No Surprise

I’ve never worked at Target.

Sure, not the retail operation – but sometimes I feel like I’m one of few people in Twin Cities information technology contracting/consulting circles that hasn’t done at least a brief hitch doing something at the Minneapolis-based retail behemoth.

Target, of course, was beset over the holidays by a massive data breach.  You’ve heard the details; hackers installed malware in Target servers that captured tens of millions of credit card numbers.

The thing is – according to Bloomberg – it could have all been prevented, and very, very easily (emphasis added):

On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route. As they uploaded exfiltration malware to move stolen credit card numbers—first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …

Nothing happened.

For some reason, Minneapolis didn’t react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.

Now, I know plenty of good people at Target. But I’ve had exactly two contacts with Target management. One, of course, is from various interviews for contracting and consulting jobs; they do like to lowball.

But the other was at a different Twin Cities Fortune 1000 company, whose IT department found itself largely middle-managed by ex-Target people…

…and, over the course of a few years, spinning itself into complete uselessness.  No, I’m not naming names – but those middle-management Targetoids inadvertently taught me a lot, I think, about Target’s IT culture.

And I can totally see any of them blitzing on a simple boring phone call from Bangalore.

That’s a personal observation based on my own impressions.  Not “journalism”.

But I think we all arrive at the same endpoint.

5 thoughts on “No Surprise”

  1. Being in the IT business myself, I have heard the same things. Further, their entire IT Department always had a reputation as being arrogant know-it-alls. It was also interesting that their newly departed CIO did not have an IT background.

  2. I worked for Target for the better part of a decade. It’s a bizarre corporate culture.

  3. I can’t speak for Target, but having worked for companies with over 10,000 employees, I can say emphatically that in such companies, middle management tends to become rather “gelded”, going along to get along, even when there are known big problems. Combine that with the personality set often common in IT–introverted–and you’ve got a recipe for problems.

    But with Mr. D., I’d guess it’s not just an IT problem at Target. It’s a general corporate culture issue where the nail that stands up gets pounded down, and these were nails that stood up. Kinda like the U.S. government under the current president.

  4. In large companies it’s rare for anyone in middle levels to be willing to be the first to make noise about problems, especially if the alarm is coming from Bangalore. I have no doubt the grunts saw the alarms and told management, but the game of telephone should tell you what happened as the alarm went up the management chain to increasingly technically incompetent managers.

    Really, to get a good IT department you need one of two approaches. You need to either hire extremely technically competent folks up the management chain who are also good managers of people and resources. Or you can make the IT organization very, very flat so that warnings go up the chain without losing impact. Most big companies try the first method and fail horribly.
