Ethics,

Target Case Study Project


History Of Target Company, sector, and business value.
• With its first store opening in Roseville, Minnesota, on May 1, 1962, Target aimed to
differentiate itself by providing many features of traditional department stores but
with the low prices typically associated with discount retailers. The name Target was
chosen purposefully, as Stewart Widdess (Director of Publicity) states: “As a marksman’s
goal is to hit the center bulls-eye, the new store would do much the same in terms of
retail goods, services, commitment to the community, price, value and overall
experience”. The company went public on October 18, 1967 (under the name “Dayton
Corporation”), and began expanding across the country. Through various acquisitions
and expansions into new areas of the country, Target has become the second-largest
discount retailer in the United States (behind Walmart). As of February 1, 2014, Target
operated 1,793 retail store locations in the United States, employed approximately
360,000 employees, and had annual revenues of $72.6 billion.
• Sector: Economic / Sales and Marketing
Possible Stakeholders Of The Company

• Stewart Widdess: Target's Director of Publicity
• Brian Krebs: Security Researcher
• Gregg Steinhafel: Chairman/CEO/Pres of Target
• FireEye: Malware Detection Tool Developer
• Amazon: Old partner of Target
• Verizon: Security Investigators
• Fazio: Supplier of Refrigerator devices and services
• Brian Cornell: 2nd chairman and CEO
• Bob Rhodes: CIO
What did the company do to improve its business ethics and values?

• Invested heavily in improving cybersecurity operations and created the first cyber fusion center.
• Added chip readers with PIN codes for customers
• Switched and replaced staff members
THIS IS THE MISCONDUCT(S) COMMITTED BY TARGET IT DEPARTMENT

Lying to Outside Stakeholders: Denying that they had been breached, so that their reputation was damaged and they lost
customers as a result.


The Type Of Misconduct Committed By Other Parties

Fazio:
Falsification or Fabrication:
Not doing a task that they were supposed to do, which causes operations to
malfunction when the required actions are needed.

Amazon:
Violating internet use policy:
Sharing users' information with another company without permission,
which leaks a lot of information about the customers without their consent.
THIS IS THE IMPACT OF THE BREACH DEVASTATING

Yes, because it impacted seventy million individuals and dropped the percentage of the household
shopping by 10 percent.


The ethical dilemma, its effect on the company, and the identified breach origin

The ethical dilemma is:
An IT user who shares this information with an unauthorized party, even inadvertently, has:
• violated someone’s privacy, or
• created the potential that company information could fall into the hands of competitors.

Its effect on the company:
The result of this negligence from both IT workers and end-users was a major
breach of the confidentiality of Target company information.

The breach origin:
The initial point of entry appears to have stemmed from hijacked credentials stolen from
Fazio Mechanical Services, a third-party service provider. Fazio, a supplier of refrigeration devices and services,
began working with Target to support the expansion of fresh food offerings across stores in the United States.
As with many other vendors and suppliers of Target, Fazio was provided access to Target’s systems to handle
“electronic billing, contract submission, and project management.” Fazio Mechanical did not, however,
“perform remote monitoring or control of heating, cooling, or refrigeration systems for Target”.
THIS IS THE ROLE OF THE GOVERNMENT IN ADDRESSING THE BREACH

The government contacted Target about a possible data breach on its network; the government's role is to
supervise unusual activity.


THIS IS THE MAJOR FAILURE COMMITTED BY THE BOARD OF DIRECTORS

They denied that there was a breach or that some of their data had been stolen until the reports came in.


THE TYPE OF ATTACK AFFECTED TARGET? DO YOU THINK THE PRACTICES IMPLEMENTED
AFTER THE BREACH ARE ENOUGH TO PREVENT ANY FUTURE INCIDENTS? WHY OR WHY
NOT?

Malware Attack.
Opinion: Possible, because of the extra security measures that Target has added in order to prevent
future incidents from happening.
WHAT WAS/WERE THE TYPE(S) OF PERPETRATOR(S) AND EXPLOITS INVOLVED IN THE
BREACH?

Exploit: Malware (Citadel)
Perpetrator: Financial Gain Criminals
What were the practices followed by Target, before the breach, to handle any
possible incident? Do you think they were enough? Why or why not?

1) Target employed a staff of dedicated security professionals to implement safeguards that
protect sensitive data.

2) Passed the compliance audit for PCI-DSS.

3) Completed implementation of the malware detection tool by FireEye.

• Opinion:
No, because there was no inner protection for the company, so it was vulnerable to its own
employees and partnerships.
The steps followed by Target to solve the problem. Do you think the steps
were enough? Why, why not?

• Compensated customers with one year of free credit monitoring
• Commissioned security professionals in order to unveil more breach details.
• Performed a detailed security audit.

• Opinion:
• Yes, because the compensation may satisfy some customers as their losses are partially
recovered, whereas the security steps taken will put the company in a high-security
structure and prevent a similar incident from happening again.
Comparison between what is reported by Target representatives and what is
reported by the consultation company (Verizon)

• Date
  Target: Nov-Dec 2013
  Verizon: -

• Cause
  Target: Victimized Fazio Mechanical Services (Shared Systems)
  Verizon:
  - Misconfigured Services
  - Missing Critical Microsoft Patches
  - Running outdated web server software

• Actual Influence
  Target: Impact on certain guests making credit and debit card purchases in Target's U.S. Stores
  Verizon: All sensitive data accessed.

• Affected Number
  Target: Seventy Million Individuals
  Verizon: -

• Steps Implemented to Solve
  Target:
  - Worked with law enforcement and financial institutions
  - Partnered with a leading third-party forensics firm
  - Eliminated Malware in access point
  Verizon:
  - Gained access of the network and domain through weaknesses
  - Tested several vulnerabilities on the Network in order to reveal flaw
DO YOU THINK TARGET WOULD REPORT THE BREACH IF THERE WAS NO COMPROMISE
FROM THE MEDIA? WHAT MAKES A COMPANY REVEAL SUCH NEWS?

No, because it would embarrass the company and discourage customers from coming into their markets,
as well as cause employees to move away from the company due to the bad reputation.
Risk assessment plan in the case of infection by the ‘Citadel’ malware:
the tasks that should’ve been implemented to prevent the incident.

- Installation of Corporate Firewall: was implemented.
- Intrusion Detection System: was implemented.
- Antivirus Software: was implemented.
- Implement Safeguards against attacks by malicious insiders: was implemented.
- Conducting Periodic IT security audits.
- Address Critical internet security threats.
16. DO YOU THINK THIS INCIDENT REVEALS THAT TARGET BREACHED THEIR CLIENTS’
INFORMATION PRIVACY (I.E. DATA AND COMMUNICATION)?

Yes, since they had an old partnership with Amazon which revealed the data of their customers.
Finally; Much Appreciations For Your Listening
