Data Breach case

profileStamp
Background.docx

Background:

Target Corporation, which was formerly known as Dayton Company, and Dayton-Hudson Corporation is a commercial retail corporation that operates large-scale foodstuff and general products discount stores. The company is among the biggest discount retailers in the United States. Its corporate headquarters are located in Minneapolis, Minnesota. Target Corporation, then known as Dayton Company, convened its first store in 1962 and then expanded its operations in 1969 after assimilating with the J.L Hudson Company to become the Dayton-Hudson Corporation (Tybout, 2017). By 1975, Target, then known as Dayton-Hudson Corporation had become a prominent revenue producer, and by 1979 their yearly sales had gone up. The first Target store offering a wider products section compared to a standard Target store was convened in 1990. In 1995, the first super Target store was convened in Omaha that was inclusive of a grocery store, pharmacy, restaurants, and a photography studio (Ainsworth, 2016).

introduce Target as a company .

The Dayton-Hudson Corporation changed its name to Target, to replicate the new emphasis on its Target stores. Target has grown into a reputable brand that is distinguished from its competitors because it offers stylish products at prices that are affordable, special edition clothing lines that are available through partnerships with reputable fashion designers including Jason Wu and Zac Posen that are popular with its customers. Target's first city Target which attended to urban consumers in stores two-thirds lesser than its usual locations. Target had a great year in 2012 when its total sales and diluted earnings went up following its investments in American and Canadian businesses. On top of the corporation’s financial successes, the company achieved operational milestones including launching its first city target store located in Chicago, San Francisco, Seattle, and Los Angeles, and extended its fresh-food remodel program. The company hoped to pursue more in 2013 when the data breach happened. Target Corporation has a wide consumer base including kids, women, families, and young singles. Its customers are well-educated, average-to-better income families living active lifestyles.

breach timeline

Start with the actual breach (September), move to the attack on the POS system and malware fully installed (November), Target systems alerts triggered (December), cyber criminals take credit card data (December), Department of Justice involvement and Target top management takes action (December), etc., etc.

everything that Target did wrong .

Target Corporation is not the only corporation that suffered data breeches until 23rd September, there were multiple reports of data breaches that were reported in 2014 (Shu, et al., 2017). Although there are multiple theories regarding how hackers hacked into the target corporation, none of them has been established by Target. Attackers first got into Target’s network with infiltrated passes from Fazio Mechanical. The attackers then probed the Target network and acknowledged the company’s weak points to exploit. Some susceptibilities were utilized to access delicate data, while others were used to develop the bridge transmitting data out of Target. Resulting from the weak dissection between non-sensitive and sensitive networks inside Target, the attackers were able to access Target’s point of sale.

The Fazio Mechanical Service system was infiltrated by a Citadel Trojan which was initially connected through a phishing attempt. The poor security training and systems of the third party led to the Trojan giving the malicious party full control over the systems of the company. Fazio Mechanical had admittance to the external billing system of Target or Target’s business unit network. Resulting from Target’s poor network segmentation, the only thing the attackers required to gain access into the whole system of Target Corporation was to get access to the corporation's business section. From the market section, they accessed other parts of the network including parts containing the corporation’s sensitive data. Once they were able to access the network, the malicious attackers began test connecting malware onto Target's point of sales devices known as BlackPOS.

Once the malware was installed, updated, and tested, it began scanning the point of sales memory to read the track data, primarily card numbers belonging to cards flick through card readers linked to the point of sales gadgets. The card numbers were then encoded and transferred to external repositories comprising of compromised machines from the point of sales devices. During the data breach process, the attackers controlled servers on the corporation’s internal network and chose a username, Best 1_user, and its password BackupU$r, usually created by IT management software. During the high sales of the day, the malware would send the information on credit cards in bulk to the file transfer protocol servers. This information stolen from credit cards was amassed at a server located in Russia. During the November and December 2013 data breach, the attackers collected 11GB of data (Saleem, & Naveed, 2020). The target breach credit cards were identified on black market platforms for sale and it was not clear how the sellers were connected with the stolen credit cards and personal information.

You can shorter this part

impact of the data breach on Target

The data breach on Target came at the height of holiday shopping and hit a significant percentage of the United States population. The company’s image suffered a major blow following its announcement on the data breach. The customers hugely criticized the company for failing to act on the initial alerts and for the delay in making the data breach public and for the failure of the customer service to respond to its clients (Greene, & Stavins, 2017). In December, of the same year, the data breach happened Target scored negatively in consumer perception surveys for the first time. The customer's negative perceptions were also reflected in the fourth-quarter results of the company and recorded a 46% decline in profits and a 5.3% drop in revenue which resulted from fearful shoppers (Dube, 2016).

The loss of customers and the costs related to the data breach affected both the quarterly and the yearly results. The company also had to put in extensive expenses to remedy the consequences of the data breach including cyber insurance held by the company, reimbursement of the bank for reissuing cards, all activities that involve communication and customer management, non-compliance fines for failing to meet the standards due to vulnerability of the authentication method of the external vendor, credit monitoring costs for the many customers who were affected by the breach, and the major legal costs that would follow the company later.

Target suffered numerous lawsuits, each lawsuit seeking millions of dollars for compensation of damages. These lawsuits include class-actions suits and victims accuse Target of acting in violation of negligence when handling customers’ data and waiting for a long time to disclose the breach publicly, therefore, increasing the vulnerability of its customers (Pigni, et al., 2018). The banks are at the core of these lawsuits and hold the view that Target should compensate them for the costs that arose from transactions and investigations following the

Analysis Alternatives: explain a few paragraphs on every bullet point

· Targets should segment its networks to limit vulnerability you don’t have this part?

· develop a more effective security alert system you don’t have this part?

· Implement a continuous training program security training program for all employees you don’t have this part?

· Create a cyber-Fusion center you don’t have this part ?

· be very strict with third party vendors, vetting vendor

Target should have been very strict on its third-party vendors because these vendors do not take strict precautions as they are expected to. This gives a chance for hackers to attack, like in Target’s case, the opportunity for an attack came through the Fazio Company (Kassner, 2015). Attackers look for an easier target among a company's third-party vendors instead of attacking a company directly. Compromised subcontractors like Fazio can easily be turned into a point of entry by malicious actors. The root cause of the security risks associated with third-party vendors is the lack of visibility and control. Most companies lack the full picture of how their third-party vendors handle their sensitive data and have limited control over these third parties. It is a company’s key responsibility to ensure that their vendors follow all the necessary cybersecurity requirements, which is something Target lacked to do with the Fazio Company. It can be Shorter just 1-2 paragraph is good

· you need a better POS system; POS means point of sale those are the cash registers

· Have special cyber security policies for executives

· Continuous security assessments perform continuous security

· Data encryption

Another important step that Target missed is data encryption. Data encryption ensures security by encoding data that can only be decrypted or accessed by a user bearing the appropriate encryption. Encrypted data appears unreadable or scrambled to persons who try to access the data without authorization. Had Target encrypted all its sensitive data, it would have proved difficult for the attackers to access and decode the sensitive data that put their customer’s personal information and other sensitive data on the line. The attackers easily decoded the sensitive data accessed on the systems of the corporation because the data was easily accessible and was not properly protected. Advanced algorithms of data encryption provide discretion, reliability, and non-repudiation. This would have helped Target prevent the theft of sensitive data and the introduction of malware from the malicious actors. It can be Shorter just 1-2 paragraph is good

· always upgrade your technology for security reasons you don’t have this part ?