Amazing. The Target outage started mid morning on Saturday, June 15, 2019 when every POS system across the United States went down. The system came back online a few hours later. That part isn’t amazing. Stuff happens. What’s amazing is the reaction and headlines across the United States.
Tweets were everywhere. So were headlines. From the Minneapolis Star Tribune: “Target systems crash strands shoppers.” On the St. Paul Pioneer Press front page above the fold: “Target says IT glitch shut down registers.” Newspapers across the United States ran stories. So did national news TV stations.
Target is not sharing details about what happened, but from looking at zillions of tweets, apparently the scanners at the checkout stations failed and store clerks had to enter SKUs by hand. But this is clear as mud, because other POS systems apparently were completely dead. A POS (Point of Sale) system is a 21st century cash register, usually connected to a central server. Since all of Target’s POS systems went down, and they all came back alive a few hours later, it’s not rocket science to conclude that something in common to all those POS systems failed.
[Update Monday, June 17, 2019] I want to thank my friend, Ted, for showing me this USA Today article from June 15, 2014 about another Target outage, five years to the day before the 2019 Target outage. The June 15, 2014 outage had the exact same symptoms as the June 15, 2019 outage. Five years, to the day, earlier.
That timing cannot be a coincidence. Armed with this new information, it’s reasonable to speculate that digital certificate expirations caused both the 2014 and 2019 Target outage incidents. The cure, in both cases – renew the certificates. And Target should put in a calendar reminder for early June, 2024 to proactively renew them again if they have a five-year life. For a lesson in why digital certificates are important, see this presentation for how trust on the internet works.
I imagine some top Target execs are lamenting their fate today. Back in 2013, Target suffered one of the first sensational data breaches that made headlines. It was a big deal; headlines were everywhere. I even modeled my first novel, Bullseye Breach, after the 2013 Target incident – not to pick on Target, but to educate the public on how this stuff works.
Bigger incidents from other organizations followed, but Target led the way. And now, the 2019 Target outage leads the way again with another cybersecurity story in the headlines.
Nobody is suggesting an attack triggered today’s Target cybersecurity story. Cybersecurity is a triad, encompassing confidentiality, integrity, and availability. The cyberattack stories we usually read about are about confidentiality. This one is about availability.
Why is the 2019 Target outage a big deal? Because today, information technology is like flush toilets, lights, and dialtone. The public expects it all to just work. Which means good IT is fundamental to doing business. Today’s Sunday headlines and news reports across the country proved it.
Here is an anecdote. I graduated from Wabash College in 1979. Wabash is a liberal arts college and Wabash professors looked down their noses at technology forever. But starting fall, 2019, Wabash is offering a Computer Science major. When even Wabash College acknowledges information technology is fundamental to modern society, something must be going on.
And that leads to lessons for Target and others.
As Jesse Jonsen from Bullseye Breach would say, Target has an opportunity to turn this lemon into lemonade. No doubt, Target will investigate this incident internally. But just like the FAA publishes post-mortem reports of aircraft incidents, Target should publish what happened with this outage. Most of the public won’t understand the report, but that’s okay. Most of us don’t know anything about flying airplanes, but we can draw on experts to interpret the reports. Same with Target. Transparency is good. So is leadership. Target has an opportunity to lead.
Educating the public is also good, and Target can use a public post-mortem report on this outage as a basis for a public educational outreach. The public thinks technology is magic and too many people remain too ignorant about how any of this stuff works. That’s why scourges such as identity theft and ransomware happen so often. Target can help address that problem by showing what’s behind the technology curtain. And a public educational outreach might offer a material ROI by bringing a few more shoppers into stores.
Equipment will always break and software will always have bugs. Business needs to deal with them better.
Some how, some way, the infrastructure behind the Target POS systems also needs more redundancy. In this era of management directives to do more with less, I’ll ask Target’s management how much this outage cost. Probably a few $million. If Target had invested, say, $1 million on redundancy, it may have saved several $million from the outage.
Sometimes skimping on IT spending inconveniences customers. Other times it leads to data breaches. Or worse. Managers should think about this tradeoff when they create their annual budgets.