Tuesday, July 29, 2014

Target’s Devastating Information Security Incident




On December 19, 2013, Target Brands, Inc., one of the world’s largest retailers, announced a breach in customer data security affecting more than 40 million, and as many as 70 million, customers from 1,797 of the company’s US stores (Riley, Elgin, Lawrence, & Matlack, 2014, and Isidore, 2014). Information including customer names, addresses, email addresses, phone numbers, and credit card data was compromised by malware installed in Target’s security and payments system (Wallace, 2013, and Isidore, 2014). This was a devastating instance of hacking and computer crime committed against the company and its customers, and was especially damaging since it occurred during the holiday season. It resulted in negative impacts to Target’s relationships with customers, as well as its future earnings.

Any business conducting online transaction processing should consider information security one of its top priorities.  Keeping business information, supplier information, and customer information secure is key to running a successful business and maintaining good relationships with business partners.  According to O’Brien and Marakas in Management Information Systems, “Effective security management can minimize errors, fraud, and losses in the information systems that interconnect today’s companies and their customers, suppliers, and other stakeholders” by integrating a variety of methods and tools to protect a company’s information system resources (O’Brien and Marakas, 2010).  Target Brands, Inc. had security management tools in place, and had begun installing $1.6 million in malware detection tools just six months prior to the discovery of the data breach (Riley, Elgin, Lawrence, & Matlack, 2014).  Unfortunately, there were holes in Target’s information management system that gave hackers the ability to infiltrate security measures and steal sensitive information.

According to Riley, Elgin, Lawrence and Matlack in “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” the new malware detection system installed by Target had registered alarms of potential malware threats two weeks before the breach was discovered (2014). These alarms, however, went unaddressed because an option in the software to automatically delete malware as it is detected was turned off (Riley, Elgin, Lawrence, & Matlack, 2014). According to a quote in the article from Edward Kiledjian, chief information security officer for Bombardier Aerospace, this is not an unusual practice for businesses, as their IT security teams want the ability to make the final decision on what to do (Riley, Elgin, Lawrence, & Matlack, 2014). In this instance, Target’s security team failed to recognize the alarms and potential threat, which caused trouble for the company and its customers. Ultimately, however, it was the company’s decision not to let the anti-malware software do what it was designed to do, deleting the incoming malware when it was uncovered, that led to devastating consequences.

Target is accused of failing to employ “reasonable and appropriate security measures to protect personal information” (Wallace, 2013), which is an ethical responsibility the company has to its customers. The company reportedly spent $61 million responding to the breach in the first quarter of 2014, and saw a 46% decline in sales for the 2013 holiday season compared to the same quarter in 2012. Since the attack, Target has taken measures to regain trust from its customers and to ensure the company is doing what it can to prevent another catastrophic incident. The company stated that customers would not be liable for the cost of any fraudulent charges, and it has promised to help lead the transition from magnetic-stripe credit cards to cards with embedded chips by spending $100 million on upgrades to cash registers and other technology that read the new cards (Riley, Elgin, Lawrence, & Matlack, 2014). The new chip-embedded cards provide heightened security to card holders compared to the magnetic-stripe cards currently used in the US (Biersdorfer, 2014). Target also offered a year of free credit monitoring and identity theft protection to all customers who shopped in its US stores, as another way to rebuild trust (Isidore, 2014).

References:

Biersdorfer, J. (2014, June 9). The Shift to Safer Chip-and-PIN Credit Cards. The New York Times. Retrieved July 29, 2014, from http://www.nytimes.com/2014/06/06/technology/personaltech/the-shift-to-safer-chip-and-pin-credit-cards.html?_r=0

 

Isidore, C. (2014, January 11). Target: Hacking hit up to 110 million customers. CNNMoney. Retrieved July 29, 2014, from http://money.cnn.com/2014/01/10/news/companies/target-hacking/

 

Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. Bloomberg Business Week. Retrieved July 29, 2014, from http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

 

Wallace, G. (2013, December 23). Target credit card hack: What you need to know. CNNMoney. Retrieved July 29, 2014, from http://money.cnn.com/2013/12/22/news/companies/target-credit-card-hack/
