
Information Systems for Managers

Case Analysis-
“Cyber Breach at Target”

Group-2 | Sec D

Ayush Burman | 2020PGP084
Kumar Pranay | 2020PGP217
Namrata Madnani | 2020PGP226
Prakhar Raj | 2017IPM086
Srivastava Kopal | 2020PGP431

Introduction
Target Corporation set out to combine fashion with discount retailing. It operated 1,919 stores
in the USA and Canada, with revenues of over $72 billion and a revenue CAGR of 2.8% over the
previous five years. Between 27th November and 18th December 2013, however, Target suffered
a cyber breach in which the payment card details of about 40 million customers (and, as was
later found, the personal details of many more) were stolen, the second largest breach in
American history at the time. Fazio Mechanical Services, one of Target's vendors, had received
a phishing email through which the attackers obtained credentials for remote access to Target's
network.

After the breach, Target's share price and sales fell by 8.8% and 6.6% respectively. Target
settled with Visa for $67 million and with MasterCard for $40 million. It spent roughly
$290 million in breach-related costs, of which $90 million was expected to be reimbursed by
insurers. 81 consumer cases, 28 bank cases and 4 shareholder cases were filed against Target.
Customers suffered considerable hardship because of the delay in discovering and disclosing
the breach.

Timeline of the Attack

On 15th November, the attackers breached Target's network. They tested their malware on a few
of Target's POS terminals until 28th November, and by 30th November the majority of Target's
POS terminals were infected. FireEye raised an alert about the attack on 30th November, but it
got no response. On 2nd December the attackers started exfiltrating card data, and a second
FireEye alert was issued, only to be ignored again. On 12th December the DOJ notified Target,
and Target finally confirmed the breach on 15th December.

Analysis
Once notified, Target recognised that it had to remove the malware from its systems as soon as
possible; doing so disrupted no store operations. Repeated alerts about the malware had not
been noticed, and Target only reacted after being notified by the Department of Justice. From
that point it responded quickly and, together with the FBI and the Secret Service, began
investigating the matter. Customers were not informed and no public statement was issued until
the breach was reported by an independent blogger. Affected customers (approximately 40 million
credit and debit cards were compromised) were offered free credit and identity-theft monitoring
for a year. It was later found that 70-110 million customers had been affected in total. Target
invested heavily in maintaining customer goodwill and assured customers that they would not be
held liable for fraudulent charges resulting from the breach.

The cyber breach resulted from the interaction of several factors:

i) Target failed to monitor its vendors' security arrangements properly, and information about
its vendors was publicly available, which let the attackers choose a vendor to phish. Target
carried out no security assessment of the vendor, which left it exposed to the attackers. Fazio
relied on the free edition of Malwarebytes Anti-Malware, which is licensed for personal rather
than corporate use and only scans on demand instead of providing real-time protection.
ii) Lack of segmentation of Target's network: the portal that an outside contractor logged into
had a direct route to the payment data network. Once inside, the attackers could reach the
internal networks, access the data and even update their malware for further attacks, which is
how they obtained access to different servers across the firm.
iii) Vulnerabilities in Target's card systems and cash registers had been identified two months
before the breach, but Target's security team undertook no investigation. The POS system had
been found to be vulnerable to cyberattack, and a review of the payment network had been
requested.
iv) Carelessness: Target's in-house security team was unresponsive to FireEye's repeated alerts
and gave higher priority to the Black Friday sale. FireEye's option to automatically delete
detected malware had been turned off. Warnings from Visa and MasterCard were also ignored, and
the attack went unnoticed for 18 days.
v) The organisation had a comprehensive cybersecurity intelligence unit, but it saw multiple
threats every week and, given the large volume of alerts, only prioritised a few of them.

Recommendations
Some steps Target should have taken to prevent, or at the very least detect, the breach are:
i) Stricter requirements, monitoring and upgrading of its vendors' security arrangements. Had
the firm required vendors to track access to sensitive files, built stronger firewalls between
its internal networks and outside parties, complied with the PCI DSS requirements and
eliminated unneeded default accounts, it might have avoided such a data loss.
ii) Paying heed to internally identified security threats, both before and at every stage of
the attack, especially on the recently upgraded POS systems, and acting on the requests for
further review of these critical points of the payment system.
iii) Mandating two-factor authentication for remote access, which is a payment card industry
(PCI DSS) requirement.
iv) Ensuring basic security controls even for low-level vendors such as Fazio, with measures in
place that prevent them from reaching internal, sensitive data such as customer and payment
information.
v) Segregating sensitive internal information from information accessible to external parties.
vi) Developing an automated system, or creating a team, to triage every security alert,
separating false positives from true positives so that every alert is looked at and the genuine
ones are followed up.
vii) Building a network structure that immediately detects and alerts on any foreign intrusion
such as the attackers' malware, and prevents the intruder from moving through the internal
networks, let alone updating the malware. An automatic shutdown of all payment systems could be
triggered once an intrusion is confirmed at a set number of detection levels (recommended:
2 levels), accepting a small rate of false positives given that this breach involved highly
critical and sensitive data.
viii) Additionally, anti-malware tooling could be purchased or developed by Target and launched
automatically as soon as such a breach is detected.
ix) Investigating why the function to automatically delete detected malware was disabled, and
re-enabling it if possible.
x) Triggering alarms to the CIO and store managers as soon as payment data has remained on a
server for more than half a day.
xi) Creating a team specially dedicated to, and accountable for, actively developing, updating
and implementing security protocols, to avoid a repeat, especially in the high-sales months.
This team would also be responsible for keeping these protocols in line with regulations.
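Recommendations vi), vii) and x) describe a triage and escalation rule rather than an organisational change, so they can be made concrete. The following is an added example, not part of the case: it correlates detection alerts per host, opens a ticket for every alert so nothing is silently dropped, and escalates to automatic isolation once a host has been seen at two distinct detection levels (the "2 levels" of recommendation vii). It also implements the half-day alarm of recommendation x over a list of card-data files. The alert lines, host names, signature-to-stage mapping and file list are constructed; the timeline they mimic (a malware alert on 30th November, an exfiltration alert on 2nd December) is the one the case reports.

```python
"""Added example (not from the case): per-host correlation of detection alerts with a
two-level escalation threshold, plus an alarm for card data left on a server too long.
Alert lines, hosts, signatures and file names are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical mapping from detector signature to detection level; each level counts once
# per host, so a hundred copies of the same alert never cross the threshold on their own.
STAGES = {
    "malware.binary": "install",
    "c2.beacon": "command_control",
    "lateral.smb": "lateral_movement",
    "ftp.outbound": "exfiltration",
}

ESCALATE_AT = 2  # distinct levels needed before automatic isolation (recommendation vii)


def parse_alert(line):
    """Constructed alert format: '<iso timestamp> <host> <signature>'."""
    ts, host, sig = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), host, sig.strip()


def triage(lines, escalate_at=ESCALATE_AT):
    """Return {host: record} for every host that raised an alert.

    Every alert produces at least a 'ticket' action, so an analyst has to record a verdict
    on it. A host whose alerts span `escalate_at` distinct levels is marked for isolation
    and a page to the CIO; the low-level alert on its own would only have opened a ticket.
    """
    hosts = defaultdict(lambda: {"stages": [], "first": None, "last": None, "action": "ticket"})
    for line in lines:
        ts, host, sig = parse_alert(line)
        stage = STAGES.get(sig, "unknown")
        rec = hosts[host]
        if stage not in rec["stages"]:
            rec["stages"].append(stage)
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        if len(rec["stages"]) >= escalate_at:
            rec["action"] = "isolate_and_page_cio"
    return dict(hosts)


def stale_card_data(files, now, max_age=timedelta(hours=12)):
    """Recommendation x: return the paths of card-data files that have sat on a server
    longer than max_age. `files` is a list of (path, last_modified) pairs (constructed)."""
    return [path for path, mtime in files if now - mtime > max_age]


# Constructed alerts mirroring the case's timeline. The two 30 Nov alerts are the same
# level and would only open a ticket; the 2 Dec exfiltration alert on the same host is the
# second level and triggers isolation. ws-hr-22 shows a single-level host staying at 'ticket'.
SAMPLE_ALERTS = [
    "2013-11-30T08:12:00 srv-dump-01 malware.binary",
    "2013-11-30T08:15:00 srv-dump-01 malware.binary",
    "2013-12-02T01:40:00 srv-dump-01 ftp.outbound",
    "2013-12-02T03:05:00 ws-hr-22 malware.binary",
]

# Constructed file listing from a hypothetical staging share, checked at DEMO_NOW.
SAMPLE_FILES = [
    ("/share/tmp/cards_2013-11-30.txt", datetime(2013, 11, 30, 9, 0)),
    ("/share/tmp/cards_2013-12-01.txt", datetime(2013, 12, 1, 20, 0)),
]
DEMO_NOW = datetime(2013, 12, 2, 2, 0)

if __name__ == "__main__":
    for host, rec in triage(SAMPLE_ALERTS).items():
        print(host, rec["stages"], rec["action"])
    print("stale card data:", stale_card_data(SAMPLE_FILES, DEMO_NOW))
```

Note the asymmetry the threshold creates: deduplicating by level rather than by raw alert count means the noise the case's intelligence unit complained of does not, by itself, trip the shutdown, while two different detectors agreeing about one host does, which is the trade-off recommendation vii accepts.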
