the company will soon announce a coalition to "educate the public on the dangers of consumer scams." The company will also "accelerate the conversation–among customers, retailers, the financial community, regulators and others–on adopting newer, more secure technologies that protect consumers," although no details on how this will be achieved have been disclosed.
Point-of-sale systems are vulnerable to cyberattack, and the educational drive is nothing if not ironic. The problem is that while consumers can be savvy enough to ignore phishing scams and avoid downloading malicious software, there is little we can do if a company responsible for so many customers suffers a data breach.
Education might be useful for the average consumer, but personally I would have liked to see the investment that will go into the drive -- prompted no doubt by panicking PR-types to thrust Target back into the public spotlight in a positive manner -- instead used to boost their security teams and security-software development, a factor sadly lacking on the list of changes.
What is the point of hiring data security experts to investigate the breach without hiring to bolster your own defenses, which appear to be sadly lacking?