Target Breach Case Study
Added on 2023-02-06
8 Pages3167 Words94 Views
Target Breach Case Study
Executive Summary
Xian Sun
Assistant Professor in Finance
Carey Business School
Johns Hopkins University
To cap things off, we found out that Target was the victim of cybercrooks. Between Black
Friday and December 15, hackers collected credit card details on about 40 million people who
had shopped in person at the popular retail chain.
In 2013, Target Corporation’s (Target) security and payment system was breached,
compromising 40 million credit and debit card numbers, along with 70 million addresses, phone
numbers and other personal information [1]. Target was made aware of this situation in mid-
December when the U.S. Department of Justice informed the company that their system was
being attacked [2]. Target had received notifications prior to this date, but had failed to act.
What happened?
Timeline:
May 2013
FireEye (anti-malware system - $1.6 million) installed but the feature of eradicating
the malware was turned off as mistrusted by Target security personnel
11/27/13 Breach started.
11/30/13 FireEye captured the first malware code and issued an alert that was ignored
12/2/13 Hackers started downloading the collected data to Russia through US servers
12/12/13 Contacted by Dept of Justice and aware of the breach
12/13/13
Target executives meet with US. Justice Department
12/14/13
Target hires a third-party forensics team to investigate the hack
12/15/13 Learned the criminals hacked the system to gain guest credit and debit and card
information including names, mailing and email address, phone numbers.
12/15/13 Closed access point and uncovered the problem and had informed authorities and
1
Executive Summary
Xian Sun
Assistant Professor in Finance
Carey Business School
Johns Hopkins University
To cap things off, we found out that Target was the victim of cybercrooks. Between Black
Friday and December 15, hackers collected credit card details on about 40 million people who
had shopped in person at the popular retail chain.
In 2013, Target Corporation’s (Target) security and payment system was breached,
compromising 40 million credit and debit card numbers, along with 70 million addresses, phone
numbers and other personal information [1]. Target was made aware of this situation in mid-
December when the U.S. Department of Justice informed the company that their system was
being attacked [2]. Target had received notifications prior to this date, but had failed to act.
What happened?
Timeline:
May 2013
FireEye (anti-malware system - $1.6 million) installed but the feature of eradicating
the malware was turned off as mistrusted by Target security personnel
11/27/13 Breach started.
11/30/13 FireEye captured the first malware code and issued an alert that was ignored
12/2/13 Hackers started downloading the collected data to Russia through US servers
12/12/13 Contacted by Dept of Justice and aware of the breach
12/13/13
Target executives meet with US. Justice Department
12/14/13
Target hires a third-party forensics team to investigate the hack
12/15/13 Learned the criminals hacked the system to gain guest credit and debit and card
information including names, mailing and email address, phone numbers.
12/15/13 Closed access point and uncovered the problem and had informed authorities and
1
financial institutions
12/18/13 First time published the breach by a blogger
12/19/13 Target publicly announced and emailed shoppers
12/20/13 Gregg Steinhafel, a message from CEO Gregg Steinhafel about Target's payment
card issues.
12/21/13 JPMorgan Chase & Co. (NYSE:JPM) places daily limits on spending and withdrawals
for its debit card customers affected by the Target breach, begins reissuing cards
and opens some branches on a Sunday to help Target customers.
12/22/13 Transactions at Target fell 3 percent to 4 percent compared to the year earlier on
Thelast weekend of holiday shopping before Christmas. Other retailers report
strong results.
12/23/13 Press release, Target data security media update
Days later Hired security expert at Verizon to probe its network for weakness
12/27/13 An ongoing investigation by a third-party forensics unit finds that encrypted debit
card PIN information was accessed during the breach, but Target says it believes
PIN numbers remain secure.
1/10/13 Target says an additional 70 million customers had personal information stolen
during the breach, including emails. The company lowered its forecast for its
fourth quarter, saying sales were meaningfully weaker than expected after news
of the breach.
1/12/14 CEO confirmed that malware (RAM scraping) installed on POS terminals at
US based stores enabling the theft of financial information.
1/22/14 Target lays off 475 employees at its headquarters in Minneapolis and worldwide
and leaves another 700 positions unfilled.
2/4/14 Target CFO John Mulligan testifies before the U.S. Senate Judiciary Committee,
mentioning the ongoing investigation but offering no new information on who might
have hacked the data. Mulligan says Target has invested hundreds of millions in
data security and rejects claims that its systems weren’t up to par. Other witnesses
discuss the benefits of chip-and- PIN technology, used widely in Europe but not in
the U.S., where banks and retailers have balked at the expense..
A few
weeks later
Second batch of information compromised, personal information of 70 million
people,
Overlap of at least 12 million people in two groups.
2/18/14 Costs associated with the data breach topped $200 million, a report from the
Consumer
Bankers Association and Credit Union National Association finds.
3/7/14 Target lets its employees wear jeans and polos to work in an effort to boost morale
after layoffs and the sales-killing data breach.
4/30/14 Target says it has committed $100 million to update technology and will introduce
chip-and-PIN technology for itsdebit and credit cards by early 2015.
5/5/14 Bob DeRodes, a former tech adviser in several federal government agencies, takes
2
12/18/13 First time published the breach by a blogger
12/19/13 Target publicly announced and emailed shoppers
12/20/13 Gregg Steinhafel, a message from CEO Gregg Steinhafel about Target's payment
card issues.
12/21/13 JPMorgan Chase & Co. (NYSE:JPM) places daily limits on spending and withdrawals
for its debit card customers affected by the Target breach, begins reissuing cards
and opens some branches on a Sunday to help Target customers.
12/22/13 Transactions at Target fell 3 percent to 4 percent compared to the year earlier on
Thelast weekend of holiday shopping before Christmas. Other retailers report
strong results.
12/23/13 Press release, Target data security media update
Days later Hired security expert at Verizon to probe its network for weakness
12/27/13 An ongoing investigation by a third-party forensics unit finds that encrypted debit
card PIN information was accessed during the breach, but Target says it believes
PIN numbers remain secure.
1/10/13 Target says an additional 70 million customers had personal information stolen
during the breach, including emails. The company lowered its forecast for its
fourth quarter, saying sales were meaningfully weaker than expected after news
of the breach.
1/12/14 CEO confirmed that malware (RAM scraping) installed on POS terminals at
US based stores enabling the theft of financial information.
1/22/14 Target lays off 475 employees at its headquarters in Minneapolis and worldwide
and leaves another 700 positions unfilled.
2/4/14 Target CFO John Mulligan testifies before the U.S. Senate Judiciary Committee,
mentioning the ongoing investigation but offering no new information on who might
have hacked the data. Mulligan says Target has invested hundreds of millions in
data security and rejects claims that its systems weren’t up to par. Other witnesses
discuss the benefits of chip-and- PIN technology, used widely in Europe but not in
the U.S., where banks and retailers have balked at the expense..
A few
weeks later
Second batch of information compromised, personal information of 70 million
people,
Overlap of at least 12 million people in two groups.
2/18/14 Costs associated with the data breach topped $200 million, a report from the
Consumer
Bankers Association and Credit Union National Association finds.
3/7/14 Target lets its employees wear jeans and polos to work in an effort to boost morale
after layoffs and the sales-killing data breach.
4/30/14 Target says it has committed $100 million to update technology and will introduce
chip-and-PIN technology for itsdebit and credit cards by early 2015.
5/5/14 Bob DeRodes, a former tech adviser in several federal government agencies, takes
2
over as Target’s chief information officer. Target CEO Gregg Steinhafel resigns.
In November and December 2013, cyber thieves executed a successful cyber attack against
Target, one of the largest retail companies in the United States. The attackers surreptitiously
gained access to Target’s computer network, stole the financial and personal information of as
many as 110 million Target customers, and then removed this sensitive information from
Target’s network to a server in Eastern Europe.
In December 2013, just days after a data breach exposed 40 million customer debit and
credit card accounts, Target Corp. hired security experts at Verizon to probe its networks for
weaknesses. The results of that confidential investigation — until now never publicly revealed
— confirm what pundits have long suspected: Once inside Target’s network, there was nothing
to stop attackers from gaining direct and complete access to every single cash register in every
Target store.
Target spokesperson Molly Snyder would neither confirm nor deny the authenticity of the
documents referenced in this report, but she maintained that Target has made great strides and is
now an industry leader on cybersecurity.
“We’ve brought in new leaders, built teams, and opened a state-of-the-art cyber fusion
center,” Snyder said. “We are proud of where we stand as a company and will be absolutely
committed to being a leader on cybersecurity going forward.”
The American retailing company was a target (no pun intended) for a cyberattack back in
2013, and it has ended up costing the company $162 million (slightly more than £104 million).
Reason:
He cited the 2013 Target Corp. data breach, which eventually was discovered to have come
from a computer of a heating and air-conditioning firm under contract to the retailer. "It's any
vendor, providing any service, that has a link to that firm's data.[2]
Development of the breach [5]
Target gave network access to a third-party vendor, a small Pennsylvania HVAC
company, which did not appear to follow broadly accepted information security
practices. The vendor’s weak security allowed the attackers to gain a foothold in
Target’s network.
Target appears to have failed to respond to multiple automated warnings from the
company’s anti-intrusion software that the attackers were installing malware on
Target’s system.
Attackers who infiltrated Target’s network with a vendor credential appear to have
successfully moved from less sensitive areas of Target’s network to areas storing
consumer data, suggesting that Target failed to properly isolate its most sensitive
network assets.
3
In November and December 2013, cyber thieves executed a successful cyber attack against
Target, one of the largest retail companies in the United States. The attackers surreptitiously
gained access to Target’s computer network, stole the financial and personal information of as
many as 110 million Target customers, and then removed this sensitive information from
Target’s network to a server in Eastern Europe.
In December 2013, just days after a data breach exposed 40 million customer debit and
credit card accounts, Target Corp. hired security experts at Verizon to probe its networks for
weaknesses. The results of that confidential investigation — until now never publicly revealed
— confirm what pundits have long suspected: Once inside Target’s network, there was nothing
to stop attackers from gaining direct and complete access to every single cash register in every
Target store.
Target spokesperson Molly Snyder would neither confirm nor deny the authenticity of the
documents referenced in this report, but she maintained that Target has made great strides and is
now an industry leader on cybersecurity.
“We’ve brought in new leaders, built teams, and opened a state-of-the-art cyber fusion
center,” Snyder said. “We are proud of where we stand as a company and will be absolutely
committed to being a leader on cybersecurity going forward.”
The American retailing company was a target (no pun intended) for a cyberattack back in
2013, and it has ended up costing the company $162 million (slightly more than £104 million).
Reason:
He cited the 2013 Target Corp. data breach, which eventually was discovered to have come
from a computer of a heating and air-conditioning firm under contract to the retailer. "It's any
vendor, providing any service, that has a link to that firm's data.[2]
Development of the breach [5]
Target gave network access to a third-party vendor, a small Pennsylvania HVAC
company, which did not appear to follow broadly accepted information security
practices. The vendor’s weak security allowed the attackers to gain a foothold in
Target’s network.
Target appears to have failed to respond to multiple automated warnings from the
company’s anti-intrusion software that the attackers were installing malware on
Target’s system.
Attackers who infiltrated Target’s network with a vendor credential appear to have
successfully moved from less sensitive areas of Target’s network to areas storing
consumer data, suggesting that Target failed to properly isolate its most sensitive
network assets.
3
End of preview
Want to access all the pages? Upload your documents or become a member.
Related Documents
Target Corporation's Data Breath: A Case Studylg...
|2
|387
|260
Issue in POS Systems - Assignmentlg...
|3
|724
|290
Comparison between WannaCry and the Petya cyber-attackslg...
|10
|2592
|344
Case Study: The Home Depot Data Breachlg...
|7
|1152
|186
Data Security: A Review of Major Security Breaches Between 2014 and 2018lg...
|14
|7570
|294
JP Morgan Data Breachlg...
|5
|722
|96