Data Breach Autopsy Analysis - Case Study Example

Introduction

Advancement in technology has been a blessing and cursing at the same time. As more firms adopt technology to leverage their businesses, hackers are also strategizing on ways of maximizing their threats. Thus, many organizations have been falling victims to hackers who steals their data for different gains. One of the cases of data stealing is with Target, the second largest retailer in the US. The firm lost over 40 million credit and debit cards used to make purchases in its stores (Dube, 2016). Some of the personal data stolen from other customers were names, telephone numbers, home and email addresses. The theft left a huge negative impact on the firm and its stakeholders that are felt to date. However, when such a huge magnitude of theft occurs, people always ask, how did it happen? In this case, it was a well-planned attack that involved international and local players. In this case, hackers penetrated a point of sale network of the company and installed a malware on the terminals to capture all the data stored on credit and debit cards swiped at the infected terminals (Dube, 2016).

Analysis

Factors that allowed theft to take place

Target had ensured adequate security of its customer’s data by doing all they could to protect it. The firm was a leader in cyber security in the retail industry because it invested heavily on resources to secure its information technology infrastructures. The organization also had multiple layers of its IT system such as firewalls, segmentation, malware detection, software for detecting intrusion among others as well as plans to prevent loss of data (Dube, 2016). Outside consultants, internal and external experts regularly checked the system for adequate security measures. Besides, the organization was certified as being Compliance with the Payment Card Industry Data Security Standard (PCIDSS) (Dube, 2016). However, not all these were enough to deter cyber criminals from attacking Target system.

Obtaining the firm’s user code and password by the cybercriminals is one of the factors that allowed the theft to occur (Dube, 2016). Fazio mechanical services had a remote access to the firm’s network for electronic billing, contract submission and project management. The hackers sent a short email requesting the details and one of the employees responded. This allowed the cybercriminals to penetrate the firm’s network and exploit its vulnerability as well as to access its payment system network lint to point of sale terminals.

Secondly, the firm ignored security alerts from the monitoring team (Dube, 2016). Before the theft, Target had heavily invested on anti-malware system that worked by creating virtual chambers which hackers are drawn and detected before they succeed in penetrating the system. The firm employed a team who worked around the clock by monitoring the results of the system. In many occasions, the monitoring team noticed Target of suspicious activities and it responded by sometimes acting or not taking any action. Target security team had obtained level 1 alert from the monitoring team but took no action not knowing this was the deadliest threat ever reported to them (Dube, 2016). For instance, the investigation revealed that the first alert was issued before first data was transferred. The security software had the ability to prevent the attacks but target experts were not keen on it and instead deactivated it, an act that shows how vulnerable they became leading to the attack.

Consequences of the breach to stakeholders

Target suffered a huge loss when its system were attacked by the cyber criminals. In any case where data privacy is breached, the company and the stakeholders felt the impact. In this case, many stakeholders were involved and they all suffered almost equally or felt the immense effect of the data theft.

Target developed a negative public image after the cyber-attack (Dube, 2016). The announcement by the data breach by the media and other stakeholders dented the organizational image since it was not expected to have that huge magnitude. The stakeholders criticized the firm for not taking seriously the alerts it received and not acting on them. Similarly, the organization was unable to make the breach public initially, and its inability to respond to the customers concerns. Following all these, the organizational brand scored negative in a consumer perception survey. Moreover, the firm’s third quarter results declined by 46% compared with the previous years when it improved its performances (Dube, 2016). The firm’s customer base also dropped because many fear they might be victims of cybercrime through the company. Target also had to use a lot of money in responding to the cyber-attack as it also delayed its expansion plans to Canada.

The overall financial impact of the data breach is huge that many financial analysts are unable to quantify. For instance, Target is facing many lawsuits where the complainants are seeking millions of dollars as a compensation for damages. Some victims are accusing the organization of violating laws, negligence in handling customer’s data information and taking too long to disclose information on data breach making more customers to be vulnerable. Three categories of parties filled the lawsuits and they include the banks, customers and shareholders. Banks want the organization to reimburse them all the cost arising from the breach that includes refunding fraudulent transactions, investigations, customer relations and reissuing of cards among other costs (Dube, 2016). Target must deal with all suitcases that might still keep on increasing as more complaints against the company arise. It must prepare its legal team to solve all these issues and this will require a lot of money being that the organization has a reduced performance as its customers still fear following the recent breach. All these would have been minimized if only the organization paid attention to the cybercrime warning it received. For now, the company has to deal with lawsuits that are pending before the courts.

High turnover among employees holding high cadre position was witnessed in the firm that destabilized its leadership and management positions (Dube, 2016). The Chief Information Officer of the organization resigned from a position he had held over years and brought tremendous improvement in the department. Besides, the firm reorganized its departments by creating new positions. All these required money to implement as well as to recruit the best personnel who has the interest of the company. The organization also let its CEO go who has been serving it for the last 35 years and had all the knowledge about the firm and the industry at large (Dube, 2016). The turnover was because of the failed expansion in Canada and the breach of data that saw the company use many millions dollars to overcome. Similarly, some board members had to leave the organization as it restructured its leadership to ensure those who remained had the capacity to protect it asserts and affirm its position in the market. All these changes caused a disruption in the firms operations, leadership as well as the working culture. Thus, it had to take the new team some time to learn about the organization and familiarize with the new working environment.

The company was also forced to adjust the timeline of its projects it had started implementing a delay that comes with additional costs (Dube, 2016). For instance, the organization had begun implementing chip card and personal identification number payment system that involved replacing of all point of sale terminals and its credit cards with chip card. This project was being undertaken as a security measure against fraud. Although it was a security measure, it would not have saved the company or prevented the theft realized but making it difficult to clone the cards with stolen data. The project could not move as planned because some adjustment had to be made.

Customers or the card holders were massively affected by the theft because they had to contact the merchants and the banks to stop and investigate the transactions that occurred (Dube, 2016). Customers lost their money used to purchase or do unauthorized transaction. Similarly, customers had to suffer from long-term impact of data theft victim as well as begin a process of defending themselves that they were not the actual person who committed the wrongdoing or the unauthorized transactions (Saini, Rao & Panda, 2013). In this case, customers were innocent and they only became victims because they trusted their retail shop. The consequence of this mistrust was heavy and the customers carried the whole burden, which is unfortunate for them.

Lastly, blame games was realized among the stakeholders for failing to put adequate measures to curb such incidences that injured the consumers. For instance, most stakeholders believed that the huge investments required to put up the entire IT infrastructure is the problem and the problem is sorted when it is done. When it is done, all the cards in the circulation must also be replaced. In response to this, various organizations such as MasterCard has launched initiative that forced all players to take action. It began with implementing a law that requires the retailer or the bank to be liable in case a card is used to commit a fraudulent activity. This was to ensure that the players in the industry upgrade their systems to resist such frauds. However, there has not been a rampant move towards implementation of the law as some firms still faces different internal challenges that requires to be sorted first.

Conclusion and Recommendations

Cybercrime is on the rise because of the adoption of technology by many companies. The magnitude of cybercrime depends with the organization that it attacks. As technology advances, organizations must be ready for attack anytime. The attack can be thwarted in case there is preparedness by the organization through putting security measures on their data. Secondly, the organizational leadership must be alert to any information they receive regarding fraud, hacking or any form of cyber-attack. Thirdly, the organization must communicate to the stakeholder in case of a cybercrime (Gordon, 2013). This will lead to prompt action to save the situation and protect customer’s data. Lastly, it is important to secure clients data by only giving limited access (Julisch, 2013). This will limit the unauthorized personnel from dishing information that might lead to the breach.