Question

In today’s technology environment, hackers present a substantial risk to a firm’s accounting or business system. As the result of these attacks, firms suffer huge losses, ranging from financial losses to losses in confidence by consumers, creditors, and suppliers. Firms may have made a significant investment in financial and non-financial resources to secure these systems.

evaluate the level of responsibility of Target in terms of the effectiveness of the response to the security breach. Provide support for your rationale.

Please include any references used

Answer 1

Data has become one of the most critical components of an enterprise in this digital era. Data breaches or data leakage is the international or inadvertent exposure of confidential informations to unauthorized parties. It is causes serious threats to any organisations like risk to company's reputation,stock price,risk to brand name,customers,partners and even its employees.

The second largest security breach case happened to America's favorite store ''Target''. At the end of 2013, amid the holiday shopping season, Target became a victim of a security breach affecting over 70 million customers. Through this breach all the credit and debit card information along with personal information(names,addresses,phone number,e-mail addresses) also taken.Many customers were outraged about the retailer’s inability to provide information after the breach, and its failure to assure customers that the issue was resolved.

On November 30, 2013, security operations personnel in Bangalore, India, received a notification from their malware detection software that some potentially malicious activity was recorded on the network. The alert was shared with security personnel in Minneapolis, but no further action was taken. Another alert was raised on December 2, 2013, but again no action was taken . It was not until December 12, 2013, when the U.S. Department of Justice contacted Target about a possible data breach on their network, that Target began investigating the issue in earnest. The Federal Bureau of Investigation (FBI) and the Secret Service joined the investigation as well. While no public disclosure was made at the time, the independent security researcher and blogger, Brian Krebs, posted information regarding a possible breach of the Target network on December 18, 2013.

Further investigation revealed that there were no major obstacles to accessing point of sale (POS) terminals across the entire network once inside the internal Target network. This lack of network segmentation could allow any malicious user the ability to traverse the network and attempt to access various devices ranging from point of sale terminals to mission critical back-end systems.

The audit team also found significant problems with enforcement of password policies. Target maintained a password policy that included industry-standard practices, however investigators found multiple files stored on Target servers that included logon credentials for various systems.The use of weak passwords was apparently rampant within the Target infrastructure. Investigators also identified significant issues related to the maintenance and patching of systems also responsible for data breach.

After the Data Breach:-

The breach had affected the store traffic and sales. Its fourth-quarter profits were down to 46 percent compared with the same period the year before. The company had reported a huge expenditure for the investigation and remediation of the security breach. The financial loss is not limited to few months of the year,upto two year target continued to incur costs related directly to the security breach.

Steps Taken By The Company:-

Although it has faced the biggest data breachs in the history it is successfully operating more than 1800 stores in America. The company hired a new chief information officer to oversees the company's technology team and data security after the data breach case. It invested around $100 million to switch to the new system which includes changing its branded credit and debit Redcards, as well as the cost of installing new payment terminals.

Another improvement that Target made was adding chip readers with PIN codes for customers. In fact, Target became the first major U.S. issuer to use chip and PIN credit cards in 2015. The addition of an EMV chip makes a card more difficult and more expensive to counterfeit. However, adding a PIN code on top of the EMV chip makes it even less likely that card information can be stolen and used to make unauthorized purchases.

A Target corporate webpage outlining a number of technical changes made since the attack suggests Target has corrected the network error with improved segmentation and firewall rules and policies.Target lists additional security improvements, including the monitoring and logging of system activity; the installation of application whitelisting on POS systems and POS management tools; limited or disabled network access for vendors; expanded use of two-factor authentication and password vaults; and disabled, reset, or reduced privileges for Target personnel and contractor accounts.

Conclusions:-

We cannot say that the data breach affected only one industry in this case it has affected the organisational system of a country,to the goverment and to its customer and citizens in large. Even though data breaches has become part of our everyday life we should take some measure steps to avoid it.The case of Target can work as a example for the data breach.To protect our business from data breach we have to take some steps such as train our employee regarding the threat,control physical access to your computers and create user accounts for each employee,limit employee access to data and information, limit authority to install software,use of secured Wi-Fi networks,creat strong password and authentication,make backup copies of important business data and information,provide firewall security for your Internet connection,create a mobile device action plan etc.

References:-

Business.com

The New York Times

ZDNet

Digitalguardian.com