Question
Over the 2013 holiday shopping season, the retail giant Target Corporation suffered a serious information security breach. It appears that as many as 40 million customer transactions were compromised, including the theft of customer names, addresses, credit card numbers, credit card expiration dates, and credit card security codes. According to a Target spokesperson, the breach occurred during the period from November 27th through December 15th. This incident constitutes one of the largest such breaches of security in U.S. history.
At the present time, identity theft and related information security issues in the U.S. are governed by State rather than Federal law. For example, in Massachusetts the Office of the Attorney General and the Office of Consumer Affairs and Business Regulation immediately contacted Target for more details about the break-in. Under Massachusetts State law, Target has forty-eight hours to contact both the individuals impacted by the breach and the appropriate State agencies, or face steep financial penalties and even jail time. In this particular instance, Target's notification process was not timely, causing Attorney General Martha Coakley to initiate an investigation into Target's safeguards for protecting customer information.
Since Target operates in numerous locations throughout the U.S. as well as overseas, there will be multiple inquiries along these lines. Target is accountable to each and every state jurisdiction where there is a law on the books about identity theft. The total cost to the company of dealing with this breach could reach one hundred million dollars or more, not to mention the intangible costs associated with damage done to the Target brand and reputation. In addition to fines for late notification of the customers impacted by the breach, Target will no doubt provide remedial services such as a customer hotline for questions, free credit checks, coupons for future purchases, and the like. It will spend more on public relations and marketing campaigns as well.
As word of the breach circulated, customers inundated Target with questions and reached out to their own credit card providers to protect their current accounts, to check for illicit use of their credit cards, and to obtain replacement cards. They also vented their unhappiness with Target via social media, including Facebook and Twitter. For its part, Target has announced that it has hired a data security forensics firm to investigate the current break-in and to help Target with the processes, procedures, and information technology investments needed to thwart future breaches. Target's public relations firm is also hard at work doing damage control.
As to the crime itself, it would appear that cyber thieves penetrated the chain's point-of-sale (POS) systems and cash registers, introducing malicious software that duplicated and rerouted customer credit card information to off-shore servers beyond the reach of U.S. law enforcement authorities. Typically such data would flow directly from the POS to the company's centralized customer transaction database and would be encrypted for further protection. In the case of Target, the data was centralized but not encrypted. It is possible that a Target employee opened an e-mail message that unleashed malware that either infected the credit card information system or uncovered vulnerabilities in the system that criminals subsequently exploited. As illustrated below, weaknesses in such a system might involve: the level of firewall protection, the failure to encrypt credit card data both within Target's eCommerce and brick-and-mortar environments, or the lack of general security around corporate POS terminals and servers.
As reported in the press, Target was actually well-positioned to minimize the effects of the breach. On November 30 security alerts were triggered when the cybercriminal group attempted to plant malware for the exfiltration (exit route) of the stolen data (see Figure 1 below, provided by Dell SecureWorks). Also, Target's investments in antivirus security seemed to be working as expected. According to Bloomberg reporting, Target's Symantec Endpoint Protection tools identified suspicious behavior over several days around Thanksgiving.
At that point the Target security team could have followed the stolen data to three staging platforms, namely U.S.-based, criminally controlled sets of servers in California, Utah, and Virginia respectively. Whether they could have gained access to those servers and deleted the stolen data remains part of the follow-up investigation. Even if not, the damage in terms of customer loyalty, public trust, and regulatory scrutiny would have been minimized had they closed these floodgates at that point. Instead, Target personnel did not respond to the security alert. They failed to follow their own well-documented procedures and ignored the danger. The daily theft of POS data continued unhindered for more than two weeks. Target management publicly indicated that it was only after U.S. Department of Justice agents notified them on December 12 of the stolen data's existence that the breach was fully recognized and a formal internal investigation was completed to figure out what happened. Three days later, the malware was finally removed from Target's POS systems and IT infrastructure, but not before the compromise had affected millions of Target customers.
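The failure described in the two paragraphs above is not that nothing was detected, but that single-day alerts were never correlated and acted upon while the same flow recurred day after day. The following is an added example, not part of the case study and not any Target or vendor tooling: a small Python routine over constructed egress-log lines that flags POS hosts sending data anywhere except the sanctioned transaction database, and escalates any destination that keeps receiving such data on several distinct days. The host names, the `txdb.internal` allowlist entry, the `staging-*.example` destinations, the byte counts and the log format are all assumptions made for the illustration.

```python
"""Added example (not from the case study): detect and escalate recurring
unexpected egress from point-of-sale hosts over constructed log lines.

Assumptions (hypothetical, not from the case): POS hosts are named
"pos-NN", the only sanctioned destination for POS data is the internal
transaction database "txdb.internal", and each log line has the form
"<date> <src_host> <dst_host> <bytes_out>".
"""
from collections import defaultdict
from datetime import date

# Constructed sample egress records spanning three days.
SAMPLE_LOG = """\
2013-11-30 pos-01 txdb.internal 48211
2013-11-30 pos-01 staging-a.example 903114
2013-11-30 pos-02 txdb.internal 51200
2013-12-01 pos-01 staging-a.example 871002
2013-12-01 pos-03 staging-b.example 902233
2013-12-02 pos-01 staging-a.example 899990
2013-12-02 pos-02 txdb.internal 50031
"""

# The one destination a POS host is expected to talk to (assumed name).
ALLOWED_EGRESS = {"txdb.internal"}


def parse_log(text):
    """Parse the constructed log format into (day, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, src, dst, nbytes = line.split()
        records.append((date.fromisoformat(day), src, dst, int(nbytes)))
    return records


def flag_unexpected_egress(records, allowed=ALLOWED_EGRESS):
    """Emit one alert per record where a POS host sends data to a
    destination that is not on the allowlist."""
    alerts = []
    for day, src, dst, nbytes in records:
        if src.startswith("pos-") and dst not in allowed:
            alerts.append({"day": day, "src": src, "dst": dst, "bytes": nbytes})
    return alerts


def escalate(alerts, min_days=2):
    """Group alerts by destination and escalate every destination that has
    received POS data on at least `min_days` distinct days. A flow that
    recurs across days is the signal that an earlier alert was not acted
    on; a one-off alert is left for ordinary triage."""
    days_by_dst = defaultdict(set)
    bytes_by_dst = defaultdict(int)
    for alert in alerts:
        days_by_dst[alert["dst"]].add(alert["day"])
        bytes_by_dst[alert["dst"]] += alert["bytes"]
    return {
        dst: {"days": len(days), "bytes": bytes_by_dst[dst]}
        for dst, days in days_by_dst.items()
        if len(days) >= min_days
    }


if __name__ == "__main__":
    alerts = flag_unexpected_egress(parse_log(SAMPLE_LOG))
    print(f"{len(alerts)} unexpected-egress alerts")
    for dst, info in escalate(alerts).items():
        print(f"ESCALATE {dst}: {info['days']} days, {info['bytes']} bytes")
```

On the constructed input the routine raises four alerts but escalates only `staging-a.example`, which received POS data on three separate days; the single-day flow to `staging-b.example` stays at the ordinary alert level. The design point is the second stage: the escalation threshold turns a stream of individually ignorable alerts into one ticket that names the destination and the volume, which is the information an on-call team needs to decide whether to block the flow.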
It is noteworthy that this sort of cybercrime is less prevalent in Europe because Europe has moved to a chip-embedded credit card standard that changes the security access code with each new transaction. This arrangement more thoroughly encrypts user information on the card, making it more difficult for thieves to exploit credit card information for use in future purchases. Since the adoption of these new standards, these sorts of cybercrimes have declined in Europe even as they have increased in the U.S. MasterCard and Visa have agreed to move to the European chip-based credit card standard for their U.S. customers in 2015.
Oh, and by the way, on May 9, 2014, Boston area television news shows carried the announcement that the CEO of Target, Gregg Steinhafel, was fired over the affair.
Postscript:
Other recent credit card horror stories:
TJX disclosed in January 2007 that 45.6 million credit card numbers were stolen over 18 months. TJX tried to cover up the break-in, which was accomplished by sniffing unencrypted data flowing within a wireless networking environment at TJX headquarters.
Heartland Payment Systems found an additional 100 million cards were at risk in a recent breach of their security systems.
Hannaford Brothers Supermarkets were breached, affecting all of their customers, despite meeting the Payment Card Industry Data Security Standard (PCI DSS).
Footnote: The ChoicePoint Information Security Case and the Changing of State Laws[2]
ChoicePoint, a Georgia-based corporation, provides risk-management and fraud-prevention data (i.e., background check information). Starting with motor vehicle reports, claims histories, and similar data of interest to the automobile insurance industry, ChoicePoint eventually broadened its customer base to include employers of all kinds looking for information on prospective hires. It now also offers data for volunteer and job-applicant screening and data to assist in the location of missing children. As of 2005 ChoicePoint had over 4,000 employees, and its 2004 revenue was $918 million.
In the fall of 2004, ChoicePoint was the victim of a fraudulent spoofing attack in which unauthorized individuals posed as legitimate customers and obtained personal data on more than 145,000 individuals. At the time, the average customer request for individual background files ranged from 20 to 50 files, but there were no process controls in place to limit such requests. The theft netted its perpetrators the name and address information as well as a combination of Social Security numbers and/or driver's license numbers and, at times, abbreviated credit reports for some 145,000 unsuspecting people.
Based upon advice from the Los Angeles Police Department, ChoicePoint delayed for three months before notifying those impacted by this information/identity theft. The bad press and class-action lawsuits that followed did serious harm to ChoicePoint, which was totally unprepared for such a security breach or the effects of its aftermath. The firm paid dearly for its mishandling of the situation. But some good came out of this sad story: the State of California soon passed legislation that made it a criminal offense (complete with steep fines) for corporations that fail to report acts of identity theft to those impacted in a timely manner (within 48 hours). Since then forty-seven (47) other states of the union have followed suit, and the Federal government is also considering national legislation along these same lines but is not likely to act anytime soon.[3]
[1] This case study draws on information provided by the Boston Globe, pages A1 and A12, December 20, 2013, and the New York Times, Business Day Section, pages 1 and 7, December 20, 2013; Riley, Michael, Elgin, Ben, Lawrence, Dune, Matlack, Carol, Kopecki, Dawn, and Wallbank, Derek, "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It," Bloomberg BusinessWeek, March 13, 2014; and the Bloomberg BusinessWeek video "Hacking Timeline: What Did Target Know and When?", March 13, 2014.
[2] Source: choicepoint.com/news/statement_0205_1.html#sub1 (accessed February 2005). Used with permission of ChoicePoint.com. Modified extensively by Richard M. Kesner in 2013.
[3] Kendall, Brent, "Congress on Data Breaches: Lots of Hearings, Little Consensus," Wall Street Journal, Washington Wire blogs, February 5, 2014.
-Itemize the nature of the information security breach at Target and how this adversely affected the organization. Be sure to include and indicate both tangible and intangible losses in preparing your response.
Nature of Breach | Tangible Losses | Intangible Losses
(add more rows as needed)
-What actions were taken by both Target and the authorities to address the crisis, and what is your assessment of each action taken?
Actions Taken to Address the Crisis | Assessment of These Steps
(add more rows as needed)
-What reactive steps by Target might have mitigated their losses subsequent to their discovery of the information security breach? Explain/justify your choices.
Reactive Steps | Explanation
(add more rows as needed)
-What proactive steps by Target might deter a reoccurrence of such an information security breach? Explain/justify your choices.
Proactive Steps | Explanation
(add more rows as needed)