Target CEO Out In Wake Of Data Breach

HardOCP News

It seems as though Target finally ousted its CEO over the company's massive data breach five months ago.

Target's massive data breach has now cost the company's CEO his job. Target announced Monday that Chairman, President and CEO Gregg Steinhafel is out nearly five months after the retailer disclosed the breach, which has hurt its reputation among customers and has derailed its business.
 
The part that annoys me the most out of the data breach is Target probably had an army of security directors and engineers touting certifications such as CISSP, CISA, CEH and followed PCI-DSS compliance to the strictest nature but still got their ass handed to them. IT executives look at these certifications as "These guys are the cream of the crop and know what they're doing" when these "security professionals" don't know their ass from a hole in the ground. I'd rather trust the foreign blackhat hackers who are the source of most attacks (who probably don't hold a degree or ANY form of certification) with my corporate security policies than these professional idiots who got owned.
 
wow. This should cause some CEOs to take notice and prod the tech guys a little more.
 
The part that annoys me the most out of the data breach is Target probably had an army of security directors and engineers touting certifications such as CISSP, CISA, CEH and followed PCI-DSS compliance to the strictest nature but still got their ass handed to them. IT executives look at these certifications as "These guys are the cream of the crop and know what they're doing" when these "security professionals" don't know their ass from a hole in the ground. I'd rather trust the foreign blackhat hackers who are the source of most attacks (who probably don't hold a degree or ANY form of certification) with my corporate security policies than these professional idiots who got owned.

wow. This should cause some CEOs to take notice and prod the tech guys a little more.

I hear what you two are saying, but it's not like most of the business world knows enough to know what should be expected. Also, a lot of the black hats out there spend tremendous amounts of time figuring out these exploits....so much so that we have whole industries devoted to combating them and usually in a retroactive fashion rather than proactively. Some of those black hats are very smart and/or skilled. I'm not sure how to get the security world up to speed corporately considering how fast technology is growing. It's almost like having a shortage of nurses in the medical industry. Even though we have folks with certs, it doesn't mean they're entirely capable, obviously.
 
Read the article, he will continue serving in an advisory role..so really they just shuffled him around, no real action was taken. This was more of a Public PR move.

Further reinforces the notion that guys at this level are completely untouchable no matter what.
 
Probably got fired for being open about the breach. Multiple stores were involved in that same or similar breach, but they managed to stay out of the headlines at the time. First rule of not protecting your customer's data, don't tell the customers. What they don't know won't hurt us.
 
I hear what you two are saying, but it's not like most of the business world knows enough to know what should be expected. Also, a lot of the black hats out there spend tremendous amounts of time figuring out these exploits....so much so that we have whole industries devoted to combating them and usually in a retroactive fashion rather than proactively. Some of those black hats are very smart and/or skilled. I'm not sure how to get the security world up to speed corporately considering how fast technology is growing. It's almost like having a shortage of nurses in the medical industry. Even though we have folks with certs, it doesn't mean they're entirely capable, obviously.

That is more or less what I said. How do you employ the right security people? Ignore the certs and test them. Testing them however requires the person above them to know exactly what they're doing and have such deep experience in knowing popular avenues for hacking. This never happens though. The vast majority of "security executives" usually hold a well-known certification like CISSP. The certification is a joke and covers security topics at a CEO level. It is even more of a joke that it is regarded as the premier security professional certification.

Whoa whoa whoa, a direct link to the news article?

Fixed version: ousted it's CEO

It would be nice if the direct links got used. The HardOCP page is pointless and just requires you to click another link.
 
Probably got fired for being open about the breach. Multiple stores were involved in that same or similar breach, but they managed to stay out of the headlines at the time. First rule of not protecting your customer's data, don't tell the customers. What they don't know won't hurt us.

If you knowingly get caught withholding this information from customers, you will go to jail.


They should have had penetration tests done by independent security firms. If you do a few tests a year and rotate between vendors, someone *should* have caught this hole and reported it as a vulnerability. If management is aware of the hole and chooses to ignore it, then they should be held accountable when someone exploits it.
 
I really, really hate the fact that I have even thought of this, but I have: isn't this the same CEO that was the target of a boycott by the LGBT community a few years ago for having donated to an "anti-gay"(read: Republican) politician?

And how long ago was that data breach? Why wasn't he immediately booted if that was the reason?
 
It would be nice if the direct links got used. The HardOCP page is pointless and just requires you to click another link.

It's a page view and they need those to get ad revenue to pay for the forum that you're using for free. It's only one more time that you've gotta poke the mousey button.
 
It would be nice if the direct links got used. The HardOCP page is pointless and just requires you to click another link.

It has been explained 3,554,927 times, but I will do it again...just for you. :)

There are many reason we link our forum threads to the front page but, the biggest reason for news posters to link the front page is that, over time, the stories we link will end up turning into broken links. There are hundreds of thousands of links that end up broken on the site over the years. By linking the forum to the content on the front page, you will always be able to get the story/quote/images/video long after the site we linked is gone. -Steve
 
The part that annoys me the most out of the data breach is Target probably had an army of security directors and engineers touting certifications such as CISSP, CISA, CEH and followed PCI-DSS compliance to the strictest nature but still got their ass handed to them. IT executives look at these certifications as "These guys are the cream of the crop and know what they're doing" when these "security professionals" don't know their ass from a hole in the ground. I'd rather trust the foreign blackhat hackers who are the source of most attacks (who probably don't hold a degree or ANY form of certification) with my corporate security policies than these professional idiots who got owned.

1. There isn't a certification or compliance requirement list that is bullet proof and can ensure that no attacks will succeed.

2. It's pretty general to say they all "got their ass handed to them." Typically, a leader of a company has the final say, and I can tell you almost no one actually listens to every suggestion, to the letter, that a good security professional sets on the table. And quite frankly, we're used to it. We rarely get everything we want, but we do try to let the business balance how much they want to spend against the risk/cost of an incident.

3. Target probably actually *did not* have an army of security directors and engineers, otherwise they may have designed a better infrastructure. That or it doesn't matter when you talk convenience vs budget vs security, and some manager says they are going to go live despite not taking suggested protections.

4. You'd trust "foreign blackhat hackers who are the source of most attacks" with your corporate policies? Really? I'm not sure if you're in security or even IT, but integrity is one of the key traits for the people who hold the veritable keys to your kingdom. I'm not sure you'd actually give those keys and your trust to a group you've just labeled as criminals.

And if you did, and they ripped you off after you couldn't afford to give them the raise they demanded, your insurance may scoff at you for being negligent and inviting the enemy into your trust in the first place.

I think maybe you meant you'd listen to "foreign blackhat hackers" for their technical advice. The problem is, most of the criminals have 1 or 2 fields of expertise, but know nothing about the rest. And many of them are good at breaking things, but put them on a blue team, and they have just as little clue as most IT admins. And usually without the experience in a corporate environment.

Still, I'm also generalizing, but you're pretty out of your depth here.
 
That is more or less what I said. How do you employ the right security people? Ignore the certs and test them. Testing them however requires the person above them to know exactly what they're doing and have such deep experience in knowing popular avenues for hacking. This never happens though. The vast majority of "security executives" usually hold a well-known certification like CISSP. The certification is a joke and covers security topics at a CEO level. It is even more of a joke that it is regarded as the premier security professional certification.

What specific part(s) of the CISSP do you think is at a "CEO level?" The part about what encryption algorithms are outdated? The part about which backup tape scheme to use? Or RBAC management?

I'm not defending the CISSP cert as something that is hallowed or determines whether someone knows their stuff or not, but it's a gateway cert to at least demonstrate some initiative to understand security concepts and hopefully provide proof of experience.

Disclosure: I do have a CISSP. And no, it's not the be-all, end-all of certs. But don't go bashing crap with gross hyperbole.
 
Read the article, he will continue serving in an advisory role..so really they just shuffled him around, no real action was taken. This was more of a Public PR move.

Further reinforces the notion that guys at this level are completely untouchable no matter what.


He's gone once they find a permanent CEO. Besides, even if it is temporary, would you want a guy who's never been a CEO taking the role cold? The data breach is just the beginning of their problems, they are also losing a ton of money in Canada. Yes, they should have done this months ago, but it's a little cynical to say he was just shuffled around.
 
He's gone once they find a permanent CEO. Besides, even if it is temporary, would you want a guy who's never been a CEO taking the role cold? The data breach is just the beginning of their problems, they are also losing a ton of money in Canada. Yes, they should have done this months ago, but it's a little cynical to say he was just shuffled around.

He is still leaving on his terms and without more than a slap on the wrist at most. Cynical? Possible, but then I can have a 5+ year perfect track record at a company and have implemented policies that saved the company untold amounts of money. However one screw up and I'm gone, no severance, no step down when you feel like it..just flat gone. That kind of job loss has the potential to lose me everything I've worked my entire life for. These guys screw up, cost not only their company millions but their customers as well and what do they get? Told to go Golfing for the weekend and think about what they did while being handed a giant golden pacifier.

Yea I'm cynical.
 
He is still leaving on his terms and without more than a slap on the wrist at most. Cynical? Possible, but then I can have a 5+ year perfect track record at a company and have implemented policies that saved the company untold amounts of money. However one screw up and I'm gone, no severance, no step down when you feel like it..just flat gone. That kind of job loss has the potential to lose me everything I've worked my entire life for. These guys screw up, cost not only their company millions but their customers as well and what do they get? Told to go Golfing for the weekend and think about what they did while being handed a giant golden pacifier.

Yea I'm cynical.

It is discouraging to know that c-levels look out for their own whereas Joe Employee is shown the door immediately.

Probably more afraid of litigation coming from the 1% and hope they go away peacefully.
 
If you knowingly get caught withholding this information from customers, you will go to jail.


They should have had penetration tests done by independent security firms. If you do a few tests a year and rotate between vendors, someone *should* have caught this hole and reported it as a vulnerability. If management is aware of the hole and chooses to ignore it, then they should be held accountable when someone exploits it.

Actually I work for Target and we had an outside company that does Government level security services (don't remember their name but they are HUGE and HARDCORE) that was monitoring our networks and systems for this very thing. They warned Target when the malware first went on our systems (we didn't have the automatic quarantine system set up cause our guys wanted to be able to push a button). They warned us a week later when MORE malware was put on our system... They warned us several more weeks later when the hackers set up the outbound servers (this security company had the IP address and passwords and everything to the scammers' website). They warned Target AGAIN when data started leaving our network headed out to these servers... NOT ONCE did Target act on these warnings cause we didn't trust them since they were a new vendor for us... THE WHOLE EVENT could have been stopped numerous times and at numerous points if only someone at Target had listened to the company we were paying MILLIONS to that was supposed to stop just exactly what happened. IMHO (and as I said I work for them) Target deserves to die in a fire for what they allowed to happen. It was willful negligence on their part. Sadly though nothing will ultimately end up happening to them over this.
 
FireEye is the company that warned Target NUMEROUS times about the issues and Target IGNORED all their warnings.... In fact it was FireEye that gave the government the IP address and passwords to the intermediate servers the data went to before it was passed to the hackers. By the time they were involved though those servers were already wiped and dead ends.
 
In a statement provided to Information Security Media Group on March 13, Target says: "Like any large company, each week at Target there are a vast number of technical events that take place and are logged. Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon."
The statement continues: "Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different."
 
All told, up to five "malware.binary" alarms reportedly sounded, each graded at the top of FireEye's criticality scale, and which were seen by Target's information security teams first in Bangalore, and then Minneapolis.
 
When reviewing Target's log files, digital forensic investigators also found the November 30 alerts, as well as multiple alerts from December 2, all of which tied to attackers installing multiple versions of their malware -- with the alerts including details for the external servers to which data was being sent -- Bloomberg Businessweek reported. Later on December 2, attackers began siphoning 40 million credit and debit card numbers from POS terminals, as well as personal information on 70 million customers. Ultimately, they exfiltrated at least 11 GB of data, according to Aviv Raff, CTO of Israel-based cybersecurity technology company Seculert, which found one of three FTP servers to which the data was sent. From there, the data was transferred to a server hosted by Russian-based hosting service vpsville.ru.
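The last few posts all turn on the same point: the alerts fired, they named the external servers the data was going to, and they were judged not to warrant immediate follow-up. What follows is an added example, not code from this thread, from FireEye, or from Target, of a triage rule that never lets a top-severity alert be closed without a human and escalates it further when the destination it names already shows bulk outbound traffic in flow records. The 1..10 severity scale, the 100 MB threshold and the seven-day recurrence window are assumptions, and the alert and flow records are constructed to mirror the November 30 / December 2 timeline quoted above, not real telemetry.

```python
"""Triage rule for top-severity malware alerts: a critical alert that recurs, or
whose named destination is already receiving bulk outbound data, is escalated
instead of being closed as noise. Added example with constructed data; it is not
any vendor's product logic or any retailer's real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

CRITICAL = 10                 # assumed top of a 1..10 severity scale
BULK_BYTES = 100_000_000      # assumed threshold: 100 MB to one alerted destination
WINDOW = timedelta(days=7)    # assumed recurrence window

# Constructed alert records: sandbox/IDS verdicts naming the callback destination.
ALERTS = [
    {"ts": "2013-11-30T02:10:00", "host": "pos-srv-07", "name": "malware.binary",
     "severity": 10, "dst_ip": "198.51.100.23"},
    {"ts": "2013-11-30T02:12:00", "host": "pos-srv-12", "name": "malware.binary",
     "severity": 10, "dst_ip": "198.51.100.23"},
    {"ts": "2013-12-02T03:40:00", "host": "pos-srv-07", "name": "malware.binary",
     "severity": 10, "dst_ip": "198.51.100.23"},
    {"ts": "2013-12-02T03:41:00", "host": "pos-srv-19", "name": "malware.binary",
     "severity": 10, "dst_ip": "203.0.113.9"},
    {"ts": "2013-12-01T08:00:00", "host": "pos-srv-30", "name": "malware.binary",
     "severity": 10, "dst_ip": "203.0.113.77"},
    {"ts": "2013-12-02T08:05:00", "host": "pos-srv-31", "name": "malware.binary",
     "severity": 10, "dst_ip": "203.0.113.77"},
    {"ts": "2013-12-02T04:00:00", "host": "pos-srv-22", "name": "malware.binary",
     "severity": 10, "dst_ip": "203.0.113.50"},
    {"ts": "2013-12-01T11:00:00", "host": "ws-hr-003", "name": "pua.toolbar",
     "severity": 3, "dst_ip": "192.0.2.77"},
]

# Constructed perimeter flow records; bytes_out is what left the network.
FLOWS = [
    {"ts": "2013-12-02T09:00:00", "src_ip": "10.20.5.7", "dst_ip": "198.51.100.23",
     "dst_port": 21, "bytes_out": 2_400_000_000},
    {"ts": "2013-12-02T09:30:00", "src_ip": "10.20.5.19", "dst_ip": "203.0.113.9",
     "dst_port": 21, "bytes_out": 900_000_000},
    {"ts": "2013-12-01T12:00:00", "src_ip": "10.30.1.3", "dst_ip": "192.0.2.77",
     "dst_port": 443, "bytes_out": 120_000},
]


def egress_by_destination(flows):
    """Sum outbound bytes per external destination."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["dst_ip"]] += f["bytes_out"]
    return totals


def triage(alerts, flows):
    """Return {dst_ip: (priority, reason)} for every critical-alert destination.

    P1: the destination is already receiving bulk outbound data (exfil corroborated).
    P2: two or more critical alerts named this destination inside WINDOW.
    P3: a single critical alert; still goes to a human, never auto-closed.
    Sub-critical alerts stay in the normal queue and do not appear here.
    """
    egress = egress_by_destination(flows)
    by_dst = defaultdict(list)
    for a in alerts:
        if a["severity"] >= CRITICAL:
            by_dst[a["dst_ip"]].append(datetime.fromisoformat(a["ts"]))

    findings = {}
    for dst, times in by_dst.items():
        times.sort()
        repeats = sum(1 for t in times if times[-1] - t <= WINDOW)
        if egress[dst] >= BULK_BYTES:
            findings[dst] = ("P1", f"{repeats} critical alert(s) and "
                                   f"{egress[dst]:,} bytes already sent to {dst}")
        elif repeats >= 2:
            findings[dst] = ("P2", f"{repeats} critical alerts naming {dst} "
                                   f"within {WINDOW.days} days")
        else:
            findings[dst] = ("P3", f"single critical alert naming {dst}; "
                                   "review before closing")
    return findings


if __name__ == "__main__":
    for dst, (prio, why) in sorted(triage(ALERTS, FLOWS).items(),
                                   key=lambda kv: kv[1][0]):
        print(prio, dst, why)
```

Running it prints the two FTP destinations as P1 because the flow records already show gigabytes leaving toward hosts the alerts named, the twice-alerted destination as P2, and the once-alerted one as P3. The design choice is that the lowest possible outcome for a top-severity alert is "a person looks at it"; the analyst's judgement that the first alarms "did not warrant immediate follow up" is exactly the decision this rule takes out of their hands once the destination shows up in egress.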
 