case study

Session 11: Target Information Security Case Study Questions

  1. Itemize the nature of the information security breach at Target and how this adversely affected the organization. Be sure to include and indicate both tangible and intangible losses in preparing your response.

| Nature of Breach | Tangible Losses | Intangible Losses |
| --- | --- | --- |
| Identity theft | Customer names, addresses, credit card numbers, credit card expiration dates, and credit card security codes. | 40 million customer transactions were compromised. |
| Sensitive organization data | The cost of hiring public relations and marketing campaigns was incurred. The total cost to the company in dealing with this breach could reach one hundred million dollars or more. | The corporate image as well as the Target brand was ruined. |
| Financial/cash breach. | Millions of Target customers were affected before the malware was removed from Target’s POS systems and IT infrastructure. | Damage in terms of customer loyalty, public trust, and regulatory scrutiny. |

  2. What actions were taken by both Target and the “authorities” to address the crisis, and what is your assessment of each action taken?

| Actions Taken to Address the Crisis | Assessment of These Steps |
| --- | --- |
| In Massachusetts the Office of the Attorney General and the Office of Consumer Affairs and Business Regulation immediately contacted Target for more details about the break-in. Target’s notification process was not timely, causing the Attorney General Martha Coakley to initiate an investigation into Target’s safeguards to protect customer information. | It is quite apparent that the Office of the Attorney General and the Office of Consumer Affairs reacted to the breach in accordance with the legislation provided in law books. However, these offices should adopt a more proactive, as opposed to reactive, approach to curbing information security breaches. Measures should have been in place to ensure that data breaches are handled as they arise, before numerous damages and/or losses are felt, as was evident at Target Corporation. |
| Target will no doubt provide remedial services such as a customer hot line for questions, free-credit checks, coupons for future purchases, and the like. | This step taken by Target Corporation is seen as a coerced rather than voluntary initiative to handle the data breach. In a real sense, the corporation should provide the customer hot line for questions and the free checks for credit cards more regularly. |
| Target announced that it has hired a data security forensics firm to investigate the current break-in and to help Target with processes, procedures, and information technology investments to thwart future breaches. | This particular step was appealing in that it shows Target Corporation is concerned with the future welfare of its clients and its own existence. The process of hiring the forensic firm, however, should be quicker in order to realize the objective. |
| The movement to a chip-embedded credit card standard that changes the security access code with each new transaction. This arrangement more thoroughly encrypts user information on the card, making it more difficult for thieves to exploit credit card information for use in future purchases. | This scheme has aided in reducing data-breach-related crime in Europe and should be endorsed by many organizations. |

  3. What reactive steps by Target might have mitigated their losses subsequent to their discovery of the information security breach? Explain/justify your choices.

| Reactive Steps | Explanation |
| --- | --- |
| Prompt response to security alerts. | The text states that Target’s personnel didn’t respond to the alert, thus giving the malware room to spread and build a stronghold. Thirty security alerts had already been raised that hadn’t been looked into. |
| Following of available pre-set policies, procedures and other provisions. | The personnel at Target are also said to have rejected their own well-documented procedures. Also, the antivirus system was working as expected. |
| Considering the danger. | The personnel at Target were indifferent to the danger and just assumed it. Such dangers should be carefully taken into account. |

  4. What proactive steps by Target might deter a reoccurrence of such an information security breach? Explain/justify your choices.

| Proactive Steps | Explanation |
| --- | --- |
| The use of a chip-embedded credit card | These cards are able to change the security access code after each new transaction. This will make it even harder for thieves to break into the system. |
| Enforcement of policies and procedures. | The well-documented procedures should be communicated, elaborated and enforced upon the personnel. There should be clear consequences for failure to follow these provisions. |
| The setting up of a special committee. | Target should set up a committee endowed with the specific task of data breach prevention and monitoring. This will place the process in more appropriate hands, with high interest and concern. |

prepared by rmk 051214