Fluent Essays

·  The write-up should be at most 1,000-words (12-point font, 1.5 spaced)  1.  “Cyber Breach at Target” Case Questions 1.  What is your diagnosis of the breach at Target—was Target particularly vulnerable or simply unlucky? 2.  What, if anything, might Target have done better to avoid being breached? What technical or organizational constraints might have prevented them from taking such actions? 3.  What is your assessment of Target’s post-breach response? What did Target do well? What did they do poorly? 4.  What lessons can you draw from this case for prevention and response to cyber breaches? What do you think companies can do better today to protect themselves from cyber breaches and in their post-breach response? 9 - 1 1 7 - 0 2 7 R E V : J A N U A R Y 1 0 , 2 0 1 9 Professors Suraj Srinivasan and Lynn Paine and Research Associate Neeraj Goyal prepared this case. This case was developed from published sources. Funding for the development of this case was provided by Harvard Business School and not by the company. HBS cases are developed solely as the basis for class discussion. Cases are not intended to serve as endorsements, sources of primary data, or illustrations of effective or ineffective management. Copyright © 2016, 2019 President and Fellows of Harvard College. To order copies or request permission to reproduce materials, call 1-800-545- 7685, write Harvard Business School Publishing, Boston, MA 02163, or go to www.hbsp.harvard.edu. This publication may not be digitized, photocopied, or otherwise reproduced, posted, or transmitted, without the permission of Harvard Business School. S U R A J S R I N I V A S A N L Y N N P A I N E N E E R A J G O Y A L Cyber Breach at Target In November 2013, Target Corporation was the subject of one of the largest cyberattacks in history. Heading into Christmas, the retail industry’s busiest season of the year, hackers stole credit and debit card information for 40 million Target customers and names, as well as home and email addresses for another 70 million. The attack and Target’s response exposed the company to intense criticism and raised questions about the accountability of Target’s board of directors and the Audit Committee and Corporate Responsibility Committee that were responsible for the oversight of both operational and reputational risks. Leading proxy advisory firm Institutional Shareholder Services (ISS) recommended that Target shareholders vote against the re-election of 7 of Target’s 10 board members, including the chair of the Audit Committee. Investors filed derivative suits charging the board with breach of fiduciary duty and waste of corporate assets, with lack of diligence in protecting sensitive customer information, and with failure to oversee risks to brand value. While Target’s board vigorously defended its performance, observers were left wondering about the extent of board accountability for a breach of such large magnitude. Company Background Target’s origins could be traced to George Dayton’s establishment of a Minneapolis department store in 1902. In 1909, Dayton opened a discount store, focusing on customers who could not afford the higher-priced department store.1 In the 1950s, discount stores started taking market share from department stores by offering branded, quality products at lower prices. In 1962, the Dayton Company opened its discount stores branded Target at the same time Sam Walton was founding Walmart and Sebastian Kresge was starting Kmart. Target created its unique brand image by selling quality goods at low prices in an upscale environment, when its competitors focused on selling goods as cheaply as possible. In advance of Target’s opening, Douglas Dayton had stated in 1961, “[Target will] combine the best of the fashion world with the best of the discount world, a quality store with quality merchandise at discount prices, and a discount supermarket . . . a store you can be proud to shop in, a store you can have confidence in, a store that is fun to shop and exciting to visit.” 2 Target embraced this approach as the store that offered everyday consumers high-quality products at discount store prices embodied in its slogan, “Pay Less, Expect More,” first advertised in 1994.3 This ethos allowed Target to differentiate itself from competitors like Walmart. Target appealed to the latest For the exclusive use of G. Ssebagala, 2021. This document is authorized for use only by Geoffrey Ssebagala in MSIS 512 - Information Security taught by Stephanie Lee, University of Washington from Sep 2021 to Jan 2022. 117-027 Cyber Breach at Target 2 consumer tastes by offering new fashions and fresh trends and even collaborated with designer labels such as Maternity, Jason Wu, and Liz Lange.4 In 2004, the Dayton Company divested its Mervyn’s and Marshall Field’s stores and focused solely on Target, which accounted for nearly 80\% of the sales of the parent company.5 For fiscal 2013, Target had revenues of over $72 billion, reflecting a 2.8\% compound annual growth rate over the previous five years.6 (See Exhibits 1–3 for recent financial statements and Target’s stock performance.) As of November 2013, Target operated 1,919 stores, 1,797 in the U.S. and 122 in Canada, representing over 254 million retail square feet. Target competed with the largest U.S. retailers, such as Walmart, Sears, and Kohl’s. 7, 8 Target was proud of its corporate citizenship. Every financial press release in 2013 included this statement: “Since 1946, Target has given 5 percent of its profit through community grants and programs; today, that giving equals more than $4 million a week.”9 A typical Target store had around 80,000 Stock Keeping Units (SKU) a offering a wide variety of electronics, household products, apparel, and even groceries at its SuperTarget locations. 10 Target also offered its customers credit through its REDcard program. As with all retailers, the Thanksgiving-to- Christmas shopping season represented the busiest period for Target; for the 2013 Christmas season, the company had increased employment by 50,000 over its normal base of around 366,000.11, 12 In each year from 2010–2013, the company derived around 30\% of its revenues from the fourth quarter.13 Hackers Strike Target In September 2013, hackers from an unknown location initiated a phishing email campaign b against one of Target’s external heating and ventilation providers, Fazio Mechanical Services.14, 15 Information about Target’s vendors was publicly available online and hence accessible to anyone looking for it. When a Fazio employee opened the malicious email, it enabled hackers to steal all of Fazio’s passwords.16 Fazio’s main method to detect malware was a free version of a security product called “Malwarebytes Anti-Malware,” whose license explicitly prohibited corporate use. But Fazio had used it anyway, and Target did not monitor the vendor’s security arrangements. Also, that same month, Target’s security team identified vulnerabilities in the firm’s payment card systems and cash registers, but no further investigations were undertaken or ordered by Target officials. 17 On November 15, 2013, using Fazio’s credentials, hackers gained access to Target’s network for electronic billing, project management, and contract submission.18 To prevent such an intrusion, Target could have required two-factor authentication—a regular password, enhanced with a verification code sent to the vendor’s mobile phone—which was a payment card industry (PCI) standard for remote access by third parties, but was not being required by Target.19, 20 According to an industry analyst who managed some of Target’s vendor relationships:21 Only the vendors in the highest security group—those required to directly access confidential information—would be given a token, and instructions on how to access that portion of the network. . . . Target would have paid very little attention to vendors like a An SKU identifies each distinct item offered in a retailer’s product catalog, and can vary by manufacturer, material, size, color, and other features. b Phishing email campaigns are attempts by Internet scammers to acquire sensitive personal information such as user names and passwords, credit card information, and other data by sending emails with malicious links. These emails typically ask unsuspecting users to visit a fraudulent website and enter information into a seemingly appropriate website, but allow scammers to steal and misuse gathered data. For the exclusive use of G. Ssebagala, 2021. This document is authorized for use only by Geoffrey Ssebagala in MSIS 512 - Information Security taught by Stephanie Lee, University of Washington from Sep 2021 to Jan 2022. Cyber Breach at Target 117-027 3 Fazio, and I would be surprised if there was ever even a basic security assessment done of those types of vendors by Target. Moreover, because Target’s network was not properly segmented, the hackers gained access to sensitive customer payments and personal data.22 According to an industry expert, “there should never be a route between a network for an outside contractor (such as Fazio) and the network for payment data. In Target’s case, there was and the hackers found it and exploited it.” 23 According to investigators, the attack started on a small number of Point-of-Sale (POS) systems between November 15 and November 28, heading into the busiest holiday shopping season for U.S. retailers. By November 30, the majority of Target’s POS system had been affected. The hackers installed malware c called “Citadel” on specific POS systems in Target’s retail stores.24,25 Once the hackers installed the malware, they used a “RAM scraping” attack method;d this allowed the hackers to collect encrypted data as it passed from the POS systems to the payment processing providers Visa and MasterCard.26 The malware collected credit and debit card information encrypted on the cards’ magnetic strips whenever a customer swiped at the store.27 Target’s network design allowed hackers to move about Target’s internal networks and even update the malware for another wave of attacks.28 According to a security report, “The attackers reportedly first installed three variants of this malware on November 30 and updated it twice more, just before midnight on December 2 and just after midnight on December 3.”29 On December 2, and over the next two weeks, the malware started exporting the collected data through another compromised Target server, to an external server based in Russia.30 (Refer to Exhibit 4 for a timeline of the cyberattack.) In all, hackers gathered 11 gigabytes (GB) of stolen data, which represented around 40 million debit and credit card accountse and could be sold on the black market for as much as $100 per credit/debit card number.31, 32, 33 According to lawsuits filed by affected customers, “On Dec. 11, one week after hackers breached Target’s systems, Easy Solutions, a company that tracks fraud, noticed a ten to twentyfold increase in the number of high-value stolen cards on black market web sites, from nearly every bank and credit union.”34 Security Warnings Initially Ignored Target contracted its cybersecurity monitoring to FireEye, Inc., a firm that provided malware detection tools and a team of security specialists in Bangalore, India. These security specialists were required to monitor Target’s systems around the clock.35 The FireEye team initially raised an alert of an attack right after the Black Fridayf shopping season, on November 30.36, 37, 38 The FireEye team in India sent an electronic alert to Target’s in-house security team in Minnesota indicating that the c Malware (or “malicious software”) is any program or file that is harmful to a computer user. This includes computer viruses, worms, Trojan horses, and also spyware, programming that gathers information about a computer user without permission. d RAM scraping or memory scraping malware targets encrypted data in a computer system’s memory, where the data is in plain- text format. According to security experts, in order to process data or code, the information needs to be decrypted in memory, which makes the system vulnerable. RAM scraping malware intercepts the data when the code sees 16 characters ending with a zero or special character, as is the case with credit card data. e Target later revised its estimates of affected customers from 70 million to 110 million, and included other types of data such as mailing and email addresses and phone numbers, data that Target had collected over time. f Black Friday is the Friday after Thanksgiving Day (Thanksgiving is the fourth Thursday in November), and marks the beginning of the Christmas shopping period in the U.S. In the 2000s, it became increasingly common for U.S. retailers to open earlier in the day at 5 or 6 a.m. on Black Friday, and in 2014, Target opened its doors at 6 p.m. on Thanksgiving Thursday. For the exclusive use of G. Ssebagala, 2021. This document is authorized for use only by Geoffrey Ssebagala in MSIS 512 - Information Security taught by Stephanie Lee, University of Washington from Sep 2021 to Jan 2022. 117-027 Cyber Breach at Target 4 monitoring software had detected malware intrusions but that the install had not been activated yet. However, the U.S. team did not respond to the alert. According to the subsequent investigation, the U.S. team could have potentially viewed the FireEye alert as a false positive since multiple alerts were being generated under generic names like “malware.binary.”39 Once the malware started extracting the data to the hackers on December 2, the security team in India again alerted Target’s security team in Minneapolis, but got no response. 40, 41 From December 2 through December 15, hackers collected customers’ credit card data in real time. Every time a customer swiped a card at the register, the financial data linked to the card was sent to one of three “staging points”—storage facilities created within Target’s networks. To avoid setting off alarms, the data was stored on Target’s networks for six days and then transmitted through a number of fake servers before being sent to the hackers’ personal servers. According to two experts who audited the breach, “The breach could have been stopped there without human intervention. The system has an option to automatically delete malware as it’s detected. . . . Target’s security team turned that function off.”42 It was unclear why this function was turned off. (Refer to Exhibit 5 for a graphical representation of Target’s missed opportunities, and Exhibit 6 for a summary of analysis by a U.S. Senate subcommittee on the Target data breach.) Before the attack, the information security functions were split among the Chief Financial Officer, the Chief Information Officer, and the General Counsel (refer to Exhibit 7 for a description of Target’s pre-breach information security structure). Beth Jacob was Target’s Chief Information Officer (CIO) during the attack, and she oversaw teams in India and the U.S.43 Although the cyberattack through the POS system was not necessarily under the direct purview of the CIO, according to analysts, detecting the breach seemed to fall under the CIO’s responsibilities.44 Target Discovers the Breach (week of December 12–19) On December 12, 2013, the U.S. Department of Justice (DOJ) contacted Target about the breach, making the company’s U.S. executive team aware of its seriousness. 45 On the same day, JP Morgan Chase began alerting credit card companies of a pattern of fraudulent credit card charges initiated at Target.46 The next day, Target executives met with the DOJ and the U.S. Secret Service, and on December 14, Target hired a third-party forensics team to investigate the breach.47 In a later interview with CNBC, Target CEO Gregg Steinhafel explained that he first found out about the breach on the morning of December 15 after the internal security team had confirmed the attack. On December 15, Target began removing the malware from its systems and the attackers started losing access to the Target network, but Target wanted to avoid disruption in store operations and did not close its stores. 48 The company took until 6 p.m. on December 15 to remove the malware. g,49 On the 16th, Target initiated an investigation and began forensic work, and on December 17, the company started preparing its stores and call centers to answer customers’ questions.50 The first public indication of the breach came on December 18, from Krebs on Security, a popular online security blog run by David Krebs. 51, 52 Sources at credit card issuers informed Krebs that the breach extended to nearly all Target locations in the U.S. and had occurred from Thanksgiving to December 15. It was unclear if online customers had been affected. Krebs reported that more than one million cards had been compromised, and warned that if hackers were able to steal debit card PIN data, g By December 15, Target removed most of the malware on its networks. However, card information for 56 additional customers who shopped at Target on December 16 and December 17 were stolen since a small number of POS systems that had been disconnected from the network during the initial cleaning continued to be infected until then. For the exclusive use of G. Ssebagala, 2021. This document is authorized for use only by Geoffrey Ssebagala in MSIS 512 - Information Security taught by Stephanie Lee, University of Washington from Sep 2021 to Jan 2022. Cyber Breach at Target 117-027 5 they would potentially be able to steal money directly from customers’ accounts and ATMs.53 Media outlets soon picked up the story and obtained confirmation from the Secret Service that it was investigating the incident. One media outlet quoting an unnamed source stated, “[W]hen all is said and done, this one will put its mark up there with some of the largest retail breaches to date.” 54 Target refused to confirm the incident that day. Target Announces the Breach On December 19, one week after it was first contacted by the DOJ, Target posted on its corporate website (and not the more frequented consumer website) and distributed through regular media outlets a press release stating that it was “aware of” unauthorized access to payment card data.55 The press release explained that between November 27 and December 15, 2013, approximately 40 million credit and debit card accounts belonging to Target customers had been affected.56 “Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts,” stated the press release.57 Target customers immediately began noticing fraudulent transactions on their accounts. One customer stated, “Sure enough, there were charges from various online retailers that neither I nor my husband had made.”58 Another customer called Target’s hotline “at least 40 times” on December 20, the day after the announcement, and “When she finally got through, the pre-recorded message referred her to a Web address: http . . . forward slash, forward slash . . . and so on.” Customers complained about poor service when they tried to gather more information on the breach and how it might affect them. 59 Customers found Target’s website difficult to navigate, and the dearth of information left customers ill-equipped to plan.60 On December 20, CEO Steinhafel explained in a letter posted on Target’s website and sent to customers via email and U.S. mail that “there is no indication that PIN numbers have been compromised.”61, 62 The CEO also explained that simply having shopped at Target during this period did not imply that they would be victims of the fraud, and that the level of fraud had been low in similar situations. 63 Target offered free credit and theft monitoring for affected customers for a year and reassured customers that they would not be held liable for any fraudulent charges resulting from the breach.64 (See Exhibit 8a for Target’s announcement and Exhibit 8b for Steinhafel’s letter.) Target also stated that it was not likely that birth dates and Social Security numbers had been accessed.65 In a video apology posted on Target’s corporate website the same day, Steinhafel explained that the wait times to Target’s call centers were “unacceptable” and that his team was “working around the clock” to shorten the wait times. Steinhafel offered the 10\% employee discount to customers who would shop in Target stores on December 21 and December 22.66, 67 The CEO highlighted three steps for its concerned customers to follow, namely, to check credit card activity to see if there were any suspicious charges, contact the card provider or Target itself if a customer found suspicious charges, and check their credit services report.68 However, customers felt ill-equipped to protect themselves. One customer stated, “How the hell am I supposed to monitor my account if I can’t get into it. . . . No excuse you have is good enough.”69 The pressure on Target’s management to efficiently manage the breach response continued to build. On December 20, Krebs on Security learned that underground black markets had been inundated with stolen credit and debit cards that were being sold in batches of one million cards for $20 to $100 per card.70 These card batches were considered high “quality,” as data had been stolen from the cards’ magnetic stripes and could be cloned more easily. Krebs spoke with a bank in New England and found that although bank officials had so far identified 6,000 customers (5\% of its card portfolio) who had For the exclusive use of G. Ssebagala, 2021. This document is authorized for use only by Geoffrey Ssebagala in MSIS 512 - Information Security taught by Stephanie Lee, University of Washington from Sep 2021 to Jan 2022. 117-027 Cyber Breach at Target 6 shopped at Target during the breach period, they had not received any notifications from Target or law enforcement. The bank representative stated, “Nobody has notified us. Law enforcement hasn’t said anything, our statewide banking associations haven’t sent anything out . . . nothing.” 71 On December 25, a payment executive familiar with Target’s breach stated that PIN information had been stolen, and on December 27, Target reversed its earlier position to confirm that PIN information had, in fact, been stolen. 72, 73 In addition to PIN data, CVV numbers and expiration dates had been compromised, and customers need not have even swiped their cards in a Target store. Target had retained data over time, which had now been stolen.74 Target explained that although PIN information had been stolen, it remained encrypted, and a decryption key, which was necessary to unlock and decipher the PIN code, was not stolen, as it was never stored on Target’s network. Only the independent payment processor could decrypt this code.75 On January 10, Target announced that, in addition to payment card data, personal information including names and mailing and email addresses had also been stolen for 70 million customers, 30 million more than Target had initially reported.76, 77, 78 This revelation raised questions about what other data the hackers might have accessed. An industry analyst explained, “For somebody to actually go out and open credit in your name, it’s pretty tough to do if they don’t have your Social [Security number]. . . . But if they have your Social and have all this other stuff too, it compounds the problem.” 79 Target collected Social Security numbers from customers who applied for Target’s flagship credit card product, the REDcard. A brand expert captured the grim customer sentiment: The retailer has reached its lowest consumer perception point since at least June 2007. While many say they can understand a store getting hacked, they’re having problems getting their heads around what one customer called a “disheartening” response to the security breach. Many are vowing to avoid shopping at Target, while others have canceled their REDcards . . . or are planning to sue. 80 Steinhafel explained in an interview on January 12, 2014: “The call center experience initially, was unacceptable, and for that, I apologize for that. . . . As of Friday [January 10], our wait times were only 8 seconds.” 81 The hackers targeted a large number of customers, which allowed for small charges that could easily slip past an unsuspecting eye.82 “It’s just very frustrating,” explained an affected customer who had pored through her statements in great detail to find two unauthorized charges—one from iTunes, and a strange $14 charge she did not make. Another customer found her bank account depleted from $3,643.53 to $5.86, forcing her to borrow for food and for her son’s tuition.83 Postmortem: What Went Wrong? A Senate investigation found that at least two months before these attacks, Target’s security team had highlighted vulnerabilities in Target’s POS system and asked to review Target’s payment network.84 According to a former employee, Target was updating its payment terminals, and this left security analysts with less time to find flaws in the system. But the Senate report found that the review request was ignored, as Target was preparing for a busy Black Friday weekend. It remained unclear who within Target’s management made this decision, but according to an employee: The sheer volume of warnings that retailers receive makes it hard to know which to take seriously. Target has an extensive cybersecurity intelligence team, which sees numerous threats each week and could prioritize only so many issues. 85, 86 For the exclusive use of G. Ssebagala, 2021. This document is authorized for use only by Geoffrey Ssebagala in MSIS 512 - Information Security taught by Stephanie Lee, University of Washington from Sep 2021 to Jan 2022. Cyber Breach at Target 117-027 7 Target had received a certification of compliance with the Payment Card Industry Data Security Standards (PCI DSS) as recently as September 2013 from Trustwave Holdings, an information security company.87, 88 Card companies required merchants to receive this certification before they would process transactions. In late 2013, the payment card industry was set to adopt the latest set of standards, PCI DSS 3.0. Large organizations such as Target were subject to yearly audits of their security networks. 89 Trustwave was considered a leader in the security industry, having performed thousands of these certifications and audits for retailers and payment processors.90 However, some clients certified by Trustwave had suffered large cyberattacks soon after receiving their certifications. 91 According to industry observers, “It [recent cyberattacks] also raised important questions about the liability of third-party companies that audit and certify the trustworthiness of restaurants, retailers and others that accept bank card payments.”92 In addition, the standards themselves were not considered dynamic. According to analysts, security needs evolved at a quicker pace—a compliant company could become non-complying the next month if firewalls were installed and configured incorrectly, or if segregated systems became connected because access restrictions were misappropriated.93 In addition, new vulnerabilities could arise if a company changed servers or its software architecture, or even installed new programs. As such, industry analysts considered the PCI standards to be a “floor and not the ceiling.”94 According to a technology industry expert, it was unlikely that Target was even compliant with PCI 2.0 at the time of the breach, because the attack affecting millions of customers went unnoticed for 18 days.95 To disrupt the attack, Target should have taken measures called for in the PCI DSS 2.1, the version of PCI DSS in effect at the time of the breach. Target should have eliminated unneeded default accounts, which the hackers utilized to access the most sensitive parts of Target’s network. Additionally, Target should have required vendors to closely monitor the integrity of their critical system files, which would have put Fazio on notice that hackers had stolen its Target credentials. Finally, Target could have created stronger firewalls between its internal systems and external Internet; checked the location of the credentialed log-ons; and created a list of approved servers and Internet connections Target’s network could communicate with. 96,97 The Aftermath Target’s total sales fell 6.6\% for the fourth quarter of 2013, and compared to the previous year, net earnings for the fourth quarter dropped by 46\% to $520 million. 98, 99 As of February 1, 2014, six weeks after the date of the breach announcement, the firm’s stock price was down 8.8\% to $56.7 per share.100 Target also forecasted roughly 20\% lower earnings per share (EPS) guidance after the episode. By the end of 2014, Target had incurred $162 million in costs due to the data breach, and the amount was expected to …