AUTOPSY OF A DATA BREACH
The Target Case
Allison Linder
Lysanne Loucel
Sreejith R. Nair
Todd Williams
Target Data Breach
• Target Corporation is the second-largest discount store retailer in the United States.
• Target was considered one of the leaders in cybersecurity in the retail industry.
• In December 2013, a data breach of Target's systems affected up to 110 million
customers. Compromised customer information included names, phone numbers, and email
and mailing addresses.
• In March 2015, Target reached a class-action settlement with affected consumers for $10
million (plus class-action attorney fees).
• In May 2016, Target settled with affected banks and credit unions for $39 million (plus
class-action attorney fees), of which $19 million would be disbursed by a MasterCard
program.
The What's?
• What is a data breach?
• What steps did the cybercriminals follow in committing this theft?
• What factors allowed this theft to take place? Or what were the vulnerabilities?
• What were the consequences for the stakeholders?
• What controls or measures can the business take to protect itself?
• What lessons can be drawn from this security incident?
Data Breach
• What is a data breach?
A data breach is the intentional or unintentional release of
secure/private/confidential information to an untrusted environment.
  • Device theft or loss
  • Document errors
  • Weak and stolen credentials
  • Internet spyware
  • Vulnerable systems and applications
World's Biggest Data Breaches
1. Yahoo!, 1 billion, December 2016
2. Yahoo!, 500 million, September 2016
3. MySpace, 360 million, May 2016
4. LinkedIn, 100 million, May 2016
5. Scottrade, 4.6 million, October 2015
6. T-Mobile (via Experian), 15 million, October 2015
7. Ashley Madison, 32 million, August 2015
8. Anthem, 80 million, February 2015
9. Office of Personnel Management, 21.5 million, July 2015
10. UCLA Health, 4.5 million, July 2015
11. Home Depot, 53 million, September 2014
12. eBay, 145 million, May 2014
13. Target, 110 million, November 2013
14. JP Morgan Chase, 83 million, October 2013
15. Sony PlayStation Network, 77 million, April 2011
16. TJ Maxx, 45.7 million, 2007
17. AOL, 92 million, October 2007
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Vulnerabilities & Crime
• A phishing email was sent to Target's HVAC vendor, Fazio Mechanical Services, which had
remote access to Target’s network for things such as billing and PoS.
• The response to the email gave the attackers Fazio’s user code and password.
This allowed them to install malware that steals credentials.
• The attackers disguised the malicious component as a legitimate one to hide it in
plain sight (the "hiding in plain sight" tactic).
• Once the malware obtained the credit card data, it created a remote file share
and periodically copied its local file to the hacker’s remote share.
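Added example (not part of the original slides): the periodic copy to a remote share described above leaves a regular timing pattern that log analytics can surface. This sketch flags source/destination pairs whose file copies recur at near-constant intervals and whose destination is not on an allowlist; the log format, host names, allowlist and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample file-copy events: timestamp, source host, destination host, bytes.
# Host names are hypothetical and do not come from the Target incident.
SAMPLE_LOG = """\
2013-12-02T10:00:00 pos-017 stage-host 20480
2013-12-02T10:00:10 pos-017 patch-srv 1024
2013-12-02T10:03:00 office-22 team-share 900
2013-12-02T10:10:00 office-22 team-share 5000
2013-12-02T11:00:05 pos-017 stage-host 19200
2013-12-02T11:00:10 pos-017 patch-srv 1024
2013-12-02T12:00:02 pos-017 stage-host 22100
2013-12-02T12:00:10 pos-017 patch-srv 1024
2013-12-02T13:00:01 pos-017 stage-host 18000
2013-12-02T13:00:10 pos-017 patch-srv 1024
2013-12-02T13:40:00 office-22 team-share 700
2013-12-02T14:00:04 pos-017 stage-host 21000
2013-12-02T18:00:00 office-22 team-share 300
"""

ALLOWED_DESTINATIONS = {"patch-srv"}  # assumed allowlist of sanctioned servers
MIN_EVENTS = 4       # need several copies before judging regularity
MAX_JITTER = 0.10    # stdev/mean of the gaps; at or below this counts as periodic


def find_periodic_copies(log_text):
    """Return (src, dst, events, mean_gap_seconds, total_bytes) per periodic flow."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the scan
        ts, src, dst, size = parts
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(size)))

    findings = []
    for (src, dst), events in flows.items():
        if dst in ALLOWED_DESTINATIONS or len(events) < MIN_EVENTS:
            continue  # sanctioned destination, or too few events to judge
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:
            findings.append((src, dst, len(events), round(avg), sum(s for _, s in events)))
    return sorted(findings)
```

On the constructed log, only the hourly pos-017 to stage-host flow is reported; the equally regular copies to the allowlisted patch server and the irregular office traffic are not.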
Ignorance
• Target’s FireEye advanced monitoring system noticed suspicious activity and
alerted Target on the first data transfer, and the alerts escalated from there. Target
chose to do nothing in response.
• The software itself could have prevented the attack, but Target chose to deactivate
this part of the software as it was new and unfamiliar.
• Target’s own anti-virus system had detected foul activity, and these warnings were
also ignored.
Market Reaction
NYSE: TGT – Nov 2013 – Dec 2015
The breaches had a short-term effect on the market but little impact in the long term. Industry analysts
have inferred that shareholders are numb to news of data breaches.
Breach Aftermath
• Target CEO Gregg Steinhafel Steps Down
• COO John Mulligan attended U.S. Senate hearings where his company was grilled for
the way it handled the breach.
• Target Vendor Fazio Mechanical Services acknowledges Breach.
• CIO Beth Jacob resigned on March 5
• Target elevated a new role/position, Chief Information Security Officer.
• The Consumer Lawsuit - The claim in the consumer lawsuit is that the breach was
avoidable and occurred because Target did not take proper precautions in protecting its
computer systems.
• The Bank Lawsuit - The claim in the bank lawsuit is that Target's actions and inactions
- disabling certain security features and failing to heed the warning signs as the hackers'
attack began - caused foreseeable harm to plaintiffs.
6 Steps To Prevent A Data Breach
1. Stop incursion by targeted attacks.
2. Identify threats by correlating real-time alerts with global intelligence.
3. Proactively protect information.
4. Automate security through IT compliance controls.
5. Prevent data exfiltration.
6. Integrate prevention and response strategies into security operations.
Lessons Can Be Drawn From This Case
• EMV Technology Alone Is Not Enough to Stop Fraud
• Network Segmentation Is a Necessity
• Third-Party Oversight Is Part of Compliance
• Log Monitoring Needs Analytics
• Executives, Boards Are Accountable
• Retailers May Be Liable for Breaches
• Cyberthreat Intelligence Sharing Must Improve
Citations And References
• http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
• https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-prices
• http://info.rippleshot.com/blog/everything-you-need-to-know-about-the-target-data-breach-lawsuits
• http://www.cio.com/article/2600345/security0/11-steps-attackers-took-to-crack-target.html
• http://quotes.wsj.com/TGT
• https://www.forbes.com/sites/sungardas/2014/01/17/five-lessons-for-every-business-from-targets-data-breach/#6b78f7c16563
