TARGET BREACH 2013

TARGET BREACH 2013

11

A Case Study on Target Corporation Breach in 2013

Crisis Communications and Media Relations
Meliah Michael

TARGET BREACH 2013

TARGET BREACH 2013

As the Internet has become a prominent medium in society, it is common for corporations to
store information via cyberspace. Customers names, account numbers, expiration dates and card
verification values (CVV) are gathered from the magnetic strips on the backs of debit and credit
cards. Mallory Duncan, the spokesperson for the National Retail Federation, states that the cards
themselves are fundamentally fraud-prone, utilizing technology created in the 1960s to combat
hackers who use tools from the 21st century (Whitaker, 2014). Cyber-criminals breach into corporate
systems and steal stored customer information to create new cards and sell them on the black market.
Dave DeWalt, the CEO of FireEye, a cybersecurity company, states:
Even the strongest banks in the world banks like JPMorgan, retailers like Home Depot,
retailers like Target can't spend enough money or hire enough people to solve this problem.
Nearly every company is vulnerable97% of all companies are being breached (Whitaker,
2014)
Cyber-theft is the inevitable result of modern societys dependence on technology; businesses of any
size are at risk for a breach in confidentiality (Whitaker, 2014). By analyzing the Target Corporation
hack of 2013, the understanding of its crisis stages, press coverage, social media and spokespersons
presence will dictate the effectiveness of competent crisis communication.
Prominence of Cyber-Criminality
Corporate hacks have become widespread, exposing customer and employee private
information from thousands of companies over the past several years. The New York Times,
JPMorgan, NASA, the Federal Reserve and Apple are among the businesses that experienced
significant cyber breaches in 2013 (Albanesius, 2013). From North Koreas official Twitter account
to the Emergency Alert System, 2013 was regarded as the Year of the Hack (Osnos, 2013) before
its predecessor took the title with several multimillion dollar breaches in 2014 (Tobias, 2014). Target
Corporation, a merchandise retailer recognized as a leader in innovation, experienced one of the

TARGET BREACH 2013

TARGET BREACH 2013

33

largest retail breaches to date on November 27, 2013 (McGrath, 2014). A sophisticated security
breach leaked up to 70 million customers credit and debit card information, affecting approximately
one-third of Americas consumers (McGrath, 2014).
History of Target Corporation
The first Target store opened in 1962 and from its beginning they were dedicated to their
missions statement, providing the one-stop shopping experience at competitive discount prices
(Target, 2015). Fifty-three years later, Target Corporation is considered an upscale discount retailer
that provides high-quality, on-trend merchandise at attractive prices in clean, spacious and guestfriendly stores. Target is the second largest merchandise retailer in America and target.com is
ranked as one of the most visited retail websites (Target, 2015). Target is committed to providing
higher-class products for the middle class family through its Expect More. Pay Less brand promise
(Target, 2015). In addition, they donate 5% of the company income to a number of charity programs,
accumulating four million dollars a week dedicated to the improvement of child education (Target,
2015).
History of the Data Breach
ShopperTrak found that in 2012, 507.67 million people participated in Black Friday, spending
more than $400 a piece on door-busters sales (Fox, 2012). Every year retailers are expecting to reach
record high sales, and 2013 was no different. Every time a Target consumer used their debit, credit or
Target RED bonus card, their full name, email address, card numbers and CVV codes were allegedly
was encrypted, protected by FireEyes secure detection system and monitored by a team of experts
(Clark, 2014). However, the team dismissed FireEyes alarms, thus exposing 40 million customers
information to fraud from November 27 to December 15 (Clark, 2014). On December 13 and 14,
Target executives met with the U.S. Justice Department and hired a third-party forensics team to
investigate the system breach. They hoped to find digital footprints, but the cybercriminals are still

TARGET BREACH 2013

TARGET BREACH 2013

anonymous today. On December 15, Target confirmed that there was an infiltration and that the
criminals implanted a malware virus that potentially stole customers payment and credit card data.
Target attempted to remove all of the viruses from the registers in U.S. stores. However, the public
remained unaware of the breach until KrebsOnSecurity, a distinct investigative blog that researches
and detects illegal cyber activity, reported the infiltration on December 18. By the next day, Targets
website and customer service hotlines were jammed with angry, confused customers. Target
publically acknowledged the infiltration after failing to inform its customers before its exposure on
the Internet. The release was vague and relatively uninformative, telling its customers the crime was
under investigation (Krebs, 2013). The next day, Target announces that very few credit cards were
compromised, giving the public false hope as close to 70 million customers were affected. Following
this announcement, JPMorgan Chase & Co. placed daily limits on withdrawals and spending for its
credit and debit card users affected by the Target breach.
As the Christmas season was rapidly approaching, transactions at Target fell three and four
percent, with its reputation plummeting as well. Forbes expressed that people genuinely liked Target,
but by leaving the public uniformed, they risked the viability of their Christmas season (Kosner,
2013). It was not until January 10, Target announced that its previous customers safety estimate was
undervalued, misjudging the seventy million cards affected (Kosner, 2013). As a result of this
miscalculation, the company lowered their forecast for their fourth quarter (Clark, 2014). By January
22, Target downsized its Minneapolis location by 475 employees, beginning the onslaught of
thousands of layoffs of Target employees across the country. By early February, the costs associated
with the breach topped $200 billion and by early March, Target allowed it employees to wear jeans
and polos in an effort to boost morale after layoffs and the sale-killing data breach (Kosner, 2013).
The backlash continued into late 2014, forcing Target to close all of its 133 stores in Canada and
laying off 17,000 employees. This loss proved detrimental to Targets leadership as well. The long-

TARGET BREACH 2013

time Target veteran and CEO resigned in May 2014. The corporation carefully explained Steinhafels
TARGET
BREACH
2013their appreciation for his years of service in their May statement:
5
resignation
and
expressed
He held himself personally accountable and pledged that Target would emerge a better
company. We are grateful to him for his tireless leadership and will alwaysconsider him a
member of the Target family (OConner, 2014).
Today, Targets business and reputation struggle to regain from this massive cyber-breach. From
shelf stackers to CEOs, Target represents the damaging nature of insufficient corporate-wide action
and communication.
Crisis Stages: Planning and Prevention
Major retailers are required to hire outside security firms to test their computer security and
must meet an additional 400 requirements that include installing firewalls, updating antivirus
software and ensuring that credit card readers remain secure (Braintree, 2008). Critics, however,
question the effectiveness of these guidelines as they fail to address key issues in major corporations
security. (Finely, 2014). Audits are conducted once a year and often fail to provide a broad enough
perspective regarding merchants security, creating a huge conflict of interest (Litan, 2014). Target
recognized this weakness and integrated their own security in hopes to fill in the inconsistencies
noticed by the professionals (Clark, 2014). Spokeswomen Molly Snyder said Target had recently
invested hundreds of millions of dollars in data security, had a robust system in place, and had
recently been certified as PCI-compliant (Schwartz, 2014). Recognizing that an adaptive predator
requires extensive preparation, Target anticipated cyber activity by investing $1.6 billion in FireEye,
a leading cyber security network (Target, 2015).
Crisis Stage: Signal Detection
It is argued that the Target crisis was not a matter of ill-preparedness, but a failure to act.
Reuters, an international news agency, released a statement that Targets security staff took no

TARGET BREACH 2013

immediate action when the corporations security software detected potentially malicious activity
(2014). On November 30, FireEye detected the initial infection of Target's payment system, setting
off five "malware.binary" alarms, each graded at the top of FireEye's criticality scale. These
prodromes where seen by Targets information security teams in their two headquarters in
Minneapolis, Minnesota and Bangalore, India. The companys indecision proved to be the first
crippling mistake of the Target crisis of 2013. Molly Snyder summarized and partially justified their
inaction via email:
"Like any large company, each week at Target, there are a vast number of technical events
that take place and are logged. Through our investigation, we learned that after these
criminals

entered our network, a small amount of their activity was logged and surfaced to our

team, that

activity was evaluated and acted upon. Based on their interpretation and evaluation of

that

activity, the team determined that it did not warrant immediate follow up. (Schwartz, 2014)

If the security team had reported the malware.binary alarms initially, the outcome could have been
different; however, upon their success with Target, the same group of cyber criminals proceeded to
infiltrate Home Depots system in 2014(Lawrence, 2014). These hackers proved to be an elite
collection of cyber professionals and would have adapted to the earlier detection. Therefore, the
differences between outcomes would most likely have been limited (Schwartz, 2014).
Crisis Stage: Recognition
Target Corporation publicly acknowledged the breach on December 19, 2013, three weeks
after customer information was first stolen on Black Friday and one day after KrebsOnSecurity, a
trusted investigative website, informed the public. Even after their delayed response, Target struggled
to adequately address the issue. When asked for specifics during the immediate days following the
announcement, Molly Snyder repeated that Target typically doesnt comment on pending litigation
(Wallace, 2013). This atypical behavior proved to be damaging to Targets honest, transparent

7
TARGET
BREACH 2013

reputation. Customers were confused and frustrated, gathering answers from sources like The Wall
Street Journal, Forbes and KrebsOnSecurity, rather than from Target itself (Wallace, 2013). Upon
the announcement, Target offered affected customers a free credit monitoring service and
implemented a 10% store-wide discount for the following Saturday and Sunday. Despite their efforts,
Consumer Growth Partners reported that Target customers transactions declined in comparison to
the same weekend in 2012 (Parrot, 2013).
Crisis Stage: Containment
Major banks and card issuers were alerted of the situation and asked to monitor activity and
report suspicious spending. JPMorgan limited the amount customers could withdraw from ATMs as
well (Riley, 2014). When Target found the malware shortly after the initial breach, they extracted it
as quickly as possible but failed to grasp its immensity (Target, 2015). Due to the lack of
communication in the beginning, Target struggled to contain the explosive behavior of the media.
They attempted to contain panic by providing credit monitoring tools, FAQs and a customer service
hotline (Target, 2015). They also created a series of segmented clips of the CEO walking customers
through the specifics of the breach. Their measures were helpful but not entirely successful as the
Target breach affected 33% of American consumers (McGrath, 2014).
Crisis Stage: Recovery
Since the breach in November 2013, Targets sales and reputation have encountered several
obstacles. Their leadership, financial stability and their relationships with the media and the public
are stressed as Targets integrity is waning. They have laid off approximately 19,000 workers and
closed all 133 Canadian locations in 2014 (McGrath, 2014). CEO, Gregg Steinhafel and CIO, Beth
Jacob resigned in 2013 in light of the crisis, proving that the situation was more taxing and costly
than originally anticipated. Since 2013, the company has transitioned between three CEOs. The
interim CEO, John Mulligan filled the position until Brian Cornell was elected as the permanent

TARGET BREACH 2013

board chairman and CEO of the company in August (Malcom, 2014). Target is also charged with 90
lawsuits and a $10 million settlement (Farivar, 2014). Some experts say this is small change
compared to how deeply the breach affected American consumers, but more signifigantly, it is a
matter of customer and employee loyalty, not legal embezzlement. Customers are providing the
profit; therefore, without their support, Target can no longer function (Farvivar, 2014).
As a result of the lawsuits, Target has implemented several security measures that will aid in
the prevention of future attacks: they appointed a chief information officer; they keep a written
information-security program, documenting all potential crisis risks; and they educate employees
about the importance of safeguarding personal information (Associated Press, 2015). Ideally, these
elements would have been available pre-breach in a crisis kit; however, Targets insufficient
preparation stifled its ability to act in the crisis.
Crisis Stage: Evaluation
It is expected that Target will fully recover and proceed to the evaluation stage of crisis
management. However, the breach cost close to one billion dollars (PYMNTS, 2014) and according
to Steve McKee recovering from the data breach is not the same thing as achieving the lofty heights
in consumer affection that Target once had (2015). In response to this, Brian Cornell stresses their
dedication to regaining their customers trust through multiple statements. He believes that Target is
fully immersed in the evaluation stage:
A year ago, we were in the recovery mode, working to repair guest relationships following
the data breach while we undertook an assessment of the long-term prospects for our
Canadian

business. Fast forward to today and weve ended the year with the data breached fully

behind us and that weve made tough decision to execute the Canadian business. (PYMNTS, 2015)
In order to adequately evaluate the crisis, Target must address every issue in which they fell short and
rate their impact. Immediate and transparent communication were the most damaging elements of

TARGET BREACH 2013

Targets approach to the breach in late 2013; however, as this crisis was an extensive issue, the
evaluation must be as well. It is the job of the newly established leadership to uncover the core issue:
what was the reason they struggled? How did this go wrong? When did it all fall apart? Critical,
analytical questions are the only solution to an enhanced outcome.
Press Coverage Analysis
During the initial weeks of the breach, Targets spokeswoman Molly Snyders single quote,
typically doesnt comment on pending litigation was used against the company on multiple,
prominent websites. Fueling the publics confusion and outrage, this quote acted as a reason for the
condemning tone many of the websites involved enacted throughout the process (Fox, Stark &
Reuters). Specific information is arguable in this case; however, all coverage emphasizes the
negativity of the situation. Finding hopeful installments of this situation is rare, but McKee WallWork and Company, an innovative business dedicated to the betterment of society, are sure there
remains hope for a reputation-healing recovery (McKee, 2015). The websites, blogs and other reports
maintained by common middle-class workers tend to be more condemning. These men and women
are more likely to have been directly affected by the breach, and are expressing their opinion via the
internet. Newspapers such as the Wall Street Journal, The Washington Post and The New York Times
were negative as well. However, their tone was more reserved and informational due to their ability
to cover multiple crises around the area.
In addition to print, professional news websites and broadcasters had varying opinions on
how Target handled the breach. Overall, the news networks conducted themselves as if Target was
directly responsible for the millions of compromised cards. Bloomberg Newsweek utilized an
informal tone and exceptionally negative titles of their website and magazine to voice their
frustration towards Target during the early stage of its crisis (Riley, Elgin & et al, 2014). A southern
California news network, KTLA 5 condemned Targets actions through their article, Target Hack

10

TARGET BREACH 2013

Settlement: Victims Could Get Up to $10,000 (CNN Wire, 2015). They based their news story on
Snyders typically doesnt comment on pending litigation, and continually considered all Target
customers victims. ABC 7 and TIME questioned the validity of Targets release and developed
broadcasts entitled How to Save Your Money.
Throughout the crisis stages, Target received very little positive press coverage. Huffington
Posts article, Target To Pay $10 Million To Settle Lawsuit From Massive Data Breach, was among
the few articles to recognize the companys ability to return to the retail market as a fully recovered
organization. Huffington Post reassured its publics by emphasizing Snyders more affirming
comments: We are pleased to see the process moving forward and look forward to its resolution
rather than the plethora of other less reassuring comments. (Reuters, 2015). Additionally, CNN
Money articles remained neutral despite the delivery of bad news. By remaining neutral, CNN
Money was capable of providing the unbiased statistics throughout several milestones during the
crisis. They presented the breach in a reliable, objective tone that adequately informed its publics.
Spokesperson Analysis
Initially, Molly Snyder was as uncommunicative towards the public as was Target itself. As
the company decided how to handle the breach, their customers were left uninformed and angry.
Many customers learned of the breach through an article on KrebsOnSecurity, justifying what would
seem like a dishonest corporate scam. This created tense relationships between Target and its publics,
and Snyder was attacked. Her inaction was arguably due to the lack of communication between work
divisions; however, her preliminary response was cryptic and she acted as though her employer had
something to hide.
Communication slowly progressed and today, target.com is equipped with adequate FAQs,
hotlines, videos, snapshots and links to further aid in the understanding of the breach. Target is
adequately prepared for a crisis (Target, 2015). However, it is apparent, that this is a recent

11

TARGET BREACH 2013

development. Target took too long to address this communicative weakness and it reflects in their
spokeswomans responses and in the publics opinion.
Recommendations
They failed to adequately address the breach in a timely fashion and risk losing 5% of their
customers resulting from distrust and anxiety. They needed to publically acknowledge the situation
days before KrebsOnSecurity released the information. In order to do this effectively, adequate
communication should have been a priority. The Dominant Coalition should have been more readily
involved in the development of a crisis plan years before the breach occurred. It is also
recommended that Target continues to stress its diligence toward regaining their publics trust. They
must prioritize their customers safety and emphasize their dedication upon entering the new era as a
recovered corporation. In order to do this effectively, they must combine action with preparation and
information with solutions. They can only improve from the breach, as they did very little right, and
if crisis returns, they will be adequately prepared with a crisis kit, trained employees and solid
relationship with the media and its publics.
Conclusion
Target Corporation is a well-known merchandise retailer that offers top-of-the-line products
for middle-class families. They are recognized as a leader in innovation and are considered the
second largest retailer in the United States. However, the nationwide breach of 2013 began to
corrode this image. Their inaction and poor communication further damaged their once honest,
transparent relationship with the public. As a result, thousands of people were laid off and leadership
shifted. The hack was not cataclysmic, but it was damaging to Targets integrity, image and bottom
line. Their preparation and execution will dictate the success when faced with future crises. This can
be the start of a new era for business at Target Corporation or the beginning of the end for the
merchandise giant.

12

TARGET BREACH 2013

References
Albanesuis, C. (2013, December 13). Target and the 10 Biggest Hacks of 2013.
Farivar, C. (2014, March 19). Targets $10M settlement in data breach lawsuit.
Finley, K. (2014, April 17). It's Time to Encrypt the Internet
Fox, G. (2012). Black Friday 2012 Values: ShopperTrak
Gitonga, D. (2013, March 12). A Timeline of Companies That Have Been Hacked In 2013.
Krebs, B. (2013, December 18). Krebs on Security - Target Investigating Data Breach.
Lawrence, D. (2014, September 12). Home Depot's credit card breach looks just like the Target hack
Malcolm, H. (2014, September 12). With new CEO, Target ready to move forward.
McGrath, M. (2014, February 1). Target data breach spilled information of 70 million
McKee, S. (2014, May 20). When Will Brand Target Come Out of the Breach?
Osnos, E. (2013, May 28). The Year of the Hack - The New Yorker.
Tobias, S. (2014, December 31). The Year of the Cyberattacks
Parrot, A. (2013, December 23). 40 Million Target Customers Hacked
PCI DSS Compliance Basics. (2008, May 23).

TARGET BREACH 2013

PYMNTS, (2015, February 27). How much did the Target, Home Depot breaches really cost?
Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Target Missed
Warnings in Epic Hack of Credit Card Data.
Schwartz, M. (2014, March 14). Target Ignored Data Breach Alarms.
Smith, G. (2014, October 24). Why Credit Card Companies Couldn't Stop Hacks At Target and
Home Depot.
Target (2015, January 1). Corporate: Social Responsibility, Careers, Press, Investors.
Vaas, L. (2014, March 6). Target CIO Beth Jacob resigns in breach aftermath.
Wallace, G. (2013, December 23). Target credit card hack: What you need to know.
Wallace, J. (2015). Lawsuits piling up on Target over hack.
Whitaker, B. (2014, November 30). What happens when you swipe your card?

13