Cyber Breach at Target: Case Study

Cyber Breach at Target: Questions to be answered:

1. What is the primary issue in the case? What is the author(s) trying to resolve?
2. What’s your diagnosis of the breach at Target – was Target particularly vulnerable or simply unlucky?
3. What if anything, might Target have done better to avoid being breached? What technical or organizational constraints might have prevented them from taking such actions?
4. What’s your assessment of Target’s post-breach response? What did Target do well? What did they do poorly?
5. To what extent is Target’s board of directors accountable for the breach and its consequences? As a member of the Target board, what would you do in the wake of the breach? What changes would you advocate?
6. What lessons can you draw from this case for prevention and response to cyber breaches?
7. How would you characterize your role as a director in relation to cybersecurity at your organization? What are some concrete things that you can do as a director to oversee this domain?
8. What do you think companies can do better today to protect themselves from cyber breaches and in their post-breach response?

Primary Issue / Author is Trying to Resolve:

The main issue in this case study revolves around the company Target Corporation, which became the victim of the history’s largest cyber-attacks in 2013. The company confidential financial information about its customers was hacked. The credit and debit card information along with other personal information of around 40 million and 70 million other customers of Target was hacked. The incident led to intense criticism of the accountability of the Target board of directors, its Audit Committee, and its Corporate Responsibility Committee. The author is trying to resolve the issue that to how much extent the board was accountable for such high magnitude breach (Srinivasan, Paine, & Goyal, 2016).

Diagnosis of the Breach at Target

The breach was revealed by Target I December 2013 which was until then one of the largest cyber breaches of all time. The breach led to legislative inquiry investigations, reputation loss, and accountability of the board. The attack started from one of the HVAC vendors of Target who got a standard phishing attack. One of the employees clicked on the attachment, and the vendor got infected with the malware. The hackers used the password of the vendor to access Target portal which provided access to the internal network of the company. The malware was installed on the network, which collected data on credit cards. The weakness of the network security of Target led them to move inside the network. Target ignored multiple alerts from its security setup which shows the vulnerability of the Target system (Srinivasan, Paine, & Goyal, 2016).

How the breaches can be avoided

Target should have implemented a better cyber security alliance and compliance plans with its vendors. The emergency repose system notifications should have been taken seriously. Vulnerabilities of the system should have been identified beforehand. The vendors should adhere to the compliance system, and strict control should have been implemented (Srinvasan, 2016).

Post Breach Response

The response after the breach was reported came in very late. However, it meant ultimately well. The compensation was well developed with investment in security research and credit card fraud watch. New position development for security chief was also a good step. But as mentioned it was all done too late. The company could have expressed more sympathy through internet mediums. They also made false assurances which made it worse.

Accountability of BOD & Changes to be made

The board was sued for negligence. The board needs to be on top of issues like this. The right set of questions needs to be asked. The interest in the process of management of cyber risk by the board is necessary. The vulnerability of the most important assets of the company should be checked periodically. Penetration tests should be conducted. Internal threats should be identified (Srinivasan, Paine, & Goyal, 2016).

Lessons Learned:

The main lesson to learn from this case was that better regulation is to be implemented to limit the fallout of such a crisis. There are so many external parties involved with one organization. A weakness of one party becomes a problem for everyone linked with it. The companies should make their organizational structures efficiently enough to cater to risk management protocols.

Role of Director in Cyber Security

The role of the director is to update the entire stakeholder on the security of the assets of the firm and any measures which the company is taking to strengthen it. The most vital step would be to incorporate vendors and all externalities in adherence to the security protocols. Better training of the staff would be essential too (Srinvasan, 2016).

Preventive Suggestions for Companies

The organizational strategy of staying silent when the story was broke cost its reputation drastically. Other than the securing of the network for any possible malware, the control system after the crisis should also be strengthened. The detection system of the Target internal network was not efficient enough. Other than this, the employees and vendors were not trained enough to identify and respond and report the serious alerts on time. The network security was so weak that it lets them roam for two weeks. The organizational issues were also not set up to help speedy response to problems like this. The access to the vendor of the payment systems should not have been provided as well.

References

Srinivasan, S., Paine, L. S., & Goyal, N. (2016, October 27). Cyber Breach at Target. Retrieved from https://www.hbs.edu/faculty/Pages/item.aspx?num=51339

Srinvasan, S. (2016, December 21). Target’s Expensive Cybersecurity Mistake. Retrieved from https://hbswk.hbs.edu/item/target-s-expensive-cybersecurity-mistake