Target Corporation was incorporated in Minnesota in 1902 and currently offers everyday essentials and fashionable differentiated merchandise at discounted prices. Target relies strongly on its technology infrastructure to deliver a preferred shopping experience. Prior to the first quarter of 2013, Target operated in the US credit card segment, providing credit to its Guests. Additionally, until January 15, 2015, Target also operated within the Canadian segment (Target Corporation, 2015).
About the data breach
During the fourth quarter of 2013, Target experienced a significant data breach which impacted its ability to handle customer enquiries, resulting in weaker than expected sales along with the loss of certain payment card and guest information from its network (Target Corporation, 2015). The information which was taken included names, email addresses, phone numbers or mailing addresses and has affected up to 70 million individuals. Additionally, the breach has impacted approximately 40 million credit and debit card accounts (corporate.target.com, n.d.).
Short term effects
From Target’s perspective, the data breach was costly: as of January 31, 2015, it had incurred net cumulative breach expenses of $162 million. In addition, fraudsters and scam artists were using the opportunity to target Target’s customers via various attack vectors such as phishing, social engineering, smishing and pretexting. Target also took a number of initiatives: enhancing monitoring and logging, implementing application whitelisting on point-of-sale systems, implementing enhanced segmentation, reviewing and limiting vendor access, resetting passwords of 445,000 within its infrastructure, and broadening the use of two-factor authentication (corporate.target.com, 2014). All these initiatives may be part of the $162 million Target spent as a result of the data breach.
Even though the above is directly related to Target, the short term effect on the industry has been that more companies allocate resources towards preventing, detecting and resolving cyber breaches. Cyber security budgets have increased by 34 percent, with fifty percent of this going towards Security Incident and Event Management (SIEM) tools, forty eight percent to endpoint security, forty four percent to intrusion prevention and detection technologies and thirty eight percent towards encryption and tokenization (Ponemon, 2015). While companies have also focused on technologies, senior management in general has shown extremely high concern about cyber security incidents (Ponemon, 2015).
While companies may be in a position to implement new processes and hire new people to deploy and/or maintain the latest and/or greatest technologies, the same cannot be readily said about individuals. In the short term, individuals need to be vigilant when receiving any communications purporting to be from Target and/or any other breached entity. As stated above, fraudsters have chosen techniques such as phishing, social engineering, smishing and pretexting to dupe potential victims. Individuals may help to protect themselves by, at a minimum, having all patches and relevant updates installed on their computer, while also having up-to-date antivirus or other anti-malware tools.
Long term effects
In the long term, greater effort would be placed on the strategic importance of IT security to the operations of the companies. This would result in more focus being placed on the people and the process rather than on the technology. As an example, companies are now focusing on the creation of an Incident Response Team, training and awareness activities, measurement of data security effectiveness, policies and procedures along with specialized education for IT security staff (Ponemon, 2015).
In addition, as in the case with Target, companies may face court action from customers, card issuing banks, shareholders and/or other individuals seeking relief (Target Corporation, 2015).
While it is expected that companies will continue to invest in people, processes and technologies, they will also look into buying insurance to cover any costs which may be associated with a data breach on their infrastructure. Target maintains $100 million of network security insurance coverage, above a $10 million deductible. It is believed that this coverage along with other insurance may reduce its exposure to cyber attacks (Target Corporation, 2015). In the next 5 years a larger amount of services will be conducted online. This increase in online activity will result in more companies looking to lower the risk from cyber attacks (ibisworld.com, 2014).
More importantly, as hacks similar to Target's continue to occur, greater efforts will be made towards information sharing, so as to reduce the probability (and effects) of breaches propagating beyond their initial target. In his Cyber Security Legislative Proposal, President Obama has included voluntary information sharing with industry, states, and local government as one of the key methods for protecting the security of the United States (US) digital infrastructure (whitehouse.gov, 2011).
Finally and most importantly, governments can and may enact laws which control how companies respond to data breaches. At present, a number of US states and some of its territories have enacted data breach laws, which dictate who must comply with the law, what constitutes a breach, and the requirements for notice, along with exemptions (ncsl.org, 2015). At the federal level, the proposed Data Security and Breach Notification Act of 2015 requires entities that own or possess data in electronic form containing personal information to notify affected individuals and a designated government entity (FTC, Secret Service, FBI, Attorney General, etc.) no later than 30 days after the date of discovery of a breach. In the event of a breach, any individual who intentionally and willingly conceals the fact that a breach occurred and there is damage greater than $1000 may be fined and/or imprisoned for not more than 5 years (congress.gov, 2015).
In the long term, hacks like Target's will cause both individuals and companies to place more attention on cyber security. Companies, though, will be the ones that ultimately need to make the investments to secure our personal data. The world is becoming more networked and big data is the ultimate objective for most of these companies. The more data they have, the more companies can predict your next move. However, how they protect this data will be the ultimate concern. Action by governments is needed to ensure that all companies respond consistently whenever a breach occurs.
References
congress.gov. (2015, January 13). S.177 - Data Security and Breach Notification Act of 2015. Retrieved from https://www.congress.gov/bill/114th-congress/senate-bill/177/text
corporate.target.com. (2014, April 29). updates on Target’s security and technology enhancements. Retrieved from corporate.target.com: https://corporate.target.com/discover/article/updates-on-Target-s-security-and-technology-enhanc
corporate.target.com. (n.d.). data breach FAQ. Retrieved from corporate.target.com: https://corporate.target.com/about/shopping-experience/payment-card-issue-faq
ibisworld.com. (2014, August). Cyber Liability Insurance in the US: Market Research Report. Retrieved from ibisworld.com: http://www.ibisworld.com/industry/cyber-liability-insurance.html
ncsl.org. (2015, December 1). Security Breach Notification Laws. Retrieved from http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
Ponemon. (2015). 2014: A Year of Mega Breaches. Ponemon Institute LLC.
Target Corporation. (2015). Annual Report. Minneapolis.
whitehouse.gov. (2011, May 12). FACT SHEET: Cybersecurity Legislative Proposal. Retrieved from https://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal