Cyber security breaches are common these days. It is also well understood that none can ensure 100 per cent cyber security for their cyber infrastructures. However, with prudence and due diligence, cyber incidences can be minimised to maximum possible extent. Similarly, coordinating with the national and international cyber security authorities is an essential requirement whenever a serious cyber attack or cyber threat is detected.
The requirement of cyber security breach notification originates out of this condition that needs a good legislative backing to make it effective. Countries around the world are formulating laws to make cyber security breaches disclosures mandatory. India has also proposed mandatory cyber security disclosure norms but till now they have not been formulated. However, sooner or later cyber security breach disclosures would become mandatory in India and companies must be prepared for the same in advance.
For instance, recently National Security Council Secretariat (NSCS) requested Reliance Jio Infocomm to share potential cyber security threats on India’s telecom networks. Almost all telecom companies of India are complying with this requirement by creating the Information Sharing and Analysis Centre (ISAC). This (ISAC) is an agency that will collate all classified industry feedback on potential cyber threats and vulnerabilities in telecom networks across technology platforms.
Recently Target was targeted by cyber attackers and consumer information of mass proportion was leaked and stolen. According to Slate, 40 million credit card numbers and personal data from 70 million customers were stolen during an attack on Target that lasted from Nov. 27 to Dec. 18, when the big box store finally shut it down. Now the crucial question is whether Target failed to observe cyber law and cyber security due diligence?
Bloomberg Businessweek reports that Target officials could have been made aware of the attack on Nov. 30 and again on December 2. On both days malware detection software sent an alert to Target’s security monitors in Bangalore, India, who then contacted Target’s security team in Minneapolis. But for some reason, they apparently didn’t respond to either alert.
Congress is now investigating the situation, and congressional testimony shows that federal law enforcement officials got in touch with Target about the breach on December 12. Businessweek spoke to 18 people who either worked on Target’s cybersecurity in the past or have specific internal knowledge of the breach. Target’s chief financial officer, John Mulligan, told a congressional committee in February that the company began investigating December 12, when the U.S. Justice Department warned the company about suspicious activity involving payment cards.
“With the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different,” company spokeswoman Molly Snyder said in a statement.
When asked to respond to a list of specific questions about the incident and the company’s lack of an immediate response to it, Target Chairman, President, and Chief Executive Officer Gregg Steinhafel issued an e-mailed statement: “Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security and are committed to learning from this experience. While we are still in the midst of an ongoing investigation, we have already taken significant steps, including beginning the overhaul of our information security structure and the acceleration of our transition to chip-enabled cards. However, as the investigation is not complete, we don’t believe it’s constructive to engage in speculation without the benefit of the final analysis.”
Let us wait for the final outcome of all investigations and how/whether target would be held accountable for the loss of consumer data and personal information.