Autopsy of a Data Breach: The Target Case - Case Solution
"Autopsy of a Data Breach: The Target Case" case study looks into the sequence of events that led to the largest breach of confidential data in history when cybercriminals stole 40 million debit and credit card numbers and other personal information of millions of customers.
Case Questions Answered
- Summarize the timeline and key chain of events in the data breach at Target and describe the links that completed the chain causing the explosion.
- What lessons can be learned from Target, and how can these lessons be leveraged by risk managers in other organizations?
- In your own words, explain the concept of Operational Risk as it relates specifically to technology.
- Define and explain the key attributes of the IMF's measures to strengthen resilience to cyber risk.
- How would you apply the IMF framework relating to measures to strengthen resilience to cyber risk in the Target case?
Summarize the timeline and key chain of events in the data breach at Target and describe the links that completed the chain causing the explosion.
The data breach at Target stemmed partly from the retailer's failure to appropriately separate the systems handling sensitive payment card data from the rest of its network.
Hackers broke into the retailer's network using login credentials taken from a heating, ventilation, and air conditioning company that worked for Target at several locations (Sidel & Dan, 2013).
The Fazio credentials gave the attackers the access they needed to operate on the Target network undetected and to upload malware to the company's POS systems. They managed to steal data for about 40 million credit and debit cards.
The company seemed to have allowed third-party access to its networks, but it failed to appropriately secure access to the systems.
Target gave Fazio access, but it should have segmented its networks to make sure that neither Fazio nor anyone else had access to the payment systems (Sidel & Dan, 2013).
What lessons can be learned from Target, and how can these lessons be leveraged by risk managers in other organizations?
The Target data breach can be considered a watershed event that put the spotlight on the security of payment cards. Several lessons can be learned from it, and managers in any organization should consider them seriously.
To begin with, one of the lessons is that…