Target reportedly knew it had a problem BEFORE the Breach

Target has acknowledged that its computer security system (by FireEye, Inc.) had detected suspicious hacker activity and alerted the company. However, Target chose to ignore the information about the hacker’s infiltration of its system. This failure to act ultimately resulted in a Breach impacting in the ballpark of at least 110 million individuals – 40 million initially and then another 70 million a few weeks later. In the 4th quarter of 2013 alone, Target spent $61 million, with more to come according to company executives. In a move that didn’t surprise many, Beth M. Jacob, Target’s most senior technology executive, resigned after the Breaches became public.

Holy cow! What were they thinking?


As a reminder, it is imperative that entities with financial and medical information follow a protocol at least as comprehensive as the following:

  • Immediate notice (generally from IT) to the privacy staff in the event of a Breach or suspected Breach;
  • A periodic review of attempted attacks and analysis of trends;
  • At least quarterly review of systems, processes and reporting capabilities; and
  • At least annual security risk assessment – preferably by an independent party. If help is needed, let us know.

Privacy staff must understand the system reports and act accordingly.


One of the most common shortcomings of systems marketed as “HIPAA Compliant” is the failure to comply with reporting requirements. Put another way, what good is a security system or encrypted data if you aren’t informed of what’s happening? Once you know, avoid the same mistake as Target. Make certain that your systems and processes are complete from a compliance perspective. Sometimes entities need assistance in monitoring these types of activity reports. If help is needed, let us know, as there are options.