Protecting consumers and their data while providing a good shopping experience has always been a challenge for retailers. Security measures such as multifactor authentication or challenge questions create friction in the buying process, but a breach that results in the loss of sensitive customer data could have a much bigger business impact than a few abandoned shopping carts.
Case in point: The 2013 data breach into Target’s payment system affected more than 41 million customer accounts and cost the company $18.5 million to resolve state investigations into the cyberattack. That event triggered Target to review and strengthen its security practices and policies, keeping that balance between security and customer experience in mind. Today, Target’s approach presents a model for other retailers to follow
In 2014, Rich Agostino relinquished his post as GE’s vice president of technology and risk compliance to overhaul and strengthen Target’s approach to cybersecurity, a job he continues to do as the retailer’s senior vice president and CISO. At the same time, Agostino has focused on keeping Target’s web interfaces user-friendly for online customers while keeping security enhancements in the background. For his efforts, the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) named Agostino the 2021 CISO of the Year and received its Peer Choice Award for CISO of the Year in 2021 as well.
“Anytime a guest has to answer a security question or take a minute out of the checkout process to do something to make themselves more secure, it can impact the convenience of their shopping experience,” says Agostino. “So, we do everything we can to keep that experience streamlined and positive while keeping our guests secure.”
Drawing the right conclusions about the Target breach
Before overhauling Target’s approach to cybersecurity, Agostino knew he had to draw the right conclusions from the 2013 data breach. What he learned ran counter to popular beliefs. “People tend to think about the 2013 Target breach as being significant because it was the first breach or the biggest consumer breach, but neither of those are true,” Agostino says. “The attack was significant because it was the first time that we saw a level of sophistication aimed at retail that previously had only been seen from nation-states attacking defense contractors and owners of intellectual property. It was really the first time that consumer-facing businesses had been confronted with this level of threat.”