CYBER BREACH AT TARGET
INTRODUCTION
• Target was established by George Dayton as a discount store focusing on customers who could not afford the high-priced department stores.
• The first Target store was opened in 1962 by the Dayton Company, at the same time as Walmart and Kmart.
• Target’s USP was selling quality products at lower prices in an upscale environment, and it embodied the slogan “Pay Less, Expect More”.
• Target is the 8th largest retailer in the USA, with 1800+ stores across the country, and sells items like household essentials, food, beverages, apparel, accessories, etc.
WHAT IS DATA BREACH?
• According to Investopedia, “A data breach (also known as data
spill or data leak) is unauthorized access and retrieval of sensitive
information by an individual, group, or software system. It is a
cybersecurity mishap that happens when data, intentionally or
unintentionally, falls into the wrong hands without the knowledge
of the user or owner.”
• Target suffered a data breach in November 2013, which was one of the largest cyberattacks in history.
• Hackers stole the credit and debit card information of 40 million customers, and 70 million records of personal information, including email IDs and home addresses.
TIMELINE OF THE CYBER BREACH
• Sep’13: Hackers at an unknown location initiated a phishing email campaign against one of Target's external vendors, Fazio Mechanical Services. The hackers stole all of Fazio's passwords.
• 15th-28th Nov’13: Hackers gained access to Target using Fazio's credentials and attacked a small number of POS (point-of-sale) systems.
• 30th Nov’13: The majority of Target's POS systems had been affected.
• Malware installed: Citadel. Attack method: RAM scraping.
• 2nd Dec’13 onwards: The collected data was exported to an external server based in Russia.
• 12th Dec’13: The US Department of Justice contacted Target about the breach. JP Morgan Chase began alerting credit card companies of a pattern of fraudulent credit card charges initiated at Target.
• 14th-15th Dec’13: Target hired a third-party forensics team to investigate the breach. The internal team confirmed the attack and Target removed the malware from its systems.
• 18th Dec’13: Krebs on Security, an online security blog, gave the first public indication of the breach.
TARGET ANNOUNCES THE BREACH
• 19th Dec’13: Target posted on its corporate website and in a press release that it was aware of unauthorized access to payment card data.
• 20th Dec’13: Target denied theft of PIN numbers and offered free credit and theft monitoring for affected customers for a year.
• 21st-22nd Dec’13: A 10% employee discount was offered to customers shopping in Target stores.
• 25th Dec’13: A payment executive familiar with the breach stated the breach of information.
• 27th Dec’13: Target reversed its earlier position to confirm the theft of PIN information; in addition, CVV numbers and expiration dates had been compromised.
• 10th Jan’14: Target outlined the fact that personal information was also part of the breach.
WHAT WENT WRONG?
• FAZIO MECHANICAL SERVICES: Target did not monitor the security arrangements of Fazio, while Fazio used a free version of a security product called "Malwarebytes Anti-Malware".
• FIREEYE, INC.: The cybersecurity monitor raised an alert, which was ignored. The automatic malware detection and deletion option had been turned off by Target's security team.
• SECURITY TEAM: Non-compliance with the PCI 2.0 norms, which were the bare minimum standards. Weak controls within Target's network made it easier for the hackers to crack the system. The data was then moved from Target’s network, and the stolen data was aggregated at a different proxy network.
WHO CAUSED THE ATTACK?
• Data thefts of this magnitude are usually the work of an organized crew of cybercriminals specializing in stealing data from vulnerable sources.
• The perpetrators behind this attack were from Russia, Ukraine and Romania; a similar crew was responsible for another such attack on ‘Home Depot’ in 2014.
• Once the stolen data was moved out of Target’s network, it was shifted to a server in Moscow; the stolen data was traded in cryptocurrency on rescator.so (dark web).
CONSEQUENCES OF THE DATA BREACH?
Financial losses incurred by Target:
• Q4 sales fell by 6.6%; net earnings dropped by 46%.
• Stock price fell 8.8% within 6 weeks of the breach announcement.
• $162Mn incurred in costs by the end of 2014.
• Reached a settlement with the customers ($10,000 for documented expenses).
• $67Mn settlement with Visa and $40Mn settlement with Mastercard and other banks.
• Additional legal consultation costs.
• Costs incurred towards customer retention.
CONSEQUENCES OF THE DATA BREACH?
• Faced scrutiny by various investigation agencies, govt. institutions, media, etc.
• Lost customer trust and holiday season sale opportunities.
• Lawsuits from customers, banks, credit card services, and investors.
• Individual lawsuits against the board of directors.
• Major loss of brand reputation.
SOLUTIONS
• Monitoring vendors’ security arrangements.
• Abiding by the Payment Card Industry (PCI) standard.
• Firewall configuration.
• Ensuring only allowed ports, services and IP addresses are communicating with the network.
• Segregating the payment processing network from other non-payment processing networks.
• Implementing hardware-based point-to-point encryption.
• Eliminating unneeded default accounts.
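One way to check the allowlisting and segmentation points above against network flow records, as an added example that is not part of the original slides. The zone names, address ranges, allowlist entries and log format are all constructed for illustration and do not describe Target's real network.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed zone layout (assumption, for illustration only).
ZONES = {
    "vendor_portal": ipaddress.ip_network("10.10.0.0/24"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
    "pos": ipaddress.ip_network("10.50.0.0/16"),
    "payment_proc": ipaddress.ip_network("10.60.0.0/24"),
}
PAYMENT_ZONES = {"pos", "payment_proc"}

# Default deny: only these (src_zone, dst_zone, proto, port) tuples may cross zones.
ALLOWED = {
    ("pos", "payment_proc", "tcp", 443),
    ("corporate", "vendor_portal", "tcp", 443),
    ("external", "vendor_portal", "tcp", 443),
}


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    port: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything unlisted is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> Flow:
    """Parse a 'src=.. dst=.. proto=.. dport=..' record (constructed format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(fields["src"], fields["dst"],
                fields["proto"].lower(), int(fields["dport"]))


def check(flow: Flow) -> Optional[str]:
    """Return None if the flow is permitted, otherwise the reason it is not."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "external":
        return None  # intra-zone traffic is outside this audit's scope
    if (src_zone, dst_zone, flow.proto, flow.port) in ALLOWED:
        return None
    if dst_zone in PAYMENT_ZONES and src_zone not in PAYMENT_ZONES:
        return f"{src_zone} -> {dst_zone}: non-payment zone reaching payment segment"
    if src_zone in PAYMENT_ZONES and dst_zone not in PAYMENT_ZONES:
        return f"{src_zone} -> {dst_zone}: unapproved egress from payment segment"
    return f"{src_zone} -> {dst_zone}: not on allowlist"


def audit(lines):
    """Return (Flow, reason) for every record that violates the policy."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        reason = check(flow)
        if reason:
            findings.append((flow, reason))
    return findings


# Constructed sample records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    "src=10.50.3.7 dst=10.60.0.5 proto=tcp dport=443",
    "src=10.10.0.15 dst=10.50.3.7 proto=tcp dport=445",
    "src=10.50.3.7 dst=203.0.113.40 proto=tcp dport=21",
    "src=198.51.100.9 dst=10.10.0.15 proto=tcp dport=443",
    "src=10.20.1.4 dst=10.50.3.7 proto=tcp dport=3389",
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst} {flow.proto}/{flow.port}: {reason}")
```

Run against real firewall or NetFlow exports, a non-empty result means the payment segment is reachable from, or can reach, a zone the policy does not name.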
CONCLUSION
With the increase in data breaches and cyber crime in recent years, it is the responsibility of the firm to adhere to industry standards in building and maintaining firewalls, protecting sensitive information, monitoring its networks, staying attentive to security warnings and correcting unsound practices.