
Targeting Target

A 100 Million Dollar Data Breach

Cyber Security Case Study

EPGP & ITMA Group 1


EPGCITMA-07 EPGP-11
Pradeep Vishwakarma David Boodala
Joseph Bakht Singh
Moiz Mohammed Gudapati
Akhil Gopu G S Faisal Ahmed
Sreelekshmi M V Parthasarathi Mohanty
Joyeeta Pattnaik Rahul Jain
Paramjoat Rajput Bhargav
Sandilya Annapurna Prasad
Garimella Darshan Jagdish Danda
Agenda

1 Target Introduction & Background
2 Target Cyber Attack & Phases
3 Weakness in Target security
4 Was it an information system failure?
5 Accountability & Reaction to Situation
6 CEO Responsibility toward Customers
7 Lessons for Target CEO
8 Lessons for Target CIO
9 Proposals for Next Step
10 Consumer behavior toward data breaches
11 Takeaway
12 Conclusion
13 References
14 Contribution

Target Introduction & Background

• George Dayton founded the Dayton-Hudson Company around 1902, which started Target Corporation as a general merchandise retail store in 1962 in Minneapolis, MN, USA, aiming for good quality at a low price.
• With 1000 stores across 47 states, Target moved online with Target.com in 1999, and also launched its Bullseye dog logo and Market Pantry, an in-house brand.
• Target started its pharmacy in 2005 as ClearRx, an innovative pharmacy concept that improves the way people take medication.
• Target started offering a credit card in 1995 and renamed it REDcard in 2004.
• In 2013 Target opened 123 stores in Canada, also opened many new stores across the USA, and reached the ~2000-store mark (1800 in the USA).
• By 2013 Target was an established brand for clothing, grocery, pharmacy and its in-house brands, and ranked 36 in the Fortune 500.
• Under Gregg Steinhafel, Target reported record sales (73 billion $) in 2013; the same year Target reported a big 110 million user data breach.
• In 2014 Target revamped its POS & REDcard security with Chip & PIN technology, and Brian Cornell took over as CEO.
• Target Pharmacy was sold to CVS Pharmacy in 2015, and Target's 123 stores in Canada were closed.
• After overcoming the data breach losses, Target today operates in all 50 US states with around 1871 super & medium retail stores.
• Target ranked 38 in the Fortune 500 with 75.4 billion $ in sales in 2019 and has 350K employees.

Figure: Target in-house products & brands
Target Cyber Attack & Phases

Cyber Attack / Data Breach Phases

• In Nov 2013, Fazio Mechanical Services, a service provider whose information was available online and who had access to Target systems (contract, project & billing), was attacked with a "phishing" email.
• After getting access credentials, the attacker used a malware package called Citadel (Olavsrud 2014) to gain access to Target systems.
• On 12 Nov 2013, the attackers gained access to Target's internal network by a common executable file.
• 15th and 28th Nov 2013: deployed Kaptoxa malware to POS terminals & tested access & malware.
• The exfiltration malware file was updated on 2nd & 4th Dec 2013 to start the POS data transfer.
• Between 2nd and 12th Dec 2013, the hacker transmitted payloads of stolen customer & POS data to an FTP server located in Russia.

Target Preparedness for Attack

Target was not really prepared for a cyber attack; there were many security weaknesses. Here are some of the points outlined.

1. Hackers were able to upload malware without any detection.
2. Target ignored the FireEye malware detection warning & came to know of the attack from banks & the US government.
3. Information about vendors, who had more access to Target systems, was available online, and vendors were not contracted to use adequate security measures.
4. Target POS & REDcard were running on old technology.
5. A "white list" of authorized processes was also not maintained.
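
As an added example (not part of the original slides): a minimal egress check over flow records that flags POS-segment hosts sending data to non-internal addresses, FTP first, which is the traffic pattern of the exfiltration phase described above. The subnets, log format and sample records are constructed assumptions, not data from the case study.

```python
import ipaddress
from collections import defaultdict

# Assumed layout (hypothetical): POS terminals live in one segment of 10.0.0.0/8.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FTP_PORTS = {20, 21}

# Constructed flow records: timestamp src dst dst_port bytes_out
SAMPLE_FLOWS = """\
2024-01-02T10:03:44 10.20.4.17 10.20.9.9 445 5120000
2024-01-02T11:15:02 10.20.9.9 203.0.113.50 21 48000000
2024-01-02T11:15:09 10.30.1.8 198.51.100.7 443 9000
2024-01-03T11:14:58 10.20.9.9 203.0.113.50 21 51000000
2024-01-03T11:20:00 10.20.4.18 198.51.100.7 443 2000
2024-01-03T12:00:00 10.20.4.18 truncated-record
"""

def parse_flow(line):
    """Return (src, dst, port, nbytes), or None for a malformed record."""
    try:
        _, src, dst, port, nbytes = line.split()
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(port), int(nbytes))
    except ValueError:
        return None

def pos_egress_alerts(log_text):
    """Aggregate flows that leave the POS segment for a non-internal address."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0, "ftp": False})
    skipped = 0
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_flow(line)
        if rec is None:
            skipped += 1          # count unparsable lines instead of hiding them
            continue
        src, dst, port, nbytes = rec
        if src not in POS_SEGMENT or any(dst in net for net in INTERNAL_NETS):
            continue              # not from a POS terminal, or stays internal
        entry = totals[(str(src), str(dst))]
        entry["flows"] += 1
        entry["bytes"] += nbytes
        entry["ftp"] = entry["ftp"] or port in FTP_PORTS
    alerts = [{"src": s, "dst": d, **v} for (s, d), v in totals.items()]
    alerts.sort(key=lambda a: (not a["ftp"], -a["bytes"]))  # FTP first, then volume
    return alerts, skipped

if __name__ == "__main__":
    print(pos_egress_alerts(SAMPLE_FLOWS))
```

Internal networks are listed explicitly rather than derived from `is_private`, because Python treats the documentation ranges used for the sample destinations as private.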
CEO’s responsibilities and Ethics

As per my opinion:

• The CEO's responsibility is to inform customers about the data breach, because the CEO, being the head of the company, should take accountability and responsibility for the data breach, and it in fact reinstates the importance of the issue when a person of that stature makes an announcement, as it is heard seriously by everyone.

• I would most definitely agree that the CEO is the right person in the company to make an announcement to its customers, since there is a lot of sensitive information that is already jeopardized, and if the CEO informs the customers, the least they would think is that the CEO was accountable enough to take responsibility and ownership of the issue at hand and any assurance given.

• The CEO would at least mitigate the anger and anxiety that the customers would have. Moreover, if I were the CEO, I would have some counter actions in place, as such incidents can occur to any company, since no company is 100% hack proof.

• Also, the CEO is the one who makes decisions and approves any financial decisions related to security; he/she should also be involved in processes to determine the security partners and address cyber security threats.
Way forward proposals
Conclusion
Referred Content

• Target.com
• https://www.slideshare.net/mslgroup/the-target-data-breach-3-lessons-for-pr-pros/7-7The_Target_Data_Breach_What
