Target Corporation in the United States That Experienced the Data Breach - Case Study Example

Name Professor Course Date of submission Introduction There are several disasters affecting most businesses globally almost on a daily basis. However, it is important to note these incidents are either naturally occurring or induced by human activities. With the rising use of technology and its advancement, most businesses are shifting to technological uses to reduce the management cost without considering the underlying factors associated with technology. Although scientists and researchers have been able to incorporate technology and business management, it is important to note that several malpractices have also been able to erupt with most businesses exposed to hacking activities. With the introduction of e-commerce, most corporate companies intend to use internet facilities such as website, communication media, and emails to reach the clients (Weise n.p). It is from such background that the research would be focusing on Target Corporation, which experienced the data breach. The breach led to losses of organizational resources as well as those of the clients. Moreover, the incidents greatly affected the corporation compelling it to compensate the affected clients. Organizational Description Target Corporation is a discount retailer in the United States with its headquarter in Minneapolis, Minnesota. The Corporation is the second largest in the country after Walmart reflecting the number of clients that it serves. Through the years, the corporation has experienced growth and change of management to an extent that as of 2015, it operates in about 1,801 across the United States (Businessweek.com n.p). Furthermore, the retail operates in several formats including the hypermarket SuperTarget, discount store Target, and other smaller formats previously known as CityTarget and TargetExpress before undergoing Target branding. The Corporation manages more than 40 million credit cards owned by the customers (Target Pressroom n.p). Data breach in the corporation In the mid-December of 2013, the hackers managed to find their ways into the organizational system, gained access to the unique credit and debit card numbers of the customers within the database (Ax n.p). Some of the clients’ information retrieved from the system include the names, mailing addresses, phone numbers, and email addresses. The incident affected as many as 40 million credit and debit card accounts. However, the number of people affected increased to 70 million when the organization took into consideration the other personal information retrieved from the system. Unfortunately, the affected groups mainly included the holiday shoppers from November 27 to December 28 of 2013. According to the estimates from the corporation, about 42 million clients had information concerning the credit and debit cards retrieved with areas experiencing much of the impact include California, Texas, and Florida. More importantly, the hackers were able to retrieve card verification value of most debit and credit cards giving them access to the accounts of the clients. The use of the malicious software is also increasing with more hackers sending it the management system of the target institution. Probably, this was the method used to hack the system of the corporation. The hackers installed the malware into the payment system in the self-checkout lanes of the corporation (CBS Minnesota n.p). The incident saw the organizational Chief Executive Office Gregg Steinhafel resigning over the mounting pressure as people demanded their compensation. Several reports indicate that the hackers took into the system for about five months with the organization noticing that it had lost its financial system. Between November 27 and December 15 of 2013, reports indicate that the 40 million customers who were using the credit cards and debit cards in the United States had some of their personal information retrieved from the system. On December 13, the management of the corporation met with the United States department of justice to report the malpractices that were taking place in the corporation. However, it took the organization much time to notice and accept the hacking activities (McGinty n.p). As a result, it hired the third party to conduct a forensic audit of the hacking claims within the corporation. Upon receiving the results, it was clear that the criminals infiltrated the system. Furthermore, the report indicated that they installed the malware program into the networks on the point of sale and stole the payment credit and debit cards of the customers. The corporation managed to remove all the malware virtually from its stores, but the public remained unaware of the breach. KrebsOnSecurity, data and security blog, managed to make the first report on the security breach, which saw The Secret Service investigating the matter on December 18, 2013. The following day, after KrebsOnSecurity reported the incident, the corporation publicly acknowledged the breach adding that it was undertaking a serious investigation on how the criminal got into the system. Moreover, the corporation announced that it was also investigating the accessed information such as debit and credit card numbers, card expiry dates, and those cards with no indication of interference with personal identification number (PIN) (CNNMoney n.p). The announcement made the corporation undergo pressure from the customers on their website and customer service hotlines. The implanted software could capture the credit card numbers of the shoppers and saw in the organizational server commandeered by the criminals. The incident measured how these crimes have become common and how conventionally the hackers approached the corporation to effect the attack (KrebsOnSecurity n.p). About six months before the incident, the organization began installation of a $1.6 million malware detection tool made by the computer security firm FireEye (FEYE). The corporation decided to choose the firm due to its associates, which include the Central Intelligence Agency (CIA) and The Pentagon (Clark n.p). Besides, the corporation had a team of security experts in Bangalore to monitor its system and computers around the clock. These security systems are designed in a manner such that if Bangalore notices any suspicious program or activity on the activity, then it would notify the security operations center in Minneapolis. On Saturday, November 30, the criminals had already set their trap and had a single thing to do before commencing their attack, planning the escape route for the data. As a result, they uploaded exfiltration malware that would move the stolen credit card numbers. To cover their tracks around the United States, they spread their staging points then into their computers in Russia. However, FireEye spotted them, alerted Bangalore, which later flagged security threat to the team in Minneapolis (Mariotti n.p). The corporation decided to take no action on the received report. For some reason, the corporation’s office in charge of security in Minneapolis failed to react to the sirens. According to the research conducted by the Bloomberg Businessweek, the organization realized that the corporation has an alert system mainly to protect the bond between the retailer and the customers, which worked properly (Shaw n.p). However, the corporation stood by even as the 40 million credit card numbers and 70 million addresses, phone numbers, and personal information gushed out of the organization’s mainframes. The customers for neglecting their pleas and compensatory damages filed several lawsuits against the Target Corporation and banks. The corporation spent more than $61 million through February 1 of 2014 responding to the breach. In the testimony laid before the Congress, the Corporation confirmed that it only noticed the incident after the United States Department of Justice notified the mid-December (Riley, Elgin, Lawrence, and Matlack n.p). However, the media asked the CEO then to respond to the specific questions regarding the attack and clear rumors that the corporation lack adequate expertise and resources to deal with the situation. As a result, the CEO Gregg Steinhafel issued an e-mailed statement indicating that the corporation was certified as meeting the standard for the payment card industry (PCI) in September 2013. As a result, the corporation was busy conducting the end-to-end review of its processes, people, technology, and understand its opportunity to improve its data management security. Analysis of how the corporation handled the situation Business entities are prone to different incidents. However, the method used in handling the situation determines whether the organization would earn back the loyalty and trust of the customers. Considering the fact that the brand of the corporation has been built a 50-year foundation based on trust of the customers, the corporation failed to involve the same clients. It is important that the corporation restore the confidence of the customers. Data breach at the corporation was dramatic and lead to the reduction in the image of the corporation (Gilbert 230). The corporation spent $61 million paying for legal fees, software updates, credit monitoring, customer reimbursement, and other costs associated with cyber security. Besides, the corporation has also been hit by more than 140 lawsuits, which greatly contributed to the resignation of the CEO over security failures and less expansion of the organization in the Canadian market. More importantly, the corporation lost the trust of the customers, which contributed to reduced sales after the breach. In addition, the profitability also reduced by 50 percent in 2014 and changed the buying habits of the customers, as most of them fear the loss and trauma they went through following the breach. Most customers who remained loyal to the corporation said they would be more likely to use cash instead of credit cards, which reflect reduced spending power. In a bid to resolve the stalemate, the corporation decided to investigate the matter thoroughly to ascertain if there are employees who are working closely with the hacking criminals (Townsend n.p). As a result, the corporation involved both the Secret Service and the United States Department of Justice to bring the culprits to book. While the investigations were on, the CEO was pushing the corporation to embrace the new credit card technology for the consumers around the United States. The new credit card had a chip and PIN number system to replace the vulnerable one that the hackers were able to siphon money from the customers’ accounts. To some extent, other financial corporations such as JPMorgan Chase & Co. decided to place daily limit transactions for its clients with debits cards and influenced by the breach at the corporation. Besides, JPMorgan Chase & Co. began reissuing the cards and opening more branches on Saturday to assist the affected customers of the corporation. As a security measure, the corporation invested $1.6 million installing a malware tool that would assist in detecting security threats to the organization associated with hacking practices. Since the corporation deals in credit and debit payment systems, it has a special unit in Bangalore to monitor its activities associated with system management. The Corporation also invested in the investigation of its internal processes and systems required to reduce the likelihood if such incident taking place again. Moreover, the corporation collaborated with a third party security firm to establish the fact about the hacking activities. Upon receiving the result, it decided to hide the truth from the customers, which made the criminals found another way of updating their malware. The corporation assumed that by removal of the malware virtually on its system across the United States would remedy the situation. However, the KrebsOnSecurity published its blog on the incident and reported the matter to the Secret Service to investigate the issue further. These activities compelled the corporation to announce publicly that its security had been breached, and criminals were able to access the credit and debit card numbers of the customers. If the corporation came out upon realizing the malicious activities, then it would have reduced the number of clients affected by the incident. Conclusion Cybercrime is a criminal activity that is not only affecting the private business but also the state departments. The corporation increased the susceptibility of more customers by failing to take an immediate action after realizing the hacking activity. Currently, the decisions made almost two years ago are greatly affecting organizational performance with more customers failing to trust organizational management. With increasing technological use and advancement, business entities need to be prepared for any incident especially the rising number of cybercrimes. Collaborating with the Secret Service and the United States Department Justice made it easier for the corporation to reduce the effect on more customers. Works Cited Ax, Joseph. "U.S. Judge Certifies Class Action over Target Corp Data Breach." Reuters. Reuters, 15 Sept. 2015. Web. 18 Oct. 2015. . Businessweek.com. "Why the Target Data Hack Is Just the Beginning - Businessweek." Businessweek.com. Businessweek.com, 16 Jan. 2014. Web. 18 Oct. 2015. . CBS Minnesota. "Grim Tuesday At Target Corp. As 1,700 Lose Their Jobs « CBS Minnesota." CBS Minnesota. CBS Minnesota, 10 Mar. 2015. Web. 18 Oct. 2015. . Clark, Meagan. "Timeline of Target's Data Breach And Aftermath: How Cybertheft Snowballed For The Giant Retailer." International Business Times. International Business Times, 5 May 2014. Web. 16 Oct. 2015. . CNNMoney. "Target Will Pay Hack Victims $10 Million." CNNMoney. CNNMoney, 19 Mar. 2015. Web. 18 Oct. 2015. . Gilbert, Sara. The Story of Target. Mankato: Creative Education, 2015. Print. Kedmey, Dan. "Target Expects $148 Million Loss From Data Breach." TIME.com. TIME.com, 6 Aug. 2014. Web. 18 Oct. 2015. . KrebsOnSecurity. "The Target Breach, By the Numbers — Krebs on Security." Krebs on Security. Krebs on Security, 14 May 2014. Web. 18 Oct. 2015. . Mariotti, Steve, and Caroline Glackin. Entrepreneurship: Starting and Operating a Small Business. Upper Saddle River: Pearson/Prentice Hall, 2013. Print. McGinty, Kevin M. "Target Data Breach Price Tag: $252 Million and Counting." Privacy & Security Matters. Privacy & Security Matters, 26 Feb. 2015. Web. 18 Oct. 2015. . Riley, Michael, Ben Elgin, Dune Lawrence, and Carol Matlack. "Target Missed Warnings in Epic Hack of Credit Card Data - Businessweek." Businessweek.com. Businessweek.com, 13 Mar. 2014. Web. 18 Oct. 2015. . Shaw, Hollie. "Target Corp to Exit Canada After Racking Up Billions in Losses." Financial Post. Financial Post, 15 Jan. 2015. Web. 18 Oct. 2015. . Target Pressroom. "Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores | Target Corporate." Target Pressroom. Target Pressroom, 19 Dec. 2013. Web. 18 Oct. 2015. . Townsend, Matt. "Target ‘lost’ Before Data Breach Occurred." Las Vegas Review-Journal. Las Vegas Review-Journal, 31 May 2014. Web. 18 Oct. 2015. . Weise, Karen. "Sally Beauty Data Hack: Another Day, Another Retailer in a Massive Credit Card Breach." Businessweek.com. Businessweek, 5 Mar. 2014. Web. 18 Oct. 2015. . Read More