Fereshteh ghahramani depaul

For the exclusive use of S. Memon, 2020. HEC130 Volume 14 Issue 1 March 2016 Autopsy of a Data Breach: The Target Case Case 1, 2 prepared by Line DUBÉ 3 On December 19, 2013, Target, the second-largest retailer in the United States, announced a breach involving the theft of data from over 40 million credit and debit cards used to make purchases in its U.S. stores between November 27 and December 18. 4 On January 10, 2014, it reported that the cybercriminals had also stolen personal data, including the names, telephone numbers, home addresses and email addresses of up to 70 million additional customers. The Discovery As is often the case in such situations, Target learned of the data breach from law enforcement agencies. Indeed, on December 13, 2013, representatives from the U.S. Department of Justice notified Target’s management of a large number of fraudulent debit and credit card transactions that all seemed to share a link to transactions made at Target. Following this meeting, Target hired a computer forensics firm to investigate the breach. The results confirmed its worst fears: cybercriminals had been hacking into Target’s systems and stealing data from 40 million debit and credit cards used in its U.S. establishments since November 27. Target wasted no time eradicating all the software used by the cybercriminals, but despite the company’s eagerness to stifle the news, word got out and reporters started asking questions. On December 19, under growing pressure, Target announced the breach and theft of the data. Its website and call centre were quickly inundated with calls from worried consumers, creating a nightmare scenario for its customer service department. To make matters even worse, the breach 1 Translation from the French by Andrea Neuhofer of case #9 65 2016 001, “Autopsie d’un vol de données : le cas Target.” 2 This case was written using public information sources and therefore reflects the facts, opinions and analyses published in the media. The blog by the investigative reporter Brian Krebs (krebsonsecurity.com), an expert in the field of computer security, was also a valuable source of information. See the list of publications used at the end of the case. 3 Line Dubé is a full professor in HEC Montréal’s Department of Information Technologies. 4 This date varies between December 15 and 18, depending on the source. December 18 is used here because it is the date given by John Mulligan, Target’s Executive Vice-President and Chief Financial Officer, in testimony before the U.S. Senate Committee on the Judiciary on February 4, 2014 (see http://www.judiciary.senate.gov/meetings/privacy-in-the-digital-age-preventing-databreaches-and-combating-cybercrime). © HEC Montréal 2016 All rights reserved for all countries. Any translation or alteration in any form whatsoever is prohibited. The International Journal of Case Studies in Management is published on-line (http://www.hec.ca/en/case_centre/ijcsm/), ISSN 1911-2599. This case is intended to be used as the framework for an educational discussion and does not imply any judgement on the administrative situation presented. Deposited under number 9 65 2016 001T with the HEC Montréal Case Centre, 3000, chemin de la Côte-Sainte-Catherine, Montréal (Québec) H3T 2A7 Canada. This document is authorized for use only by Sultan Memon in F20/Assignments taught by Fereshteh Ghahramani, DePaul University from Sep 2020 to Mar 2021. For the exclusive use of S. Memon, 2020. Autopsy of a Data Breach: The Target Case occurred during the pre-Christmas shopping season, which included Black Friday, one of the busiest days of the year for “brick-and-mortar” retailers. The data breach affected approximately 10% of all debit and credit cards in circulation in the United States. The financial institutions that had issued the cards from which data had been stolen reacted swiftly to Target’s announcement. Normally, in order to minimize losses, the banks would simply cancel the cards and issue new ones. However, because of the sheer number of cards affected and the massive costs involved, and because the holiday season is a very bad time to leave consumers unable to pay for purchases (without the possibility of paying by credit card or withdrawing cash from an ATM using a debit card), the banks sought alternative solutions.