Some thoughts on how a Grinch stole Target’s Christmas
There was a time when "activist investor" Carl Icahn actually owned and ran businesses, one of which was TransWorld Airlines (TWA), eventually sold to American Airlines. In an attempt to cut costs, TWA under Icahn outsourced reservation service to a call center built in a prison with prisoners on the phone. When you called to book travel you were giving your credit card number to a felon and telling him when you’d be away from home. Smart move, Carl, and very akin to what may have caused the post-Thanksgiving theft of 40 million credit card numbers from Target, the U.S. discount retailer.
Target used to do its IT all in the USA, then to save costs they moved IT to a subsidiary in India. Care to guess where the Target data breach came from? I’m guessing India. I’m also guessing that there will never be any arrests in the case.
It could have started anywhere, I suppose. Certainly there are plenty of thieves in the USA. But the possible link to offshoring can’t be ignored. Most big U.S. corporations have some IT work being done offshore. This greatly limits oversight and introduces huge new risks to their businesses -- risks that are consistently underestimated or even ignored. The data that runs these businesses and most financial transactions are in the hands of workers over whom the America customer has little management control and almost no legal protection. Even the ability to verify skills or do real background checks is difficult.
But offshoring is far from Target’s only mistake. Target CIO Beth Jacob, whose background is in operations, not IT, told ZDnet last month that Target was especially proud of its quick customer Point of Sale experience. That suggests a lot of IT attention to POS, which of course is exactly where the credit cards were grabbed.
Mary Alyce, my young and lovely wife, was in our local Target store yesterday and saw them replacing every POS terminal in the place. No pun intended.
Let’s guess what actually happened at Target sometime around November 15th. There are a couple concepts in the management of IT systems that are relevant to this issue. The first is configuration management -- managing how you have the components of your IT shop installed, configured, etc. The second is change management -- how you manage changes to those configurations. While both concepts are important and critical to an operation like Target, it is an area where tools are sorely lacking. For either to work well there needs to be an independent process of verification and checking: if you changed something, did the change work? Was the device or system changed outside of the change process? While it is great to tout good processes, ITIL, etc. You can’t assume people will do their jobs perfectly or follow the processes to the letter. There will be mistakes and sadly, there will be mischief. How do you know when this happens? At Target I’m guessing they didn’t know until it was already too late.
Someone probably made an out of process change to Target’s POS system and nobody noticed.
This is an excellent example of why everything in your IT shop should not have access to the Internet. Clearly Target’s POS terminals had access to the Internet. If they were on a secured private internal network, this crisis may not have been possible. Just because a machine has an ethernet connection, it doesn’t mean it should have connectivity to the Internet.
One final question: Where is the NSA in all this? Are they using all their technology to investigate and deal with this crisis? I don’t think so. This attack on Target is nothing less than a major cyber attack on the USA banking system. Show me the metadata!