Target originated from George Dayton’s establishment of a department store in Minneapolis in 1902. In 1909, Dayton opened a discount store that was focused on customers who could not afford higher-priced department stores (Srinivasan et al., 2019). In 1962, the Dayton Company opened its discount stores, which were branded as Target, at the same time Walmart and Kmart were created. Target was unique in comparison to other stores because its brand image was about selling quality goods at low prices within upscale environments (Srinivasan et al., 2019). A typical Target store has around 80,000 Stock Keeping Units (SKUs), offering a wide variety of items, such as electronics, apparel, and even groceries. Target also offered its customers credit through a REDcard program (Srinivasan et al., 2019). The Thanksgiving and Christmas seasons were the busiest period for Target, which increased employment by 50,000 over its normal amount during that time. From 2010 through 2013, the company derived around 30% of its revenues from the fourth quarter (Srinivasan et al., 2019).
Summary of the Incident (Sidhya Raman)
In November and December of 2013, Target suffered one of the largest cyber breaches on record. The breach occurred during the holiday shopping season and resulted in the data of approximately 110 million Target customers being compromised. The breach started when hackers from an unknown location initiated a phishing email campaign against Target’s external heating and ventilation provider, Fazio Mechanical Services (Srinivasan et al., 2019). Using Fazio’s credentials, hackers were able to gain access to Target’s network for project management, contract submission, and electronic billing (Srinivasan et al., 2019). Some of the information that was stolen included names, home addresses, and email addresses (Srinivasan et al., 2019). The attack and Target Corporation’s response to the breach faced an intense amount of criticism from the public, and in turn, the accountability of Target’s board of directors, the Audit Committee, and the Corporate Responsibility Committee was put on blast, since they were responsible for the oversight of operational and reputational risks. Institutional Shareholder Services (ISS), which is a leading proxy advisory firm, voted against the re-election of 7 out of 10 Target board members, which included the chair of the Audit Committee (Srinivasan et al., 2019). Investors of the company ended up filing derivative suits which charged the board with breach of fiduciary duty and waste of corporate assets (Srinivasan et al., 2019). Even though Target’s board members defended their handling of the incident, the public was still wary about Target and its lack of accountability for the incident.
Case Questions (Sidhya Raman, Tiffany Valle, Mohammad Nouri)
1.      What’s your diagnosis of the breach at Target – was Target particularly vulnerable or simply unlucky? (Mohammad Nouri)
When it comes to the cyber breach of Target in 2013, Target was in fact vulnerable. Target could have simply included a two-step authentication method, which could possibly have prevented the breach from happening. Target had poorly planned out its authentication methods, which led to Fazio (the vendor) being vulnerable and easy to target in order to obtain access to the Target network and systems. If Target had implemented some type of two-step authentication method, such as a text verification code and remote access tokens for its vendors (even if the type of access is basic), it could more than likely have prevented the online attackers from being able to get through. To add to that, Target’s network was not separated and organized either, which allowed the attackers to access data such as personal data and customer information, which is considered PII (Personally Identifiable Information), and this ended up having a large impact on the customers and the company itself.
2.      What, if anything, might Target have done better to avoid being breached? What technical or organizational constraints might have prevented them from taking such actions? (Mohammad Nouri)
3.      What’s your assessment of Target’s post-breach response? What did Target do well?  What did they do poorly? (Tiffany Valle) 
I think they didn’t expect this to happen; they weren’t prepared. They didn’t give much information to their customers about what was going on. They posted on their corporate website, where people don’t visit much, and in regular media about how they were aware of unauthorized access to card payment data. Customers were upset by their poor service regarding information about the breach and how it could affect them. There were customers who were pissed off, but Target was trying. They would help concerned customers with guidelines to follow to see if there were any suspicious charges. They tried helping customers by giving 1 year of free credit and theft monitoring to those affected by the breach. CEO Steinhafel offered a 10% discount to employees and customers who would buy in Target stores on 2 certain days, December 21-22, 2013. What was wrong with Target was that they kept giving out false information to their customers by telling them that they thought PIN information hadn’t been accessed, but later on revealed that it had been stolen. That made customers wonder if hackers could have gained more information, because Target kept switching their statements. Target settled to cover consumer losses. They also settled with VISA, MasterCard and other banks. Target had spent about $290 million on costs from the breach.
4.      To what extent is Target’s board of directors accountable for the breach and its consequences?  As a member of the Target board, what would you do in the wake of the breach?  What changes would you advocate? (Tiffany Valle)
I think they are all accountable for the breach because they were using malware detection tools and if there wasn’t good management then it’s useless. Target’s board of directors had to take the initiative in proceeding with the alerts being given from FireEye. There were so many alerts but that’s why management needs to overlook them. They didn’t implement internal controls to protect their customers’ data. The board of directors caused an impact of losses to the company and its shareholders. As a member of the Target board, in the wake of the breach, I would’ve started the incident response plan. The incident response plan would have minimized the breach impact; it would reduce fines and help your business get back in action. I don’t think Target had an incident response plan because they would’ve been able to control it. My team could’ve tried to contain the breach when it first started and assess the damage that had been caused. I would’ve notified those affected right away and let them know what’s happening because they have the right to know since they are customers. I would update our recovery plan because it would review how we responded to the breach and what we could have done better as a company. I would’ve been honest in alerting people because giving false information makes people skeptical. That’s when Target and their board of directors can get a bad reputation for not being trustworthy with sensitive information (SSN, Date of Birth, Credit Card, etc.).
5.      What lessons can you draw from this case for prevention and response to cyber breaches? (Tiffany Valle) 
Target was very vulnerable from the beginning of the attack because there were vulnerabilities that never got patched. There are multiple lessons to learn from this breach; one of them is having the network properly segmented. The hackers had been able to gain access to personal data and customer payments through an unsegmented network. There were alerts coming from FireEye, Inc., who provide malware detection tools and a security specialists team in Bangalore, India. FireEye would monitor Target’s systems 24/7, and when the hackers tried to install a malware intrusion on Target, FireEye alerted them but Target didn’t take it seriously. They should take every alert seriously because FireEye is letting you know they detected something that can be prevented. Target could’ve prevented the breach from happening by eliminating unneeded default accounts, because that’s where hackers were able to gain the most sensitive data of Target’s network. Target’s mechanical services provider, Fazio, should’ve been more vigilant on critical system files, which could’ve helped them notice that hackers had stolen Target credentials. They also could have had stronger firewalls with their internal and external network to allow and block traffic coming in. The implementation of point-to-point encryption could have helped out. They didn’t have sufficient data security. They weren’t honest in responding to their customers about the breach because they would change their statements. They claimed that customers’ PIN numbers hadn’t been compromised but later on said they were compromised. They should have waited until they had all the factual information, because they just assumed that the hackers hadn’t accessed the PIN numbers.
6.      How would you characterize your role as a director in relation to cybersecurity at your organization?  What are some concrete things that you can do as a director to oversee this domain?
7.      What do you think companies can do better today to protect themselves from cyber breaches and in their post-breach response?
Given that cyber breaches are becoming more and more common in this digital age, it is essential that companies put appropriate countermeasures in place to protect themselves from these incidents. One measure that could be implemented is to limit access to any valuable data (Ulisticadmin, 2018). This would involve having strong authorization protocols implemented. Only those with a higher privilege status should be able to have access to confidential information. Secondly, employees must complete security awareness training in order to know how to effectively safeguard important data (Ulisticadmin, 2018). As for the cyber security breach response plan, employees should ensure that it includes an evaluation of what exactly occurred, how data was lost, and when it was lost. Finding out who or what was responsible for this incident is also important within the documentation. For post-breach responses, companies should certify that the system is restored and there is proper network integrity (Appleby, 2018). In addition, there should be a post-incident analysis conducted and proactive measures put into place to mitigate any future problems. Many companies today also use a method called a “hotwash,” which is an after-action report (Appleby, 2018). This is a report where you gather all of the important personnel to review the incident that occurred and have a discussion about everyone’s view on the success or failure of the response to the said incident (Appleby, 2018). A hotwash usually includes the incident response team, members of the IT team, high-level executives, and third-party vendors if applicable to the scenario (Appleby, 2018). Having all of these methods in place is essential in protecting a company from a cyber breach.