Briefly describe the incident and then provide an analysis of the way the company handled the issue drawing on the various theories covered in this unit.
Target Corporation Data Breach
With the rising level of competition, many organizations are focusing on the integration of technology in provision of their services. However, there are challenges associated with the integration of technology including data breach issues. There are various disasters affecting the operations of the businesses irrespective of the operational scope: locally and internationally. The disasters that affect businesses occur in every part of the world and results from different sources: natural or human induced. With advanced technology, businesses are incorporating various technological elements without considering employment of services from experts to assist in improving protection of the database (McGrath, 2014). Nonetheless, management scientists and Information Technologists has been in a position of incorporating technology and business though it is vital that business entities note the rising number of illegal activities especially invasions of databases (Ayala, 2016). The chosen business for the report is Target Corporation, who experienced data breach in which the business lost huge sum of moneyfor compensation and the trust of customers. The incident not only lead to loss of money and trust of the customers, but also made the government question securitiesthat safeguard client data.
Target Corporation is a discount retail shop with its headquarters located in the United States, Minnesota. In the United States, there areincreasing number of retail shops, and competition is very stiff that most organizations focuses on the provision of services rather than the welfare of the customers. With its marketing strategies and objectives to provide customer focused services, the corporation managed to acquire its current market position and competitive advantage to be the second largest within the country after Walmart(McGrath, 2014). The corporation serves a wider market scope. Moreover, through the years, Target Corporation has been experiencing growth and change in management, as a result, in 2015, it has an estimated 1,801 outlets across the country. Additionally, to increase its operational scope, the corporations provides services in different methods such as discount store Target, hypermarket SuperTarget, and other smaller franchises including CityTarget and Target express before they received Target branding (Clark, 2014).
Data breach in the corporation
With the rising level of technology use, the corporation was on the forefront of the retail industry integrating various technological elements. However, in the mid-December 0f 2013, the corporation experienced a cyber attack that attracted the headlines of several media platforms. The hackers managed to find their ways through the corporation’s database, which gave them access to credit card and debit card numbers of customers. With such information, the hackers had the opportunity of undertaking various activities illegally on behalf of the affected customers (McGrath, 2014). The hackers mainly targeted personal details. Since the corporation had a customer base of 40 million, all of them experienced the negative effects with the access of their credit and debit cards accounts. However, during the investigation by the corporation, the number of affected customers increased to 70 million after considering other information that the hackers accessed from the database(Clark, 2014). The investigative report revealed that about 42 million of the clients had all their debit and credit card information retrieved with some of the areas experiencing major impact of the hacking including Florida, California, and Texas.
With the advancement of technology, the uses of various malicious programmes
such as hacker tools, key loggers, remote administration tools (RATs), spyware, Trojans, and worms are on the rise with criminals sending such programmes to the management systems of their targeted institution. The hackers use this as their major method in accessing the corporation’s database. Since the hackers had more interest on the payment system, which they installed a malware in the organizational self-checkout lanes. To allow effective investigation, the corporation’s Chief Executive Officer, Gregg Stenhafel had to resign considering the increased level of pressure from the affected customers seeking compensation for their losses. Various institutions undertook the research on the similar event (Joseph, 2015). However, their reports indicated that the hackers had been on the organization system for more than five months with the corporation only realizing later that it had lost its financial system. In addition, the report indicates that between November 27 and December 15 of 2013 more than 40 million potential customers who had been using their credit and debit cards within the United States had some of their personal information retrieved from the organizational system. To establish the reason behind the attack and the mechanism used, the management of the corporation met with the United States Department of Justice on December 13th. Target Corporation took much time to notice and respond to the attack, which increased the level of impact the attack had on the corporation. To ensure effective audit on the attack, the corporation hired the services of a third organization, KrebOnSecurity that conducted forensic audit on the hacking claims of the corporation. From the audit, it was evident that the hackers had infiltrated the database(Ayala, 2016). Furthermore, the report revealed that the hackers accessed the database easily since they had installed the malware programme within the networks of point-of-sale (POS) which made it easy to steal the payment credit and debit cards of the potential customers. The corporation managed to remove all the malware virtually from the stores; however, the public remained in the dark on organizational data breach (Clark, 2014). Institutions such as KrebOnSecurity, Data and Security Blogbrought the information to the public through their reports. As a result, the Country’s Secret Service was aware of the attack and commenced the investigation on the attack on December 18, 213. The day after KrebsOnSecurity reported organizational attack to the public, Target Corporation publicly accepted the breach on its database though cited that it was taking a serious investigation on the manner in which the hackers broke through the system. The corporation also investigated other vital information that the hackers accessed including the numbers of both debit and credit cards, expiry dates of the cards, and the cards that had on indication of interference with their personal information number (PIN).
It is important to note that the hackers are always up to date with the latest technological parameters, which makes controlling their activities difficult. Within the corporation, the hackers implanted the software with the ability of capturing the credit card numbers used for shopping which made the criminal to have command of the institutional server (Manworren, Letwat, & Daily, 2016, 259). Such incident revealed the level of connection among the hackers. Furthermore, the study undertaken by the corporation focused on the level in which the crimes involving hacking has become common and conventional hackers managed to approach the corporation to execute their attack. Approximately six months before the occurrence of the incident, the corporation commenced the installation of a $1.6 million malware detection programme from FireEye (FEYE) which is a computer security firm (CBS Minnesota, 2015). FEYE is better placed to assist the corporation manage its security threat issues considering its association with the Central Intelligence Agency (CIA) and The Pentagon. Institutional reputation made the corporation to choose FEYE. Additionally, Target Corporation has a team of security experts operating from Bangalore assisting in monitoring the systems and computers of the corporation across the globe. The corporation’s security system are designed in a manner that if the experts in Bangalore notices any programme that they consider suspicious, then the system would notify the operations centre of the corporation located in Minneapolis.
Saturday November the 30th, the hackers already made their trap for the corporation and only remained with a single thing to do before executing their attack; planning the escape route for the data. Consequently, the hackers were in a position of uploading exfilteration malware that would assist in moving the stolen credit card numbers. To ensure that they were untraceable, the hackers had to cover their tracks around the United States through spreading their points then into computers located in Russia. Nonetheless, with high technology used in FEYE, the organization was able to sot them and alerted the experts in Bangalore who later had to flag the security threat to team in Minneapolis after validating the report. However, the corporation never took any action on the report. For reasons known to the corporation, the office in charge of security never reacted to the sirens. In addition, the research undertaken by Bloomberg revealed that the corporation used alert systems in the protection of the bond between the retailer and the customers. The corporation neglected the pleas and compensatory damages of the customers; as a result, the affected customers filed different lawsuits against the corporation and the bank. From the law suits, the corporation spent more than $61 million responding to the needs of the affected customers. In a testimony laid before the Congress, Target Corporation confirmed that it only noticed the incident after US Department of Justice notified it on the issue.
Corporation’s Response to the Incident
Advancement in technology increased the level of susceptibility of businesses. Nonetheless, the mechanisms used to handle the situation determines that the level at which the business regains the loyalty and trust of the potential customers. Target corporation established its brand for more than 50 years based on trust of the customers(Bovée, 2003). However, in handling the incident, the corporation failed to involve its potential clients. Restoring the confidence of the customers is inevitable. Data breach at the corporation contributed to decline in corporation’s image(Clark, 2014). In addition, the corporation had to pay $61 million for various activities: paying for legal fees, credit monitoring, software update, reimbursements of customers, and others costs involved in cyber attack.
The corporation lost the trust of its customers that led to reduction of sales after the breach. Beside sales reduction, the profitability of the corporation has also declined by 50% in 2014 which resulting in the changes of purchase habits of customers considering that most of them feared losses and trauma associated with data breach. However, the customers who remained loyal to the corporation cited that they are likely to consider using cash rather than their credit or debit cards which clearly reflect reduction in consumer purchase power (O’Neil, 2015, 79). To solve data breach stalemate, the corporation had to investigate the matter seriously to establish if there were workers involved in the hacking activity. Consequently, the corporation involved the services of the Secret Services and the US Department of Justice in bringing the criminals to book. During investigation, the CEO pushed the corporation to embrace the new credit card technology for its consumers around the United States. These new credit cards use technology integrated with a chip and PIN number system replacing the vulnerable ones, which the hackers were able to siphon money from the accounts of the customers (Gray & Ladig, 2015, 125). To some extent, some financial institutions like JP Morgan Chase & Co. managed to place daily limit transactions for potential customers with the debit cards and those affected with data breach. As a security measure, the corporation managed to invest $1.6 million to install a malware programme to assist with the detection of security threats that result from various hacking activities. Considering that the corporation mainly deals with credit and debit payment systems. Additionally, the corporation focused on investing on investigation of various internal processes and systems aim of reducing the probability of such incidents occurring again (Bovée, 2003). According to the corporation, removing the malware virtually would remedy the situation. Reports from the KrebsOnSecurity compelled the Secret Service to investigate the issue, which in turn forced the corporation to announce security breach to its customers.
In the advent of technology, businesses are rushing to integrate various technological components without considering the threats associated with cybercrime. Globally, consumption and purchase behaviours of the customers are changing making businesses to focus on technology to improve efficiency. Target Corporation increased its level of susceptibility to the cyber attacks by failing to take immediate action to remedy the situation after realization(Bovée, 2003). Currently, the decision that the corporation made more than two years ago made it loose trust and confidentiality of the customers. Through collaborating with state agencies such as Secret Service and Department of Justice, the corporation managed to calm the situation and reduced the effect on more customers.
Ayala, L 2016,‘Cyber-physical attack recovery procedures template’,Cyber-Physical Attack Recovery Procedures, Vol. 4, No. 2, pp. 49 – 155.
Bovée, CL 2003,Contemporary public speaking, San Diego: Collegiate Publish Group, viewed 5 October 2016,<http://minnesota.cbslocal.com/2015/03/10/first-wave-of-job-cuts-expected-at-target-corp-tuesday>
Clark, M 2014,Timeline of Target’s data breach and aftermath: how cybertheft snowballed for the giant retailer, viewed 5 October 2016, <http://www.ibtimes.com/timeline-targets-data-breach-aftermath-how-cybertheft-snowballed-giant-retailer-1580056>
Joseph, A2015, U.S. judge certifies class action over Target Corp data breach,Viewed 5 October 2016, http://www.reuters.com/article/2015/09/15/us-target-lawsuit-databreach-idUSKCN0RF2GG20150915
Gray, D., & Ladig, J 2015, The Implementation of EMV Chip Card Technology to Improve Cyber Security Accelerates in the U.S. Following Target Corporation’s Data Breach. International Journal of Business Administration, 6(2), 122-131.
Manworren, N., Letwat, J., & Daily, O 2016,. Why you should care about the Target data breach. Business Horizons, 59(3), 257-266.
McGrath, M 2014, Target data breach spilled info on as many as 70 Million customers, viewed 5 October 2016,http://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/#268d1f16bd10
O’Neil, F 2015, Target data breach. Proceedings of the 33rd Annual International Conference on the Design of Communication — SIGDOC ’15, 4(2), 74-88.