Abstract
Target Company is in the limelight due to its effective data security systems. However, in 2013, the biggest data breach changed things for the company due to different consequences. Russia controlled the data breach. Hackers or Cybercriminals, one of the prominent risk sources for Target Company, attacked sales terminals through a phishing email to the business partner’s employees. Despite having security layers in the modern system, hackers were able to steal debit and credit numbers a, customer contact numbers and necessary related information. The company streamlined the consequences of this data breach and contained some key strategic considerations to prevent these incidents in the future.
Key Words: Data Breach, Consequences, Cybercriminals, hackers, Information Security
Introduction
Target’s information security system is effective due to the development of different security measures. However, the data security or information system is to be changed or monitored sharply to prevent data breach. An autopsy of a Data Breach is a target’s case, which indicates a major data breach. The company faced many consequences of the data breach in the competitive retail market. To understand the data breach, causes, loopholes, major players and future strategies, a comprehensive analysis is required.
The analysis is divided into five parts. Summary, risk sources, the impact of the data breach, control measures, and different lessons are five main parts of the study.
Part 1: Summary of Main Events
· What is a data breach?
The data breach is unauthorized access to the information systems of an organization to derive the information. The data breach is a kind of data-stealing process by different cybercriminals. Entering the information system of the organization without an authorization can hurt both customer and company in many ways. Despite having some key data security measures in the company, the information system of big companies such as Target is quite vulnerable (Dube, 2016).
· Major types of data breaches
Different types of data breaches are in the limelight. The management of the company must be aware of these types of data breach to strengthen the security systems. The denial of service is one of the most prominent types of data breaches. The website can be overwhelmed by different users, and it restrains the user’s request. As the name suggests, it denies users the chance to operate on the site. The second type of data breach is malware. It depicts viruses, worms and different types of Trojans. The third type of data breach is Ransomware. It is destructive for many organizations. It takes control on data on the big scale and prevents users from using it. It is a fact that companies have to spend money to restore or regain control. The fourth type of data breach is password attack. This data breach attacks insecure passwords. Interestingly, hackers intend to use several passwords to get the right one and use the important information. Another prominent data breach type is phishing. Hackers use this process to steal information through emails or phone calls. Several levels of misrepresentation are to be used to have access to sensitive information (Hackett, 2015).
· Impacts on consumers, retail organizations and banks
The data breach creates a negative impact on customers, retail organizations, and banks. On customers, the impact is negative. Hackers intend to derive customer information. Personal information of customers can be stolen. It impairs relationships with customers. Customer loyalty can be damaged because the customer can depict frustration. Customers perceive that the company is exploiting their information to gain benefits. Stolen customer information can convert customers. Customers usually depict trust in the company regarding information security. In this digital business world, an immense range of customers around the globe buy products and services from different online platforms. If the information is not secured or it is stolen by cybercriminals, they may find other alternatives. Thus, it can be said that customer conversion can create an impact on sales, perceptions, and the positioning process (Yang & Jayakumar, 2014).
On the other hand, the impact on the organization is also negative. First, the company may lose its customer base, and it can also create an impact on sales and revenues. The retail market is quite competitive, and customers may find platforms which are secure and reliable. The biggest disadvantage that the company can face is the lack of competitive advantage. The data breach can impair the brand image of the company. The data breach depicts the weakness of the information system infrastructure. The cost of the data breach is quite high, which can limit other organizational operational. Ultimately, it can hit the profitability of the firm, which is also a prominent consequence (Reuters, 2017).
Bank operations due to the data breach may also be impaired. The biggest disadvantage that the bank can face is the financial barrier. Hackers may hit financial transactions and impair the flow of the process. Association with different organizations can be overturned. The banking system is based on security infrastructure, and it makes the whole system vulnerable.
· Prevention Measures
Based on the nature of the business and type of operational process, the management of the company may come up with different measures. Despite containing effective data security strategies or systems, the development of prevention measures seems imperative. For Instance, having security software updates frequently is one of the most important prevention measures. These security updates can help the company to derive information regarding advanced data security techniques and features of the software. Having updates indicates the workability of the information security system. Destroy before disposal is another key prevention measure for the company. For Instance, the company can measure the success of the security system through considering the numbers of destruction before disposal. Identification of the threat early by the system frequently in the firm is the best measure regarding the effectiveness of the security a system (Olavsrud, 2014).
· Human aspects of information security
The major human aspect of information security is the training and development of employees. For Instance, the firm can train its employees to develop IT skills. The company can make a team of IT experts to build an infrastructure that may contain strong security layers. The monitoring and operations of information security are possible through the internal workforce. On the other hand, the human aspect can also be negative. In the external business environment, cybercriminals are the main culprits of the data team. Interestingly, these people are also IT experts. However, these humans are intended to damage the systems to gain personal benefits (Newman, 2013).
· Examples of other large-scale data breaches
Many examples are in the limelight regarding the data breach. The data breach has been observed in the adult friend finder. This data breach caused 412 million accounts to be compromised. It is one of the biggest data breaches in 2016. Yahoo faced the biggest data breach, and it caused the loss of 3 billion accounts. Yahoo claimed that this data breach was conducted by the state-sponsored actor. Email addresses, phone numbers and other personal information of users were stolen by hackers. The loss of $350 million hit the financial capability of the company (Dube, 2016).
The adult friend finder was the victim of the data breach in mid-October 2016. Hackers or cybercriminals stole 20 years of data of customers in the form of emails, phone numbers, and home addresses. Similarly, a massive data breach has been observed in eBay Company. 145 million user accounts were compromised in this data breach. Financially, it caused huge damage to the company. Cybercriminals used credentials of different employees of the company to steal the information. In 229 days of the data breach, cybercriminals had access to customer information such as credit or debit card information, transactions, and passwords. It impaired the image of the company (Dube, 2016).
· Understanding the case events
Target Company faced a massive data breach in 2013. The company publicly revealed this massive data breach. Information of 40 million debit or credit cards was stolen by cybercriminals. Personal data, home addresses, emails, and telephone numbers have been compromised, and it caused immense damage.
Several causes are quite visible in this case. To understand the case event, it is necessary to go deeper into the case and derive some key insights.
· Events leading up to the Target data breach
Target Company contained effective prevention measures regarding information security. It is a fact that the target company was the leader in cybersecurity in the competitive retail market. It has been revealed that the company invested heavily in the development of the IT infrastructure. Despite having multiple security layers in the It infrastructure, the system was still vulnerable. Interestingly, an international data security standard was adopted by the company to make the whole system strong and make it less vulnerable. However, unfortunately, despite having these prevention measures or strong IT infrastructure, cybercriminals contained the unauthorized access. Vulnerabilities existed in the IT process of the company, and it is the major factor that provided the lead to the biggest data breach. The information security of the company was triggered by the third-party provider. Also, hackers played an important role in this data breach. Hackers knew system vulnerabilities, and it was also a big lead to get access to customer data. Ineffective data security strategies of the company were also kind of loopholes. It can be said that the firm was over depending on the automated system. Human aspects in this data breach are quite visible. However, the impact or consequence was negative. The whole process of the data breach can help to understand different factors, which provided the lead to the data breach (Hackett, 2015).
· How did it happen?
The story starts from the Fazio Mechanical. This company was a vendor of the company and had access to the network of the target company. The access to the target’s network was purposeful. For Instance, the company has access to electronic billing, project management, and contact submission. It has been observed that hackers or cybercriminals used Phishing as a key data breach type to have access to the system. Cybercriminals send phishing emails to the employees of this company to get the username and password. This username and password were to be used on sales and payment terminals of the company. Unfortunately, the employees responded to that email, and it helped cyber criminals to have unauthorized access. The payment network system was integrated with the point of sales network. Responding to the Phishing email was the biggest event that caused this big data breach. Cyber criminals were able to install their malware in the system and derive the information. It has also been revealed that the company received many alerts from third parties, based in Bangalore. Unfortunately, the firm did not pay attention to these alerts. It is also a big event that is also one of the prominent causes of the security breach. Additional anti-virus or malware systems provided additional alerts for the company. However, these alerts were ignored by the management or team of IT experts. It was unfortunate for the company (Kassner, 2015).
· Who are the bad actors?
Bad actors in this whole data breach were the employee who responded to the phishing email, cybercriminals, IT experts of the company, and the Fazio Mechanical. Interestingly, the security collapse revolves around these bad actors. However, as far as the data breach of Target Company is concerned, it has been observed that the organized team of cybercriminals, based on Russia, was the real bad actor. The main suspect of the company was the 22 years old Ukrainian boy. It was a complete team of programmers, who identified the vulnerability of the target’s system. Interestingly, this group contained a bad reputation due to six successful data breaches, including Home Depot data reach in 2014 (Dube, 2016).
· How was the data breach accomplished?
The data breach was accomplished by getting access to the payment network systems. Interestingly, the data breach was done easily by these by cybercriminals bad actors. They have access to the payment network system of the company through a Phishing email, and further had access to the point-of-sale terminal. Installing the malware to point to the sales terminal depicted the vulnerability of the system despite having multiple security layers. Thus, successfully, cybercriminals got access to debit and credit card numbers, phone numbers and many other home addresses. The data breach was well accomplished by bad actors or cybercriminals (Marks, 2017).
· Events after the data breach
Several events happened after this data breach. For Instance, target management eradicated all software used by cyber criminals. The purpose was to secure the company regarding information. However, the damage was done by cybercriminals. It has been observed that 10% of the debt and credit card circulation was affected due to this data breach. It was the major event because people were restrained from using their debit or credit card due to the information security risk. It seems the big event after the incident that hit the company financially. Also, right after the operation, the company started the customer relation operation. It was the customer relationship campaign for customers convince them. The management wanted customers to reuse their debit and credit cards. They told the customers that all malware or infected systems were removed. However, the damage was too big, and it was tough to regain the sales growth early. After the announcement, an immense range of customers was updated with calls (Dube, 2016).
· What did Target know and when?
Target Company knew about the incident, and therefore, the management of the company revealed it publicly. The data breach occurred in the charismas season, including the black Friday. Target management knew that it was the busiest month of the year, and therefore, they had to take some immediate actions.
Part 2: The Sources of Risks (Analysis of Target’s Risk Sources)
Some risk sources are quite visible when it comes to data breaches in an organization. For Instance, these risk sources are incompetent employees, rogue employees, hackers, business partners, technology components, and main risk sources that jeopardized in the target’s data. The elaboration of all these risk sources is as below.
· Incompetent employees
Employee competency is a major part of employee awareness regarding several information security threats. The employee incompetency in this organization was a major concern. Despite containing the training and development process in the company, employees were not able to assess the information and navigate some key alerts sent by third-party providers. As mentioned, several alerts were sent by other third-party operators. Employees of the company did not pay attention to these alerts. The employee incompetency example can be justified by mentioning the response of an employee to a phishing email. It seems unfortunate that even the third party also suffered from employee incompetency (McCoy, 2017).
· Rogue employees
Rogue employees are a big threat to the target company. It is a fact that the company was criticized due to the failure of the internal data or information security. Rouge employees of the company created some key loopholes for cybercriminals. Despite knowing initial alerts, they ignore and sustain the work process to save time. They had to make the necessary interventions in the system to get things done in favor of the company.
· Hackers
Hackers are a huge risk from the company due to their capabilities, skills, and intentions. Hackers intend to target a big corporation, which contains some prominent loopholes. Hackers, working internationally, are the real threats because they are really bad actors. They know the strengths and weakness of the company and can design malware, which can be injected at any touch point. This big risk that the company is usually contained in the form of hackers is the data transfer. In the Target case, hackers were able to transfer the data to another service, based in Moscow. The quick data breach and execution are enough for the intended damage.
· Business partners
The risk of a business partner is always with the target company. The company has different security layers and data protection systems at a different level. However, the system is always vulnerable if the business partner does not have the prevention measures. The business partner is a big risk for the company regarding the data breach. Fazio Mechanical Services was the business partner of the target. This company did not train its employees in a highly vulnerable IT environment. The business partner usually shares the business operations with the company, and it always makes the system vulnerable. Thus, the combined billing operation was the open risk source for hackers, and it was justified later (Dube, 2016).
· Technology Partners
The technology partner is also a prominent risk source for the company. Usually, technology providers have to maintain the data security system of the company. The technology partner usually has access to the internal environment of the company. The technology partner was Fazio Mechanical Services, and it had access to the online billing system. It was the open risk source for the company because it opened a way for hackers to attack through this way.
· Technology Components
If any organization is using outdated technology or technology components, it contains data risk. Outdated technology can create many loopholes in the information system of the company, and it seems simple for hackers to have access. It can be said that old or outdated technology components provide many options for cybercriminals to attack the company. Technology components are risk-free if they are updated, and it creates a positive impact on the whole information system of the company (McGrath, 2014).
· Main risk sources (vulnerabilities) that jeopardized Target’s data?
Main risk sources that jeopardized the target ‘s data were a business partner, hackers, and incompetent employees. As mentioned, the company had already some prominent security layers at different touch points. However, the business partner, based in Pennsylvania, was the biggest security risk. This business partner also had effective and updated technology for the security and safety of the system. However, still, it had to depict some prevention measures to make the difference and save target from this massive data breach. Another risk source that jeopardized the target’s data was employee incompetency. It was tough for the company to save the information through incompetent employees. Employees, despite having the appropriate skills, were unable to detect initial security alerts. It was the depiction of incompetence, and it restrained the company to create or shape some prevention measure of data security strategies. Hackers also jeopardized the data of the company. The biggest threat that the company experienced was the extraordinary programming skills of these hackers. Interestingly, they are more competent them internal IT experts.
· Who played what role in the breach?
The business partner or third party played a destructive role in this data breach. One of the employees of the company was incompetent because he did not assess phishing email as a key threat to the company. Responding to that email makes the role of the employee in the company controversial. It was tough for the target company to stop unauthorized access from the business partner’s workplace. The internal force of the company, especially in the information security department, also played a negative role in this data breach. The company was dependent on responses to initial alerts to justify the system’s effectiveness. Thus, the role of employees in this data breach is negative.
Part 3: The Impact of the Data Breach
The impact of the data breach was negative. Apart from the cost of the data breach, the firms faced negative consequences in the competitive retail market. Of course, the breach caused the prominent impact and elaboration is as under.
· What impact did the breach have?
The impact of the data breach was not in favor of the company. Failure to act on the initial alerts caused the bad reputation. Right after the breach, the company management failed to sustain its customer service process. The response to customers was a big challenge at that time. In 2013, it was observed that customer perceptions changed with the passage of time after the data reached. The company was no longer trustworthy for all key stakeholders. In all surveys, the brand depicted a negative score due to the negative customer perception. Financially, it also hit the company. The negative score in all surveys created an impact on financial stability. For Instance, the decline in the revenue growth was a major financial setback for this company. 5.3% revenue drop was a big thing to worry about for the management of the company. Another prominent impact on the company was the cost of the data reach. The company spent $61 million on the recovery, and further, it was offset by $100 million due to cyber insurance (Dube, 2016). Apart from the company’s image, the financial capability of the company was damaged due to this data breach. The impact of the breach has been seen in the internal business environment. Many employees of the company have been investigated by company management. The resignation of the chief executive officer was a huge setback for the company. The impact of this data breach on different current projects was not good. Interestingly, the firm decided to put $100 million in the development of the point of sales development instead of competing for the chip and personal identification number system project. The company divided the cost of the project, and it caused the delay. Ultimately, the main victim of this data breach was the customer. Personal information about an immense range of customers was stolen. Even after this incident, customers were struggling in the cancelation of the card. The cost for the financial institutions was $200 million (Dube, 2016).
· Were its effects only negative?
This data breach did not only create a negative impact. The management of the company found some loopholes and many possibilities to strengthen the data security system. It was a big incident, but the company looked determined to reshape the data strategy. All sale terminals were replaced by the company after this incident. The company, despite facing the big cost, took it positively to improve the information system process. It opened new ways for management to improve data security, create some new prevention measures, train employees, and reach hackers for better protection (Yang & Jayakumar, 2014).
Part 4: Control Measures
Several control measures are to be adopted by the management of the company to enhance the visibility of data security. For Instance, some strategies have been executed by the company right after the incident. However, some thoughtful strategic considerations must be taken to make the difference.
· What had Target already done?
Target Company has done the transformation or overhaul of its information security system, infrastructure, and practices. The company intends to change the whole system and replace it along with some new security and control measures. The management of the company has shaped a new security system that helps to centralize all data management or security activities.
· What should it have done?
Target, after the data breach, is aware of the different risk sources. However, some key security controls to enhance data protection are establishing alternative password systems. Instead of using a password as a traditional technique, scanners can be used. Installing an updated firewall, securing all technological devices, including laptops and mobile phones, makes an appropriate schedule of backup. The big thing that the company can do to prevent the data breach is the education of employees. Employees of the company must be trained instead of depending on the third-party provider. Employees must be aware of data security because ultimately, they have to operate systems. Technologies, data, software, and performance of employees are to be navigated or monitored steadily to identify loopholes with the time and make some improvements. Target had a good security system, but it did not evolve with time. Now, it seems a great opportunity for the company to look forward and ensure remarkable data security (Kassner, 2015).
Part 5: Lessons to be drawn from the Target Case
· Learning from the case
Many lessons can be derived from this case study. Target, being one of the most prominent retailers in the world, is aware of different risk sources. The evolvement of the data or information security system is necessary to integrate with new trends in the IT industry. As mentioned, the company was protected due to the additional security layers and advanced IT tools. However, still, hackers found some weak points or loopholes. Thus, improvements or evolvement with time are mandatory, and it seems the major lesson learned from the case. The big lesson that can also be derived from this case is the navigation of the risk sources. It is a fact that any data or information security system contains the risk. The firm has to develop some prevention measures to measure the performance of IT employees and IT systems. The firm must have some key prevention or control measures for business partners as well. The most important thing is to secure the information of the customer at all key touch points. Another learning aspect of the case is the reaction of the company. Remarkably, the firm maintained the consequences and depicted its determinations of further development. The company took this incident as a challenge and regained success. Being a student of business, I must ware of all these business uncertainties and possible consequences to become like a better future leader or manager (Newman, 2013).
· Take Away as a Future Manager
The biggest takeaway as a future IT manager in the company is learning and development by the time. The company was depending on a third-party service provider, which was a big mistake. Being a future manager in the company, I would like to make different segments of teams to centralize the security functions. Traditionally, the firm trains employees to learn the data security systems, operations, and consequences. However, as a future manager, I would like to train employees with the perspective of cybercrime. For Instance, being an IT manager in the target company, I must know possible loopholes in the system. By using technical, cognitive, and administration skills, I can contribute to the success and sustainability of customer’s data in the company.
· Surprising aspects of this case
The surprising aspect of this case is reselling the data on different websites. Interestingly, hackers were operating from Russia, and surprisingly, they were well trained. I wonder how these hackers survived in the highly protected business environment of Russia even after successful data breaches. The most surprising aspect of this case is the capability of hackers. Probably, these are well qualified, skilled, and old employees of any retail company. Targeting an employee who had to respond in the case is a surprising aspect as well. Target has remarkably regained the positive perception of customers in the competitive retail market. Surprisingly, the company responded to this bug data breach effectively despite experiencing the financial loss in the competitive market (Dube, 2016).
Conclusion
In the end, it is to conclude that the target company is quite capable of facing different consequences of the data breach. The firm has to build strong internal and external data infrastructure to avoid or prevent these data breaches. The incident is big for the company, but it can be considered as a lesson to secure the future in the future digital world. In this comprehensive analysis of the case, causes of the data breach, main players, consequences and pertinent strategies have been illustrated along with several insights. Target aims to avoid these data breaches in future to secure the customer information and retain them for the long run.
References
Dube, L. (2016). Autopsy of a Data Breach: The Target Case. International Journal of case studies in management, 14(1).
Hackett, R. (2015, March 27). How much do data breaches cost big companies? Shockingly little. http://fortune.com/2015/03/27/how-much-do-data-breaches-actually-cost-big-companies-shockingly-little/
Kassner, M. (2015, February 2). Anatomy of the Target data breach: Missed opportunities and lessons learned. https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
Marks, S. (2017, February 22). What Target Should Have Done to Prevent Their Security Breach. https://www.business.com/articles/target-done-prevent-security-breach/
McCoy, K. (2017, May 23). Target to pay $18.5M for 2013 data breach that affected 41 million consumers. https://www.usatoday.com/story/money/2017
/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/
McGrath, M. (2014, January 10). Target Data Breach Spilled Info On As Many As 70 Million Customers. https://www.forbes.com/sites/maggiemcgrath
/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/#5dc266de7954
Newman, J. (2013, December 19). The Target Credit Card Breach: What You Should Know. http://techland.time.com/2013/12/19/the-target-credit-card-breach-what-you-should-know/
Olavsrud, T. (2014, September 2). 11 Steps Attackers Took to Crack Target. https://www.cio.com/article/2600345/security
0/11-steps-attackers-took-to-crack-target.html
Reuters. (2017, May 24). Target Settles 2013 Hacked Customer Data Breach For $18.5 Million. R https://www.nbcnews.com/business/business-news/target-settles-2013-hacked-customer-data-breach-18-5-million-n764031
Yang, J. L., & Jayakumar, A. (2014, January 10). Target says up to 70 million more customers were hit by December data breach. https://www.washingtonpost.com/business
/economy/target-says-70-million-customers-were-hit-by-dec-data-breach-more-than-first-reported/2014/01/10/0ada1026-79fe-11e3-8963-b4b654bcc9b2_story.html?utm_term=.ba7df995d190