Credit Card Breach at Target Corporation - Case Study Example

CREDIT CARD BREACH AT TARGET CORPORATION (Student Name) (Course No.) (Lecturer) (University) (Date) Credit Card Breach at Target Corporation Target Corporation is a business company based in United States of America (USA) and Canada operating in providing essential and merchandized beautification products at a discounted price. Since its founding in 1902 and establishment of its first store in the Minnesota, the corporation continues to pride itself of outstanding services especially in the USA, receiving a ranking of second position after the largest, Walmart stores. Through the enactment of the Canadian subsidiary program, the corporation spread to Canada in 2013 operating in 127 locations. Over time, the activities of the corporation rose to 133 stores in Canada until late in 2013 when it announced closure of its services in the region (Elgin, 2014, par. 5). By the onset of April 2015, the last store in Canada closed contributing to approximately 17, 000 individuals losing their jobs. Target Corporation faced a great incident in 2013 that led to loss of trust in its security regarding online shopping. The shoppers received the unwelcoming information on December 2013 of incident that led to the stealing of the 40 million Target shoppers’ credit cards occurred between November 27 and December 15. The hackers accessed the data on the point of sale (POS) systems. Later on, Target confirmed the incidence with the number rising to 70 million individuals believed to have lost private data to the hackers (Bluepassport, 2014). Regardless of constant reporting of customers who suffered from the breach, the managerial team of the corporation did not take any serious action until contacted by the Department of Justice concerning the incident. Target did not receive any alert from their security system. Attempts by various adversaries to access and retrieve their credit card data from the corporation’s system caused a breakdown in detection contributing to the loss of more data. Target Corporation suffered from one of the worst incident in December 2013, which totally affected their operations with approximated number of 10 million customers losing their shares. The corporation faced a data breach. In the event, business and government agencies lost their records from hacking and security mishaps (Alexander, 2004, 122). During the period, an estimated number of 110 customers compromised their payment cards affecting the pertinent operational structures of the corporation. The breach occurred during the annually held month of thanksgiving, therefore, a greater population suffered the consequence. The hackers extracted all the essential data from credit card swipe machines in the Target’s systems (D'Innocenzio, 2014, par. 2). In fact, the hackers even extracted the encrypted Pin numbers from every debit card. The effect hit a greater population making the customers loose trust in their services especially their electronic data security. The occurrence of the ordeal especially corporate system hacking created a negative perception of the electronic system of operational business to the extent of affecting the business performance of other organisations too. For instance, visa recorded a decline in its income in the subsequent year prompting a hit by the reluctance of people to operate on digital platforms. Different records later showed that the software that hacked the POS system of the Target Corporation was commercially accessible in Cybercrime forums (Economic Club, 2013). People questioned the essence of such forums in the country seeking compensation. This greatly affected the corporation making it bankrupt in the end. The hacking of the Target system affected several other financial institutions. For instance, Citibank announced the replacement of all debit cards to limit chances of financial harm to their clients. However, some thought that changing their PIN numbers would work, but in the end they were not effective posing other better measures. Being that Target Corporation did not form part of the Information Sharing and Analysis Centres and the National Retail Federation, many claimed that the hacking received backing from the managerial team of the corporation. Some maintained that, the corporation formed part of the Organized Retail Crime. This affected the operations of the corporation posing greater challenges on its reemergence in its operations (Griffin et al., 2003, 110). Nevertheless, the corporation later reestablished. Presently, it is again one of the largest retail stores in United States with other stores in different regions. The occurrence of the incidence attracted different suggestions especially in regards to the cyber security level of Target. Some believed that the reconnaissance process by the hackers involved Google search on the information related to the operations of the corporation especially on how it interacts with its vendors. The process also included an understanding of the Microsoft virtualization software, which the corporation employs in most of its activities. Upon the understanding of such crucial operational systems, an email with the malware was sent to the refrigeration vendor prior to the breach facilitating the extraction of the Target’s system via Fazio mechanical’s credentials. The installation of the malware on the POS followed gathering information from the credit cards as the customers continuously swiped the cards. Finally, such information accessed through a default username and password. Presently, the shares of Target Corporation remain higher in the global market posting a 52 percent increase in revenue. On the same measure, the corporation in the last quarter of 2015 recorded an increase in their online sales of a net rise of 37.8 per cent from last year. The main contributor to such increment is the rising demand for home and beauty products. In addition, the corporation adopted a free delivery scheme for online purchases attracting more customers. This continues to record a great attraction to different customers who intend to buy from them. Secondly, Target did cut down its annual cost of shipping rate by half reducing the ordering cost by $ 25 in February. However, in April the corporation recorded a decline in sales due to harsh winter weather. Nevertheless, outstanding sales were recorded in West Coast port where Target initiated the subsidized shipping cost in January and February. Target endeavours to provide efficient and quick information to the affected individuals. The norm of a proper management system involves the provision of the expected communication in times of damage and insecurity to regain the public trust (Sampson, 2002, p.123). The company through their experts in the corporate security and damage desk continues to ensure providence of the needed information to their clients. An effective communication remains the strongest method of solving problems within a corporate organisation. The steeps taking by the management of team of Target to address the incidence continue to give it an upper hand in preference by customers to other companies offering the same services (Wang, 2007, 101). Ms. Ein, the company director, involves in continuous conversations with the affected audience ensuring disclosure of essential information to provide a complete picture of the occurrence. In other instances, the Target team carries out assessments aimed at conveying sensitive issues directly to the affected clients. Moreover, over a year the company has been offering credit-monitoring services while reaching out to the affected customers directly. In fact, Gregg W. Steinhafel, Target chief executive, spearheads the initiative of seeking apology from the public. Target continues to employ a risk management system that involves the analysis of security threats and vulnerabilities within the company. The company spends in regular checking and updating of its prioritized systems to prevent possible vulnerabilities that might attack the systems. The hackers do create threat systems on the network and data centres which act as an avenue to reach the POS systems (Capacio, 2014, par.3). Through continuous analysis of the data and an understanding of the company systems, both encrypted and unencrypted, ensure prevention of vulnerabilities that is likely to create possible flaws used by the hackers to access the systems. Unencrypted data in a system memory is accessible by the malicious software making the company to ensure that all its data is encrypted. The company continues to apply critical controls on all its data without giving priority to set of data. According to analysts such as Jason Popp, the determination of the most critical assets contributed to additional logging, monitoring, and log analysis providing avenue for the hackers. Over the past one year, the company established their network and infiltration systems training more staff on network traffic and security analysis. This enables the employees to constantly inspect traffic and account activity from anomalies. The company strives to enlighten its staff on the analysis of network and account and correlation of logs reducing accessibility of such accounts through unexpected resources. Moreover, the company continuously monitors failed login attempts, malformed packets, installation of network reconnaissance tools, unexpected increase in traffic, unexpected shares among other malpractices ensuring prevention of such attempts of hacking. In addition, Target restricts accounts to a given network zone enhancing the process of monitoring of unauthorized access attempts. Protection motivation theory Most businesses often suffer several incidences due to ignorance of the warning signs from previous occurrences or failing to learn from the previous lessons experienced in the past. Therefore, it is important that the organization create programs, which aims at raising awareness and making the organization safer place for the customers. Every business must ensure that it anticipate all the negative incidences it is likely to experience and device various methods of ensuring the impacts do not affect the customers should they occur (Kendrick, 2010, 173). Hacking into the organization’s database and manufacturing of fake cards made the company lose many customers due to reduction in trust. From the theoretical point of view, the company should have applied protection motivation theory that requires companies to anticipate various risks associated with the activities it performs. Moreover, the theory encourages the organizations to portray the ability of taking preventive measures. Even though the company used various methods to protect the cards used by the customers, the hackers were able to retrieve a single card from a customer, which they used as the breakthrough to the organization’s database (Gomzin, 2014, 124). According to the protection motivation theory (PMT), companies should use four basic methods to protect themselves from any form of incident likely to arise. It recommends that businesses should take into account the perception of severity from the threatening event, perceived probability that the incident would occur, efficacy of the recommended preventive measures, and the organizational perceived self-efficacy. The theory stems its foundation from either threat appraisal or coping appraisals. Threat appraisal entails assessing the severity of the prevailing situation and examining the level of the situation while coping appraisal relates to how various organizations respond to different incidents. Social control theory In as much as businesses fight to create a positive brand image in the market, it is important to ensure the customers conform to the required organizational safety standards. Application of this theory within the Target Corporation would improve the safety of the cards and profits likely to be lost by the organization in the future. According to the theory, the organizations are required to integrate its activities that aim reducing insecurity with those of the customers in order to reduce the probability of behaviors considered as risks to the both the company and the customers. Certain behaviors from the customers tend to attract people with ill motives; therefore, it is crucial that the company also ensure that customers’ behaviors do not compromise the safety of the company (Calder, 2005, 98). It is from this point that the customers must conform to organizational safety practices to increase efficiency, effectiveness, and safety. It is from this background that the corporation is affiliating with its customers and educating them on the best methods of ensuring the safety of their cards. The major step taken by the organization after the incident is notifying the millions of the affected customers through their respective emails. Efficient communication is important as it ensures the customers acquire first hand information upon the occurrence of the incidence (Choate, 2008, 184). Consequently, the corporation might use these emails to create a forum of discussion among the customers on the best method of ensuring the recommended solutions are effective and of higher quality. Since the company works closely with various banks, it ensures that the banks monitor the customers’ accounts for the purposes of limiting the amount, which the customers could withdraw from his/her, account and spend in the stores. Besides ensuring that the banks monitor customers account activities, the company also has been able to put in place various methods of ensuring that the incident does not occur again. One of the methods in place is the introduction of the Chip-and-PIN for the credit cards to enhance the level of security of security. References Alexander, D. C. (2004). Business confronts terrorism: Risks and responses. Madison: University of Wisconsin Press/Terrace Books. Bluepassport. (2014, April 25). Target Corporation - MGMT 7160 Capstone Project 2014 [Video file]. Retrieved from https://www.youtube.com/watch?v=zxfSpmaX7Ks Calder, A. (2005). A business guide to information security: How to protect your company's IT assets, reduce risks and understand the law. London: Kogan Page. Choate, P. (2008). Dangerous business: The risks of globalization for America. New York: Alfred A. Knopf. Capacio, S. (2014, March 13). Target breach: Security warning ignored before heist. Retrieved from myFOX9.COM: http://www.myfoxtwincities.com/story/24968693/report-target-ignored-signs-ofbreach D'Innocenzio, A. (2014, 2 18). Target data breach cost banks more than $200 million. Retrieved from THE HUFFINGTON POST: http://www.huffingtonpost.com/2014/02/18/target-data-breachcost_n_4810787.html Economic Club. (2013, April 10). Gregg Steinhafel - Chairman, President & CEO Target Corporation [Video file]. Retrieved from https://www.youtube.com/watch?v=McMkjbpjpOg Elgin, B. (2014, March 13). Missed alarms and 40 million stolen credit card numbers: How target blew It. Retrieved from Bloomberg Businessweek: http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epichack-of-credit-card-data Gomzin, S. (2014). Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions. Indianapolis, IA: Wiley. Griffin, J. M., Ji, X., & Martin, J. S. (2003). Momentum Investing and Business Cycle Risk: Evidence from Pole to Pole. Journal of Finance, 12(3), 101-114. Kendrick, R. (2010). Cyber Risks for Business Professionals: A Management Guide. Ely: IT Governance Pub. Sampson, K. L. (2002). Value-added records management: Protecting corporate assets, reducing business risks. Westport, CT: Quorum Books. Wang, A. (2007). Priming, Framing, and Position on Corporate Social Responsibility. Journal of Public Relations Research, 7(3), 88-112. Read More