Target opened its first store in 1962 in a Minneapolis, MN suburb. The classic bull’s eye logo was selected to convey that “As a marksman’s goal is to hit the center bulls-eye, the new store would do much the same in terms of retail goods, services, commitment to the community, price, value, and overall experience.” In 2013, Target customer personal and financial data was put in a bulls-eye by hackers despite strategic investments in information technology (IT) security covering its over 1,800 stores and 130 distribution centers worldwide. Lessons learned from the breach of 110 million records (historical record for retail store breaches at the time) are still pouring in, and will have far-reaching effects beyond Target’s 361,000 employees.
Right on target
Target seemed to be, well, right on target. From 2006 – 2013 Target invested heavily in the very data security technology, procedures, and expertise that should have protected it from data breaches of this magnitude. Unlike many retail chains, Target invested in a designated large-scale security operations center (SOC) to centrally manage overall IT infrastructure security. The SOC housed scores of security analysts continually monitoring network transmissions, server traffic, and device-level alerts. In order to perform security monitoring 24 by 7, another security team in Bangalore (India) monitored security alerts and would notify the SOC group of any anomalies.
Six months prior to the cyber-incident, Target implemented a $1.6 million data breach and malware detection platform from highly regarded IT security firm FireEye. Target had been thoroughly impressed with FireEye’s reputation in both the public (CIA, Pentagon) and private (customers Yahoo!, Adobe Systems and eBay) sectors. The FireEye solution was designed to create a simulated, virtual IT infrastructure on which malware and data breach attempts could be detected prior to attacks on real operational devices and networks. Target spent months testing out the security platform to ensure its validity, as well as to smooth the transition for Target’s 300 IT security professionals. Target’s IT infrastructure itself was also segregated – with more sensitive databases being positioned behind additional layers of security.
Despite these substantial investments in time, talent, and money, Target’s business data was stolen – including 40 million credit card records, and 70 million personal information records (e.g., residential address, phone number, email account). Numerous press reports indicated the initial area of vulnerability was actually not Target’s network or point-of-sale (POS) systems at all – but its vendor management. A service provider for Target facilities was cited as having been the victim of an e-mail-triggered malware attack through which cyber-criminals were able to obtain legitimate Target network access credentials. This attack was reported to have taken place around the end of September.
With network credentials in hand, cybercriminals were able to infiltrate Target’s secured servers and load malicious software that then hooked into POS systems by November 28 (Thanksgiving Day). According to reports from Krebs on Security, Bloomberg Business Week, Dell Secureworks, and the Wall Street Journal, the attack was not fully addressed until the middle of December.
Once inside the POS system, the thieves had the ability to skim credit card and personally identifiable information from all U.S. Target stores just in time for the Christmas purchase rush. Opportunities to successfully accomplish the breach stemmed from conditions in Target’s cyber and physical environments. The Christmas-related increase in POS transactions and the resulting uptick in Target telecommunications traffic made responding to all network security alerts challenging. The increase in customer in-store foot traffic made enhancing security procedures (like additional checking for potentially compromised credit cards) an expensive proposition. Instead, malware was not only installed on POS systems, but also on servers within Target’s IT infrastructure. Using the stolen credentials, the hackers were able to commandeer additional Target computing equipment in order to provide a centralized staging ground for the stolen data prior to being uploaded to non-Target servers also controlled by the thieves.
As reported in the press, Target was actually well-positioned to minimize the effects of the breach. On November 30 security alerts were triggered when the cybercriminal group attempted to plant malware for the exfiltration (exit route) of the stolen data (see Figure 1 below – provided by Dell SecureWorks). The security team in Bangalore, as expected, advised the SOC in Minneapolis of the security alert. Target’s investments in antivirus security seemed to be working as expected also. According to Bloomberg reporting, Target’s Symantec Endpoint Protection tools identified suspicious behavior over several days around Thanksgiving and actually identified issues with the same server identified by the FireEye security alerts.
At that point Target security pros could have followed the stolen data to three staging grounds: U.S.-based, criminally controlled, sets of servers in CA, UT, and VA respectively. Whether they could have gained access to those servers and deleted the stolen data remains part of the follow-up investigation. Even if not, the damage in terms of customer loyalty, public trust, and regulatory scrutiny at that point would have been minimized had the floodgates been closed.
Instead, the security alert was not responded to by Target’s SOC and the daily theft of POS data continued unhindered for more than two weeks. The cyber-thieves extracted datasets on a daily basis and were careful to conduct their exfiltration/downloading during heavy traffic hours to reduce the likelihood of detection. Another factor complicating intrusion detection was that the cybercriminals incorporated labels into some of their software code that superficially appeared to be from a legitimate middleware vendor.
Target management publicly indicated that it was only after U.S. Department of Justice agents notified them on December 12 of the stolen data’s existence that the breach was fully recognized and a formal internal investigation completed to figure out what happened. Three days later, the malware was finally removed from Target’s POS systems and IT infrastructure and the cyber gates were closed…but not before the theft of 40 million credit and debit card records, and 70 million records of personal information (e.g., name and e-mail addresses).
Missed the mark?
Target publicly confirmed the data breach December 19. As of the end of 2013 Target had executed the following post-breach activities:
⦁ Hired a team of data security experts to investigate how the breach happened (ongoing).
⦁ Put services in place to ensure customers would have zero financial liability for any fraudulent charges arising from the breach.
⦁ Offered one year of free credit monitoring and identity theft protection to all Target customers for “peace of mind.”
In its wake, Target Chairman, President, and Chief Executive Officer Gregg Steinhafel issued a statement including the following: “We are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security and are committed to learning from this experience.” On January 13, 2014, Target additionally apologized for its data breach with ads in the Wall Street Journal, New York Times, the Star Tribune and other newspapers in its largest U.S. markets. In an attempt to express remorse, Steinhafel got personal and stated in the Open Letter ad, “[I]t is our responsibility to protect your information when you shop with us. We didn’t live up to that responsibility, and I am truly sorry.”
The aftermath of business results was generally negative. Lawsuits are being filed against Target by customers and banks for negligence. Customer anger was not only fueled by the original breach impact, but also by stories of fraudulent credit cards being used in Target stores even after the breach was addressed and stolen credit card numbers were known. This anger spilled out to public sector officials. Target executives, including Chief Financial Officer John Mulligan, were called to testify in February before the U.S. House of Representatives’ Committee on Oversight and Government Reform. The Committee is mandating that Target produce additional documentation on its investigation of the data breach and any human or technology-related failures.
Target spent $61 million through February 1 responding to the breach (according to its fourth-quarter report to investors) – including dedicated customer response operations. Target’s profit for the holiday shopping period fell 46 percent (vs 4th quarter 2012) and its transaction volume suffered its biggest decline since 2008. Target Chief Information Officer Beth Jacob resigned on March 5.
To stem the tide, Target committed to establishing a coalition to help educate the public on the dangers of consumer scams. In addition, Target planned to accelerate the implementation of smart chip-enabled credit cards by six months (i.e., to early 2015). Target press releases cited smart-card technology as a means to dramatically reduce the potential for fraudsters to skim data from POS systems. Smart cards are harder to counterfeit than magnetic strip technology (itself in use since the 1960s) for both POS and ATM transactions. As of 2010 there were over 1.2 billion chip-based cards in use globally. Target committed to spend $100 million for POS and other technologies to support adoption of the new cards.
To further bolster private sector cyber security, Target committed to invest $5 million in a cybersecurity coalition, and the company officially joined the Financial Services Information Sharing & Analysis Center (FS-ISAC, https://www.fsisac.com/) on March 6, 2014.
Not all the news was bad for Target. The retailer received strong backing from U.S. Senator Sheldon Whitehouse, who publicly claimed the company had robust IT and security practices in place. In addition, in early March its stock was trading near $61 – almost unchanged since the day it disclosed the hack. By comparison, shares of FireEye more than doubled from November 2013 to February 2014.
On a related note, Krebs on Security reported that the website deemed most active in selling the stolen Target customer credit cards was itself hacked into sometime in early March 2014. The website was vandalized, and a data breach resulted in the publishing of logins, passwords, and payment information of those who frequent the criminal marketplace. The identity of the perpetrator (whether retaliator or competitor) has yet to be confirmed.
Addendum: Target CEO Gregg Steinhafel resigned May 2014, as first quarter 2014 charges mounted to a net $18m ($26m in total costs were partly offset by insurance reimbursements).
⦁ Target, Corporate websites.
⦁ Riley, Michael, Elgin, Ben, Lawrence, Dune, Matlack, Carol, Kopecki, Dawn, and Wallbank, Derek, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” Bloomberg BusinessWeek, March 13, 2014.
⦁ Bloomberg, Video: “Hacking Timeline: What Did Target Know and When?”
⦁ Krebs, Brian, “Email Attack on Vendor Set Up Breach at Target,” http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
⦁ Herships, Sally, “Target credit hack relied on failings of magnetic strip,” Marketplace, December 23, 2013.
⦁ Kendall, Brent, “Congress on Data Breaches: Lots of Hearings, Little Consensus,” Wall Street Journal, Washington Wire blogs, February 5, 2014.
⦁ Steinhafel, Gregg, “Dear Target Guests,” Open Letter – Advertisement, January 13, 2014.
⦁ Describe the investments in people, process, and technology that Target had in place prior to the data breach incident.
⦁ Describe the nature of the data breach Target suffered. Refer to Figure 1 in the case description, but be sure to also include in your answer any third-party vulnerabilities.
⦁ Assess the reactive steps taken by Target in immediate response (November – February) to the breach. Consider both internal and external stakeholders in your answer.
⦁ Assess the proactive steps taken by Target to help reduce the risk associated with future data breaches. Consider both internal and external stakeholders in your answer.