Cyber Breach at Target Case
Target Data Breach
Group 6 (Sec-G)
COMPANY BACKGROUND
❏ Parent company - Dayton Company
❏ Started in 1962
❏ USP - quality goods at low prices
❏ Slogan - “Expect More. Pay Less.”
❏ Products include electronics, household products, apparel, groceries
❏ As of November 2013 - 1,919 stores (1,797 in the US, 122 in Canada)
THE CYBER BREACH TIMELINE
Nov 12: Attackers first breach the Target network
Nov 30: POS malware fully installed
Dec 15: Attackers lose their foothold in the Target network
How did they do it?
Source : https://arxiv.org/pdf/1701.04940.pdf
Kill Chain Analysis
Two-step authentication
LITIGATIONS
Individual Customers
● Informed late about the PIN compromise
● Direct money stolen, higher interest rates, cost of hiring legal help, reduced credit score
● Settlement deal covering 61m people; each could recover up to $10,000
Banks
• Visa had alerted retailers about RAM scraper malware
• Negligent in providing data security
• Credit cards – FACTA Red Flag Rule violation
• Additional costs – reissuing cards, reimbursing customers, added staff
• Visa – $67m, Mastercard – $40m
• Total settlement – $290m
• Insurance – $90m
LOSS DUE TO BREACH
BOARD ACCOUNTABILITY
❏ BOARD MEMBERS - CEO Gregg W. Steinhafel and 10 members
❏ COMMITTEES - Audit, Corporate Responsibility (CR), Compensation, Finance, Nominating & Governance
❏ Shareholders filed lawsuits against all BoD members, and against the CEO, CFO, CIO Beth M. Jacob, and the chairs and members of the Audit and CR committees.
AGAINST BoD
1) Breach of fiduciary duty to protect consumer data
2) Waste of corporate assets due to negligence
3) Disregard for disclosure procedures and risk assessment processes
● The Audit and CR committees should have closely monitored the risk to brand value and firm reputation
● Qualifications of the CIO required for the post
IN FAVOUR OF BoD
1) Lack of evidence of intentional misconduct
2) Protected by the firm’s Articles of Incorporation
3) The role of directors is to oversee, not to run day-to-day management
● “Corporate cybersecurity breaches could be managed but not prevented”
● The directors were re-elected despite the ISS recommendation to vote them out
KEY LEARNINGS
● Executives should take cybersecurity seriously throughout the organization.
● Periodic (quarterly, semi-annual or annual) security assessments can reduce the residual risk of a security breach.
● Reviews alone are not enough: solid working relationships between executives and the Chief Information Security Officer (CISO) were the most effective measure in this case.
KEY LEARNINGS
• A strong CISO role alone does not suffice; proactive engagement of the senior executives is what delivers real results in the organization.
• Retailers may be held liable for breaches.
• Network segmentation is necessary.
• The CISO should also be included early in new business initiatives.
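The "network segmentation is necessary" learning is easier to act on when the policy can be checked rather than just drawn. The following is an added example, not code or a diagram from the original slides, and the zone names and rules in it are constructed for illustration (they are not Target's real topology). It models two zone-level firewall policies, a flat one and a segmented one, and performs a transitive reachability check: each hop assumes the attacker compromises a host in the newly reached zone and pivots from it, which is what lateral movement from a low-trust entry point towards POS systems looks like in the timeline above.

```python
"""
Zone-level reachability check for a network segmentation policy.

Added example, not from the original slides. Zone names and rules below
are constructed for illustration and are NOT Target's actual network.
Everything not explicitly allowed by a rule is denied.
"""
from collections import deque

# Each rule: (source_zone, destination_zone, allowed_tcp_ports); "*" = any port.
FLAT_POLICY = [
    ("vendor-portal", "corporate", "*"),  # vendor access lands on the flat corporate LAN
    ("corporate", "corporate", "*"),
    ("corporate", "pos", "*"),            # nothing separates store POS from corporate
    ("pos", "internet", "*"),             # POS hosts may talk straight out to the internet
]

SEGMENTED_POLICY = [
    ("vendor-portal", "vendor-dmz", {443}),   # vendors reach only their own app tier
    ("corporate", "corporate", "*"),
    ("corporate", "pos-mgmt", {22}),          # admins go through a jump zone, not to POS directly
    ("pos-mgmt", "pos", {22}),
    ("pos", "payment-gateway", {443}),        # POS egress pinned to the payment processor
    # deliberately absent: vendor-* -> pos, corporate -> pos, pos -> internet
]


def _graph(policy):
    """Adjacency map of zones: src -> set of zones some rule lets it reach."""
    graph = {}
    for src, dst, _ports in policy:
        graph.setdefault(src, set()).add(dst)
    return graph


def allowed(policy, src, dst, port):
    """True if some rule permits src -> dst on this TCP port (default deny)."""
    return any(s == src and d == dst and (ports == "*" or port in ports)
               for s, d, ports in policy)


def find_path(policy, start, target):
    """Shortest zone-hop path an attacker could pivot along, or None if unreachable.
    Breadth-first search over the zone graph; a hop means 'compromise a host in
    that zone and use it as the next pivot'."""
    graph = _graph(policy)
    parent = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target and zone != start:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for nxt in graph.get(zone, ()):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None


def reachable(policy, start):
    """All zones reachable from `start` transitively, excluding `start` itself."""
    graph = _graph(policy)
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in graph.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def check_segmentation(policy, entry_zone="vendor-portal", crown_jewel="pos"):
    """Return (ok, detail): ok is False when the low-trust entry zone can pivot
    to the crown-jewel zone or the crown-jewel zone can reach the internet."""
    path = find_path(policy, entry_zone, crown_jewel)
    exfil = "internet" in reachable(policy, crown_jewel)
    ok = path is None and not exfil
    return ok, {"pivot_path": path, "pos_reaches_internet": exfil}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        ok, detail = check_segmentation(policy)
        print(f"{name:10s} ok={ok} {detail}")
```

Running it shows the flat policy failing on both counts (a vendor-portal foothold pivots through corporate into pos, and pos can reach the internet), while the segmented policy passes: the only zone a vendor can reach is vendor-dmz, and the only egress from pos is the payment gateway. Real firewalls need host- and port-level rules, but the zone-graph check is the right first question to ask of any proposed design.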
THANK YOU !!!