Target Security Breach MMG 715

The Target data breach of 2013 compromised the payment card information of up to 110 million customers. Hackers accessed Target's network through credentials of an HVAC vendor and installed malware on Target's point-of-sale systems to steal card data for weeks before being detected. The breach had major legal and financial costs for Target and highlighted the need for companies to strengthen network segmentation, monitoring, and response.

Uploaded by

Todo Meaglin

November - 2021

Target Security Breach Case

Background:
Target Corporation traces its origins to 1902, when it was founded by George Dayton. The first
Target store opened in Roseville, Minnesota in 1962, and the parent company was renamed
Dayton Corporation. They merged with the JL Hudson Company in 1969, which later became
Dayton-Hudson Corporation. In 2000, Dayton-Hudson Corporation was renamed Target
Corporation (Rowley, 2003; History of Target Corporation – FundingUniverse, n.d.).
In 1972, stores totaled fourteen units, totaling 46 stores across America. The chain's rapid
growth and the inexperience of its top managers in discount retailing caused Target's profits to
decline for the first time since its establishment. An investigation initiated
at Target's headquarters determined that the loss in operational revenue was due to overstocking
and moving goods over multiple years. After this incident, Dayton-Hudson considered selling its
Target Stores establishment. In 1973, they decided to change their CEO and vice president and
continue with more experienced names. The new management decided to melt down all stock
goods to clear excess stock and only allowed one new unit to open that year (Clipping from Star
Tribune - Newspapers.Com, 1972).
In 1981, Target Stores opened fourteen new units and a third distribution center in Little Rock,
Arkansas, totaling 151 units and $2.05 billion in sales. Since the launch of Target Stores, the
company has concentrated its operations in the center of the United States. In 1982, it expanded
into the West Coast market, opening 33 more stores in Arizona, California and Texas and a
fourth distribution center in Los Angeles. In 1988, Target Stores expanded into the Northwest
United States, opening eight units in Washington and three in Oregon, for a total of 341 units in
27 states. In 1989, it added 60 units in the Southeastern United States, entering Florida,
Georgia, North Carolina, and South Carolina, for a total of 399 units, with sales of $7.51
billion in 30 states (Demott, 1985).
In January 2000, Dayton-Hudson Corporation decided to change its name to Target Corporation.
At that time, the company had 977 stores in 6 states and year-end sales of $29.7 billion. Target
chain stores expanded to 1,488 units in 2006, with sales reaching $59.4 billion. On March 4,
2009, Target expanded outside the Americas for the first time. Two stores opened
simultaneously on the Hawaiian island of Oahu, along with two stores in Alaska. Despite the
economic downturn, media reports indicated a large crowd and lively sales. The opening of
Hawaii stores left Vermont the only state where Target does not operate (Hammer, 1978).

Breach Timeline:

In 2013, the company faced the biggest crisis since its establishment. The incident became one
of the biggest data leaks in the United States and caused great damage to Target
(Sources: Target Investigating Data Breach – Krebs on Security, 2013). On December 18, 2013,
security expert Brian Krebs announced that Target was investigating a massive data breach that
"potentially involved millions of customer credit and debit card records." On December 19,
Target officially confirmed the incident through a press release and announced that the hack took
place between November 27 and December 15, 2013. Target officials announced that the credit
and debit card information of up to 40 million customers may have been stolen. Hackers got hold
of customer names, card numbers, expiration dates and CVV security codes of cards issued by
financial institutions. On December 27, the scandal escalated and Target announced that its debit
card PIN data had also been stolen, albeit in encrypted form. On January 10, 2014, the crisis
deepened and Target announced that the names, home addresses, phone numbers or e-mail
addresses of up to 70 million additional people were also stolen, which could increase the
number of potential customers affected to approximately 110 million (Chapman & d’Innocenzio,
2014).

Figure 1. Timeline of the Target Data Breach, taken from Shu et al. (2017).


According to Bloomberg Businessweek, Target's computer security team was alerted to the breach
through the FireEye security service it used. The team had sufficient time to prevent the theft
of credit cards and other customer data, but did not take action to stop the hack (“Missed
Alarms and 40 Million Stolen Credit Card Numbers,” 2014). These weaknesses deepened the crisis,
and Target officials announced that they were working with law enforcement, including the
United States Secret Service, to "bring those responsible to justice." The data breach has been
dubbed the second largest retail cyberattack in history (Perlroth, 2013).

While the effects of the data breach continued, on March 6, 2014, Target officials announced the
resignation of the Deputy General Manager of Informatics and the overhaul of all information
security practices (Shrivastava & Thomas, 2014).
On May 5, 2014, Target announced the resignation of its CEO, Gregg Steinhafel. According to
analysts, all these crises were the result of excessively aggressive expansion and insufficiently
planned management of the control mechanism (Malcolm, 2014).

Aftermath of the Data Breach:


In past years, major banks have declared that they recognize the costs associated with data
breaches as a cost of doing business (Embry, 2015). As the frequency and severity of data
breaches continued to increase over time, however, judges and the public began to hold retailers
more accountable. As a result, Target's costs from the data breach and the financial uncertainty
associated with it are still increasing.
At the end of 2015, Target officials announced that costs related to data breaches had reached
$290 million (Howland, 2015).
Despite the size of this amount, we can tell from the Home Depot data leak case that companies
are not under enough financial pressure to make significant changes in the way they protect
customer data. In Home Depot's case, the data breach allegedly occurred in September instead of
December, and the company responded within 24 hours. Unlike Target's data breach, the Home
Depot incident was met with a yawn in public (Hill, 2014). represents
less. (Target Corporation, 2015). While Target still has to factor in the costs of ongoing litigation
and investigations, whether the data breach raises enough concern among business and political
leaders to cause significant changes in business and regulatory environments is still a matter of
debate.


Post-Breach: How to prevent and contain further attacks?


The disastrous scale of the Target security breach sent waves across the industry and raises a
question: if a company with the IT infrastructure resources that Target had can be so seriously
compromised by a resourceful targeted attack, what can other companies, or even companies
like Target, do to prevent these attacks? The sophistication of this attack illustrates that
cybercriminals are equipped and possess the incentives to conduct operations that require
intrusion, lateral movement, and data exfiltration in networks that meet stringent security
requirements.

Figure 1. Kill-chain analysis of the 2013 Target attack from Dell SecureWorks CTU research
team analysis report (Jarvis & Milletary, 2014).

A complex attack such as the Target attack involves (1) reconnaissance of the corporate network
layout and underlying technologies, (2) weaponization of the vulnerabilities existing in the
networking, database management, and other IT infrastructure, (3) delivery of the exploit
through public-facing web interfaces or third-party integration services, using social
engineering, (4) execution of the exploit on endpoints, (5) achieving persistence and lateral
movement within the network, (6) gaining command and control in the target servers and
networks, (7) installing malware payloads on the targeted software that acquires critical
information, and finally (8) exfiltrating data out of the network.
There are lessons and effective strategies to be learned from this attack to prevent future
attacks, or to significantly limit the damage any intrusion can cause. The major mistakes in
the Target case were, first, that the company ignored many critical red flags raised by the
security systems in place and turned off multiple intrusion detection systems beforehand (Pigni
et al., 2018). Secondly, Target's networks were not properly segmented from third-party
contractors, which allowed attackers to move laterally in the network (Jarvis & Milletary,
2014), and there was a large surface of unsecured endpoints handling sales data (Shu et al.,
2017).
In their in-depth analysis of the attack, the Dell SecureWorks Counter-Threat Unit Team suggests
a strategy with four fronts to employ against this type of kill chain: Detect, Deny, Disrupt
and Contain. They created a Defensible Actions Matrix that emphasizes the importance of a
multi-layered strategy to halt the kill-chain progression and mitigate the damage that can arise
from individual exploitation events.

Table 1. Defensible actions matrix provided by the Dell SecureWorks Counter-Threat Unit Team to detect,

Although the Target data breach incident points to a few key points of entry as the culprit, a
detailed analysis of the attack indicates that in the next attack the entry points can easily
shift to other vulnerable parts of the system. Given that no security software is
vulnerability-free, this shows the importance of proper network segmentation and of
company-wide policies to detect and halt any ongoing attack before it can reach a disastrous
scale. Assuming this is done properly, attackers have little incentive to undertake highly
expensive operations only to access a limited amount of information, so such attacks become
infeasible and are effectively prevented.
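
An added example (not from the original paper or the SecureWorks report): a short Python audit that treats firewall allow rules as a graph and reports any transitive path from a third-party zone into the point-of-sale zone, or from that zone out to the internet. The zone names, ports and both rule sets are constructed for illustration.

```python
from collections import deque

# Constructed allow rules (source zone, destination zone, port). Zone names and
# ports are hypothetical and do not describe Target's real network.
FLAT = [
    ("vendor_portal", "billing_app", 443),
    ("billing_app", "corp_servers", 445),
    ("corp_servers", "pos_terminals", 445),
    ("corp_servers", "internet", 443),
    ("pos_terminals", "payment_switch", 8443),
    ("pos_terminals", "corp_servers", 21),
]
# Same policy with the two rules that bridge the corporate and POS zones removed.
SEGMENTED = [r for r in FLAT
             if "pos_terminals" not in r[:2] or r[1] == "payment_switch"]

def find_path(rules, start, goal):
    """Breadth-first search: shortest chain of allow rules from start to goal."""
    graph = {}
    for src, dst, port in rules:
        graph.setdefault(src, []).append((dst, port))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        zone, path = queue.popleft()
        if zone == goal:
            return path
        for dst, port in graph.get(zone, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [(zone, dst, port)]))
    return None

def audit(rules, untrusted, protected, egress="internet"):
    """Report transitive paths into protected zones and from them to egress."""
    findings = []
    for src in untrusted:
        for dst in protected:
            path = find_path(rules, src, dst)
            if path:
                findings.append(("lateral", src, dst, path))
    for src in protected:
        path = find_path(rules, src, egress)
        if path:
            findings.append(("egress", src, egress, path))
    return findings

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, audit(rules, ["vendor_portal"], ["pos_terminals"]))
```

No single rule in the flat policy connects the vendor zone to the POS zone; the exposure only appears when the rules are chained, which is why the audit checks reachability rather than individual rules.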


References:
Jarvis, K., & Milletary, J. (2014). Inside a Targeted Point-of-Sale Data Breach. https://portal.secureworks.com/intel/mva?Task=ShowThreat&ThreatId=773

Pigni, F., Bartosiak, M., Piccoli, G., & Ives, B. (2018). Targeting Target with a 100 million dollar data breach. Journal of Information Technology Teaching Cases, 8(1), 9–23. https://doi.org/10.1057/s41266-017-0028-0

Shu, X., Tian, K., Ciambrone, A., & Yao, D. (2017). Breaking the Target: An Analysis of Target Data Breach and Lessons Learned. ArXiv:1701.04940 [Cs]. http://arxiv.org/abs/1701.04940

Chapman, M., & d’Innocenzio, A. (2014, January 10). Target: Breach affected millions more customers. https://finance.yahoo.com/news/target-breach-affected-millions-more-184807005.html

Clipping from Star Tribune—Newspapers.com. (1972, July 15). Star Tribune (Minneapolis - St. Paul). http://startribune.newspapers.com/clip/78521433/star-tribune/

Demott, J. S. (1985, May 20). Calling It Quits. TIME. https://web.archive.org/web/20071014111547/http://www.time.com/time/magazine/article/0,9171,956312,00.html?iid=chix-sphere

Hammer, A. (1978, March 28). Clipping from Star Tribune—Newspapers.com. Star Tribune (Minneapolis - St. Paul). http://startribune.newspapers.com/clip/78521598/star-tribune/

History of Target Corporation – FundingUniverse. (n.d.). Retrieved November 19, 2021, from http://www.fundinguniverse.com/company-histories/target-corporation-history/

Malcolm, H. (2014, May 5). Target CEO out as data breach fallout goes on. USA TODAY. https://www.usatoday.com/story/money/business/2014/05/05/target-ceo-steps-down/8713847/

Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. (2014, March 17). Bloomberg.Com. https://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data

Perlroth, N. (2013, December 19). Target Struck in the Cat-and-Mouse Game of Credit Theft. The New York Times. https://www.nytimes.com/2013/12/20/technology/target-stolen-shopper-data.html

Rowley, L. (2003). On Target: How the world’s hottest retailer hit a bullseye. Hoboken, N.J.: J. Wiley. http://archive.org/details/ontarget00laur

Shrivastava, A., & Thomas, M. A. (2014, March 5). Target announces technology overhaul, CIO departure. Reuters. https://www.reuters.com/article/us-target-security-idUSBREA241DE20140305

Sources: Target Investigating Data Breach – Krebs on Security. (2013, December 18). https://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/

Embry, S. E. (2015, July 6). At risk: Community banks and the recovery of losses due to merchant data breach. Lexology. Retrieved November 25, 2015, from http://www.lexology.com/library/detail.aspx?g=eceb0fee-7686-4f9b-bfbe-f53e6903540d

Howland, D. (2015, December 3). Target reaches $39.4 M settlement with banks over massive breach. RetailDive. Retrieved from http://www.retaildive.com/news/target-reaches-394m-settlement-with-banks-over-massive-breach/410208/

Hill, C. (2014, September 25). Home Depot’s data breach is worse than Target’s, so where’s the outrage? MarketWatch. Retrieved November 25, 2015, from http://www.marketwatch.com/story/yawn-who-cares-about-home-depots-data-breach-2014-09-24

Target Corporation. (2014, January 13). Target announces $5 million investment in new cybersecurity coalition. A Bullseye View. Retrieved from https://corporate.target.com/article/2014/01/target-introduces-cybersecurity-coalition/
