J Info Technol Teach Cases (2018) 8:9–23

DOI 10.1057/s41266-017-0028-0

TEACHING CASE

Targeting Target with a 100 million dollar data breach

Federico Pigni1 • Marcin Bartosiak2 • Gabriele Piccoli3 • Blake Ives4

Published online: 16 November 2017

 Association for Information Technology Trust 2017

Abstract In January 2014, the CEO of the renowned U.S. into the shoes of Target executives as they seek answers to
discount retailer Target wrote an open letter to its cus- the above questions.
tomers apologizing for the massive data breach the com-
pany experienced during the 2013 holiday season. Keywords Teaching case
Cyber security
Hacking

Attackers were able to steal credit card data of 40 million Data breach
Target
Information systems
customers and more were probably at risk. Share prices,
profits, but above all reputation were all now at stake. How
did it happen? What was really stolen? What happened to Introduction
the data? How could Target win consumer confidence
back? While the company managed the consequences of On January 13th and 14th, 2014, Greg Steinhafel, Chair-
the attack, and operations were slowly back to normal, in man, President, and CEO of Target, published an open
the aftermath the data breach costs hundreds of million letter to customers (Steinhafel 2014) in The New York
dollars. Customers, banks, and all the major payment card Times, The Wall Street Journal, USA Today, and The
companies took legal action against Target. Some of these Washington Post, as well as in local papers of the firm’s 50
litigations remained unsettled 3 years later. The importance largest markets. In the letter, he apologized for the massive
of the breach lays in its far broader consequences, rippling data breach his company experienced during the 2013
through the U.S. Congress, and raising consumer and holiday season.
industry awareness on cyber security. The case provides
Target learned in mid-December that criminals
substantial data and information, allowing students to step
forced their way into our systems, gaining access to
guest credit and debit card information. As a part of
the ongoing forensic investigation, it was determined
last week that certain guest information, including
names, mailing addresses, phone numbers or email
addresses, was also taken.
& Federico Pigni I know this breach has had a real impact on you,
[email protected] creating a great deal of confusion and frustration. I
1
share those feelings. You expect more from us and
Grenoble Ecole de Management, 12, rue Pierre Sémard, deserve better. We want to earn back your trust and
38000 Grenoble, France
2
confidence and ensure that we deliver the Target
Department of Economics and Management, University of experience you know and love.
Pavia, Pavia, Italy
3
E.J. Ourso College of Business, Lousiana State University, The breach, announced to the public 6 days before
Baton Rouge, LA, USA Christmas, included credit card data from 40 million
4
C.T. Bauer School of Business, University of Houston, customers. It was later discovered that data for another
Houston, TX, USA 70 million customers were also at risk.
10 F. Pigni et al.

Target Inc. By December 15th, the hemorrhaging had slowed to a

trickle, and by the 18th was stopped. By then the data
Target’s chain of discount stores sold low-cost clothing, contained on magnetic stripes of 40 million debit and
items for the home, and—in some stores—groceries. Major credit cards had been copied and, through a circuitous
competitors in the U.S. included Walmart, Kmart, CostCo, route, transmitted to a server in Russia. Almost immedi-
Kohl’s, J.C. Penney and, in Target’s still small but growing ately, customer credit card data surfaced on the black
online segment, Amazon. The first Target store, a low-cost market at Internet ‘‘card shops.’’
subsidiary of the department store chain Dayton Hudson, On December 27th, Target announced that encrypted
opened in 1962; by December of 2014, Target’s 366,000 personal identification number (PIN) data from some cards
employees staffed a network of nearly 2000 stores located had also been scraped. Then, on January 10th, 2014, Target
in the U.S. (1801) and Canada (133). Target’s stores also reported that non-financial data from as many as 70 million
included larger SuperTarget stores, smaller CityTarget additional customers had also been stolen from Target
stores, and still smaller Target Express stores. In 2014, servers; included were names, addresses, phone numbers,
Target reported revenues of USD 73 billion. and email addresses. Because of duplicates between the
Headquartered in Minneapolis, Target differentiated two sets of data, the total number of customers affected
itself from low-cost competitors by offering Target brands, was approximately 100 million.
exclusive deals with other brands, quality and trendy
goods, as well as fashion items from well-known design-
ers—all at modest prices; Fortune magazine characterized Data breaches
Targets merchandising focus as ‘‘Cheap and Chic’’ (Wahba
2014). The Identity Theft Resource Center (ITRC) defines a data
breach as (ITRC 2015, p. 2):
An incident in which an individual name plus a
The breach
Social Security number, driver’s license number,
medical record or financial record (credit/debit cards
Target announced the data breach (see Exhibit 1), one day
included) is potentially put at risk because of
after an independent reporter and investigator of Internet
exposure.
security, Brian Krebs, broke the story on his blog:
Data breaches were classified in several ways. Breaches
…Target is investigating a data breach potentially
could be criminal or accidental, carried out by insiders or
involving millions of customer credit and debit card
outsiders, computer-based or manual. The external, com-
records… According to sources at two different top
puter-based, criminal variety often involved changes to, or
10 credit card issuers, the breach extends to nearly all
tapping into, the network, computer, or terminal hardware
Target locations nationwide, and involves the theft of
(called skimming). For instance, fake ATM fronts or card
data stored on the magnetic stripe of cards used at the
readers were surreptitiously attached to ATM machines; or,
stores (Krebs 2013).
for as little as USD 1000 an ATM could be acquired and set
For several days prior to Kreb’s posting, banks had up as a honey pot for capturing unencrypted data from
witnessed an uptick in illegal card activity, with a legitimate cards (Satanovsky 2011). An alternative
disproportionate number of those transactions traceable to approach, called RAM or Memory Scraping (Zetter
card numbers recently used by Target customers. The 2014), required the use of software tools, either malware
banks notified the Federal Bureau of Investigation (FBI). or legitimate software employed in an illegitimate manner
The U.S. Department of Justice (DOJ) alerted Target on the on customer facing devices including ATMs, POS, or even
evening of December 12th. The following day, DOJ and consumers own computers or phones. Scraping, unlike
U.S. Secret Service personnel met with Target executives. skimming, required no physical access; it could be carried
By December 15th, outside experts, hired by Target, helped out from anywhere in the world, thus lowering the risk to
to discover and remove malware in Target’s point-of-sale the perpetrator, while presenting still greater exposure to
(POS) terminals and on several of the company’s servers. the victims.
On December 16th, Target notified banks and payment The Target data breach was but one of an increasingly
processors (e.g., Visa) that it had been breached. common phenomenon. One compilation (ITRC 2015)
From November 27th onwards, debit and credit trans- identified 781 breaches in the U.S. that exposed 169 mil-
actions from Target’s U.S. store’s point-of-sale checkout lion records in 2015, a significant increase from 498
terminals had been compromised and customer data stolen. reported breaches and 22 million records reported six years
Targeting Target with a 100 million dollar data breach 11

Fig. 1 Evolution of data

breaches in the U.S. (ITRC 900

number of breaches
2016) Banking/Credit/Financial
800
Health/Medical

700 Government/Military

Educational
600 Business

500

400

300

200

100

0
2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015

earlier (Fig. 1). In ten years, the ITRC had identified over other parties when personal data were stolen or compro-
6000 breaches exposing more than 850 million records. A mised; an obligation not all countries were under. These
fourfold increase in a decade, affecting financial services, regulations had the double objective of encouraging firms
business, education, government, and healthcare sectors. to improve their practices and consequently reduce con-
As many breaches went unreported, these were conserva- sumers’ risk.
tive numbers. Healthcare, government, financial, retail, education, and
U.S. firm’s reported having had more than a million technology were the main target sectors for data breaches.
records exposed in the year following the Target breach; In the U.S., 2016 saw an increase in breaches to POS
among them were three retailers: Home Depot, Michael’s systems at several hotel chains and retailers (see Fig. 3).
Stores, and Neiman Markus. In each case, the perpetrators Senior management’s rising concern regarding com-
appeared to have employed tools, and taken advantage of puter and network security were on display in the results of
organizational lapses, in ways similar to Target’s Breach. the 2016 PwC Annual Global CEO Survey, where 61%
Among notable, other victims of data breaches in 2014 percent of the executives interviewed described cyber
were AliExpress (owned by Alibaba.com), American threats and lack of data security as a threat to both national
Express, Korean Credit Bureau, JPMorgan, The U.S. Postal and commercial interests (PwC 2016). Moreover, an even
Service, the U.S. Internal Revenue Service, Rumbler.ru higher proportion (78%) of them considered cyber security
and, perhaps most notoriously, SONY Pictures. technologies to be strategically important for their firms.
In 2016, data breaches were still increasing 15% year on While security became a top priority in CEOs’ agendas
year, and the number of stolen record was growing at twice and a prominent topic in boardroom discussions, the data
that peace (31%), with an average of 3 million records showed that corporations were losing ground in responding
stolen per day. North America (see Fig. 2) was experi- to the threat.
encing the largest number of data breaches, accounting for
almost 80% of the world total (Breach Level Index, 2016). Payment systems and fraud
The United States led the world in data breaches with over
400 million compromised records (70% of the total). The U.S. Federal Reserve Bank reported (Federal Reserve
Europe, the next highest, accounted for 10% of the total Board 2014, p. 41) in 2012 that credit cards made up 21%
breaches with close to 50 million stolen records. The Asia of the total number of non-cash transactions in the US and
and Pacific region was close behind in breaches (8%) but 1.4% of the non-cash value; the corresponding numbers for
far outstripped Europe with 110 million compromised debit cards were 38% and 1% and for checks, 15% and
records (20%). U.S. security breach notification laws and 14.8%. For Automated Clearing House (ACH) transac-
European directives and regulations (e.g., the General Data tions, such as online bill-pay and wire transfers, commonly
Protection Regulation 2016/679) required organizations to used for large, non-retail transactions, the transaction and
disclose and to inform promptly customers, authorities, and value numbers were 18% and 83%. Cash, an essentially
12 F. Pigni et al.

Fig. 2 Data breaches by

country—logarithmic scale 1,000
(authors on Gemalto’s data,
October 2016—http://www.
breachlevelindex.com/data-
breach-database)

Number of breaches
100

10

1
United United New South
Canada Australia India Japan China Israel
States Kingdom Zealand Africa
2016 1008 82 55 34 17 12 7 9 8 8
2015 1370 158 65 45 22 23 21 9 5 5
2014 1259 135 65 34 7 13 12 15 17 4
2013 911 86 30 26 12 13 12 5 8 3

Fig. 3 Data breaches by

industry (authors on Gemalto’s 450
data, October 2016—http://
www.breachlevelindex.com/
data-breach-database)
Number of breaches

300

150

0
Healthcare Government Financial Retail Technology Education Hospitality Other
2016 375 197 169 142 133 122 11 195
2015 445 296 276 238 120 165 1 322
2014 446 289 211 194 138 173 274
2013 342 191 165 97 110 34 262

anonymous payment system, was still the most common ability to tap into U.S. payment systems from other coun-
payment method, constituting 40% of transactions in the tries, particularly those with weak enforcement or no
U.S. (Bennett et al. 2014, p. 3). An average consumer in the extradition treaties with the U.S., further lowered the risk.
month of October 2012 used cash for 23 of 59 payments In 2012, the Federal Reserve reported over 31 million
(Bennett et al. 2014, p. 2). Cash, however, was primarily fraudulent payment transactions with a value of over USD
used for small dollar value purchases, constituting only 6 billion; 26 million of these transactions, and over USD 4
14% of purchases at retail, and averaging USD 21 per billion of value, were from credit, signature-only debit, or
transactions (Bennett et al. 2014, p. 3). At brick & mortar prepaid cash cards. Pin-protected debit cards were far more
stores such as Target, a high, and increasing, proportion of secure, experiencing only 20% of the fraud rates of sig-
purchases were made with credit or debit cards. nature debit cards (Federal Reserve Board 2014).
Payment cards, particularly credit and non-pin protected The biggest vulnerability in card payment systems in the
debit cards and prepaid cash cards, presented tempting, and U.S. was the card’s magnetic stripe. The data written on the
still relatively risk-free, opportunities for criminals. The ‘‘magstripe’’ included the primary account number, the
Targeting Target with a 100 million dollar data breach 13

account holder’s name, the expiration date, a service code Anatomy of the Target breach
indicating the types of charges that could be accepted, and
discretionary data, such as a PIN code. Once compromised, The first victim in the heist was not Target, but Fazio
either by scraping or skimming, these data could be used to Mechanical Services, a provider of refrigeration services to
make online purchases or to legitimate counterfeit cards, Target. The means of attack was uncertain, but likely executed
which could then be used in physical stores. While in-store via a bogus link or attachment as part of an email ‘‘phishing’’
use might seem risky, it did not require a mailing address to broadcast to multiple Target third-party vendors—a list of
collect the ordered merchandise. Moreover, the stolen which was openly available on the Internet. To get inside the
merchandise, mostly electronics or gift cards, could often supplier’s network, the attackers used a malware package
be immediately resold. called Citadel (Olavsrud 2014) and then found and used
‘‘Big Box’’ and discount retailers were particularly Fazio’s credentials to exploit its previously authorized access
vulnerable to payment card fraud and data breaches due to to Target’s computer network. Fazio had access to several
the size of their customer population, their high daily Target systems, including contract management, project
transaction volumes, the liquidity of some of their mer- management and electronic billing. On November 12th, 2013,
chandise, and their customers’ desire for fast and conve- the attackers gained access to Target’s internal network,
nient checkout. Moreover, huge past investments in point- probably by uploading an executable file disguised as a
of-sale check-out devices, as well as the typical customer’s legitimate document attachment through a Web application.
comfort with mag-stripe credit and debit cards, had retar- The name of the uploaded file was apparently chosen to be
ded retailers’ transition to more secure technologies (Geuss similar to that of other files commonly seen on the system.
2015). Once inside Target’s internal network, the attackers
The complexity of the payment network added further sought out logins, passwords, and network diagrams.
vulnerability. The observation of a judge in an earlier data Failing to find credit card credentials on Target servers,
breach case described that complexity and, implicitly, its they instead, apparently patiently and successfully, pene-
consequent vulnerability: trated Target’s POS terminals. Harnessing a computer
account they had created on Target’s network, they
‘‘Every day, merchants swipe millions of customers’
deployed malware to POS terminals that the investigators
payment cards. In the seconds that pass between the
named Kaptoxa (pronounced kar-toe-sha), available for
swipe and approval (or disapproval), the transaction
about USD 2000 on black market Web sites. The software
information goes from the point of sale, to an acquirer
then scraped each unencrypted card as it was read.
bank, across the credit-card network, to the issuer
Between November 15th and 28th, the attackers tested the
bank, and back. Acquirer banks contract with mer-
malware1 on a few of Target’s POS devices. By November
chants to process their transactions, while issuer
30th, the hack was fully installed on almost all POS devices
banks provide credit to consumers and issue payment
and fully operational. That day, the attackers also installed
cards. The acquirer bank receives the transaction
malware to transfer the stolen data to an internal server. This
information from the merchant and forwards it over
data exfiltration malware,2 the file name of which was dis-
the network to the issuer bank for approval. If the
guised to look like a legitimate application, was updated
issuer bank approves the transaction, that bank sends
twice: on December 2nd, and again on December 4th. On
money to cover the transaction to the acquirer bank.
December 2nd, the perpetrators began to transfer data to
The acquirer bank then forwards payment to the
another Target server, one that was authorized for file
merchant.’’ (Rosenthal, 2011)
transfers through Target’s firewall. The data were moved
The judge described a four-party payment system: A from that server to servers outside the U.S., eventually
credit-card network, usually Visa or MasterCard, is a ending up on a server in Russia. Data were moved during
network intermediary between the merchants’ bank (‘‘ac- business hours to hide the illicit activity within an otherwise
quirer’’), the merchant, and the customer’s bank (‘‘issuer’’). busy network traffic.
The alternative, a three-party approach, links three partic-
ipants: the card-carrying customer, the merchant, and the 1
While not definitively linked to the Target data breach, in August of
card issuer (e.g., American Express or Discover). In 2013, 2014 the U.S. Secret Service Identified malware called ‘‘backoff’’ that
82% of card payments went through the four-party system. was first detected in October of 2013 but not detectable by anti-virus
To further the complexity, many merchants relied on solutions until almost a year later. Backoff was estimated to have already
affected over 1000 U.S. Businesses. https://www.documentcloud.org/
outside payment processors for the link between their POS
documents/1279345-secret-service-malware-announcement.html.
devices and acquiring banks. Two of these, Global 2
Data exfiltration is the transfer of stolen data from a compromised
Payments and Heartland Payments, had themselves been system within victims’ network back to the attacker while attempting
major victims of hackers. to remain undetected.
14 F. Pigni et al.

Fig. 4 Rescator’s efficient and user friendly web shopping interface

Stolen card numbers were almost immediately available servers, it was not required, and from reports was rarely used,
on Internet black markets. One market, Rescator, had been for non-payment related, externally accessible applications
described as ‘‘The Amazon.com of Stolen Credit Cards.’’ on Target’s external network. Instead, Target relied on a
(Lawrence 2014) Here batches of credit cards could be scheme required by PCI policy: payment servers were seg-
purchased, sometimes for prices exceeding USD 100 regated from the rest of the network. Indeed, PCI had
(Fig. 4). Cards data contained in the earliest batch released recently given a clean audit of Target’s network segrega-
on Rescator sold for between USD 26.60 and USD 44.80 in tion—a segregation that subsequently proved inadequate.
the days before December 19th (Exhibit 3), when Target Two different security packages triggered alarms as the
went public on the data breach (Krebs 2014). data exfiltration malware was installed on November 30th,
and then again when it was updated. One of these pack-
Failed security measures ages, FireEye, installed at a cost of USD 1.6 million a few
months earlier, recommended to its Target minders in
Target’s attackers exploited numerous security weaknesses. Bangalore the deletion of the malware—a recommendation
Target had publicly posted the names of its suppliers on the reportedly passed on to, but ignored by, the personnel in
Internet. One of them, Fazio Mechanical Services, had relied Target’s security operations center in Minneapolis (Riley
on a free malware detection package, intended for use by et al. 2014). Target also apparently did not maintain a
individuals, rather than for commercial use. The malicious ‘‘white list’’ of authorized processes, often used to ensure
detection package, installed at Fazio, probably captured that malware is not allowed to run on a device or server.
login and password information during transactions. While Neither did Target adequately monitor the creation of new
two-factor authentication was required by PCI3 for payment
Footnote 3 continued
3
The Payment Card Industry Security Standards Council (PCI SSC) Data Security Standard (PCI DSS) is intended to ensure participating
was created in 2006 to develop security standards for the evolving companies that process, store, or transmit credit card information do
Payment Card Industry (PCI). The resulting Payment Card Industry so in a secure manner.
Targeting Target with a 100 million dollar data breach 15

accounts, nor effectively block access to certain external claims have been or may be asserted against us on behalf
file servers (e.g., servers in Russia). of guests, payment card issuing banks, shareholders or
others seeking damages or other related relief allegedly
Financial consequences arising out of the Data Breach. State and federal agen-
cies, including State Attorneys General, the Federal
The breach proved to be immediately costly as reflected in Trade Commission and the SEC, are investigating
the CEO’s comments to analysts in a February 2014 events related to the Data Breach, including how it
earnings conference call. occurred, its consequences and our responses…
Target’s fourth quarter financial results reflect better Target customers’ numerous lawsuits were combined into a
than expected US segments performance through the single class action suit, to be adjudicated in a Federal District
first three weeks of the holiday season, followed by Court in Minnesota. One of nearly 100 customer reports
meaningfully softer results following our December included in the lawsuit described the damages and inconve-
19 [data breach announcement] … fourth quarter niences suffered by one misfortunate Target customer:
comparable sales decreased 2.5%, consistent with our
updated guidance in January. (Target 2014c, p. 3) [A Target customer] used her Savannah State Bank
Visa debit card to purchase goods at a Target store in
Target’s cumulative stock return had beaten both the S&P Georgia during the period of the Target data breach.
500 and Target’s peer comparison group in February of 2013 [The customer’s] personal information associated
but, by the following February, 2 months after the breach, with her debit card was compromised in and as a
had fallen precipitously behind both groups. Earnings per result of the Target data breach. [The customer] was
share had also fallen (Target 2014a, pp. 15–16). Profits in the harmed by having her financial and personal infor-
4th quarter of 2013 were off 47% from the previous year, mation compromised. She incurred multiple unau-
though the decline was partially attributed to poor perfor- thorized charges totaling approximately $1900 in
mance at Target’s Canadian stores. December 2013. [The customer] also experienced a
Costs piled up. Eight months after the breach, the com- loss of access to her funds, paid a replacement card
pany reported USD 236 million in breach-related costs, of fee for which she remains unreimbursed, and incurred
which USD 90 million were covered by insurance (Target late payment fees due to failed automatic payments.
2014e, p. 9). One big expense was the cost to provide Tar- She also paid for credit monitoring services as a
get’s customers with a year of credit screening services. result of the Target data breach. (United States Dis-
Those reported expenses, coupled with a drop in expected trict Court: District of Minnesota 2014, p. 23)
earnings from 85 to 78 cents a share, stunned Wall Street;
Target’s stock price fell 4.4% the next day (Abrams 2014). Estimates of the eventual total cost of fraudulent charges to
John Kindervag, a Vice President and principal analyst customer cards ranged from USD 240 million to USD 2.2
at Forrester Research, predicted that the eventual costs of billion (Weiss and Miller 2015). Among the numerous
the breach would be much higher: damages enumerated by customers’ lawyers were: unau-
thorized charges to debit and credit card accounts; theft of
I don’t see how they’re getting out of this for under a personal and financial information; costs of detecting and
billion, over time… One hundred fifty million in a protecting against identity theft and unauthorized use of
quarter seems almost like a bargain. (Abrams 2014) accounts; lack of access to account funds; costs associated
with that lack of access (e.g., late charges and fees, credit
rating harm); time and loss of productivity stemming from
Legal consequences the need to deal with the challenges faced.
The customers’ lawyers accused Target of:
In its 2014s quarter earnings conference call (Target 2014e,
… failing to take adequate and reasonable measures to
p. 9), Target trumpeted ‘‘dramatically lower’’ breach-re-
ensure its data systems were protected, failing to take
lated costs as compared to post-breach external estimates
available steps to prevent and stop the breach from ever
that had been more in line with Kindevag’s billion dollar
happening, failing to disclose to its customers the
estimate. But, 3 months later, in the risk assessment section
material facts that it did not have adequate computer
of Target’s November 2014 10-Q filing to the SEC (Target
systems and security practices to safeguard customers’
2014b, p. 9), Target identified many, still unresolved
financial account and personal data, and failing to
potential sources for further costs and legal uncertainties.
provide timely and adequate notice of the Target data
… more than 100 actions have been filed in courts in breach (United States District Court: District of Min-
many states, along with one action in Canada, and other nesota 2014, p. 4)
16 F. Pigni et al.

That same U.S. District Court in Minnesota would adjudicate Customer communication
another set of class action lawsuits, this time brought by
banking institutions adversely impacted by their own From its initial announcement of the breach on the 19th
customers’ misfortune. Because of contracts with payment through January 15th, Target sent six emails to its ‘‘guests’’
networks like Visa, historically the banks had shouldered the and a seventh to the holders of Target’s proprietary
bulk of the losses for credit card breaches. This time they REDcard payment card. Included among these were
hoped, because of the retailers’ alleged negligence, more of descriptions of what had happened, apologies, reassurances
the responsibility would be assigned to Target. Estimates of that the problem was being well taken care of and that the
the potential fines that might be levied on Target ranged from customer risk was small, advice about how the recipient
USD 71 million to USD 1.1 billion, numbers that repre- could protect themselves or what actions the customer
sented anywhere from 2 to 37% of Target’s net income for should take (e.g., ‘‘Be wary of emails that ask for money or
2013 (Weiss and Miller 2015). The American Bankers send you to suspicious websites.’’) or should not take (e.g.,
Association estimated that the data breach affected more ‘‘Never share information with anyone over the phone,
than 8% of debit cards and nearly 4% of credit cards email or text, even if they claim to be someone you know
countrywide, with the average loss to banks of USD 331 per or do business with.’’), and explained how to take advan-
debit card and USD 530 per credit card (ABA 2014). tage of the year of free credit monitoring Target was pro-
viding. The Company also quickly established, and
Targeting Target with a 100 million dollar data continued to update, several web resources. One web page
breach (B) included links to the seven emails, related press
announcements, and to transcripts of CFO Mulligan’s
Everyone in this industry right now has to come February 4th and March 26th testimony to Congressional
together to make sure we’re putting the right defense committees. A second web page included responses to 48
plans in place. ‘‘frequently asked questions.’’ The initial versions of these
[Brian Cornell, CEO Target Stores] (CBS News web resources were prominently displayed and accessible
2014) from Target’s home page as of the announcement on
December 19th.
In May 2014, Greg Steinhafel resigned as Target’s
Chairman, President and CEO, a resignation partially
attributed (Abrams 2014) to a massive, criminal data
breach suffered by Target during the 2013 holiday season.
Rebuilding the organization and consumer
The breach had exposed over 100 million customer
confidence
records; it depressed Target’s holiday shopping revenues,
In April of 2014, Target hired a new CIO, Bob DeRoddes,
increased administrative costs, and triggered legal liabili-
who had served in a security advisory capacity to the U.S.
ties. Moreover, the breach was a clear threat to Target’s
Department of Homeland Security, the U.S. Secretary of
brand and reputation. In parallel with Steinhafel’s May
Defense, the U.S. Department of Justice, and numerous
resignation, Institutional Shareholder Services, an overseer
multi-national firms.
of corporate governance for institutional investors, recom-
In the CIO announcement, Target also described its
mended that shareholders reject the re-election of seven
intention to move Target’s ‘‘Red’’ branded credit and debit
members of the board who served on Target’s audit and
cards to a ‘‘chip-and-pin enabled technology,’’ as well as
corporate responsibility committee.
accelerating a plan to install new payment devices in close
Following Steinhafel’s resignation, John Mulligan,
to 1800 stores (see Exhibit 4). Further, it identified a
Target’s CFO took on the position of interim CEO. Three
number of security enhancements already implemented
months later, in mid-August of 2014, Brian Cornell was
(Target 2014d). Among them were the following:
named Chairman and CEO. A previous CEO of PepsiCo
Americas’ Foods Division, Cornell brought extensive retail 1. Enhancing monitoring and logging [including] addi-
experience to Target; his impressive resume included CEO tional rules, alerts, centralizing log feeds and enabling
at Sam’s Club, CEO at Michael’s Craft Stores, and CMO at additional logging capabilities.
Safeway. 2. Installation of application whitelisting point-of-sale
The breach foreshadowed a further shakeup in Target’s systems [including] deploying to all registers, point-of-
management team. Prior to Steinhafel’s resignation, and sale servers and development of whitelisting rules.
3 months after the breach, Target’s CIO resigned. The Vice 3. Implementation of enhanced segmentation [including]
President of Assurance Risk and Compliance, in keeping development of point-of-sale management tools,
with his previously announced intention, also resigned. review and streamlining of network firewall rules and
Targeting Target with a 100 million dollar data breach 17

development of a comprehensive firewall governance Yet, the mood at Target seemed considerably more
process. upbeat than a year earlier. So too were Target’s financials.
4. Reviewing and limiting vendor access [including] The 2014 fiscal year closed with sales up 1.3% and with
decommissioning vendor access to the server impacted digital channel sales growth exceeding 30 percent (Target
in the breach and disabling select vendor access points 2015a) and by the first quarter of 2015, sales grew 2.3%
including FTP and telnet protocols. from the same period in the prior year (Target 2015b).
5. Enhanced security of accounts coordinated reset of Target’s stock price, which had fallen to a low of USD
445,000 Target team member and contractor pass- 54.66 in February of 2014, had rebounded to over USD 75
words, broadening the use of two-factor authentication, in late January of 2015 (Exhibit 2). Target was confident
expansion of password vaults, disabled multiple ven- that the data breach would not impact their reputation in
dor accounts, reduced privileges for certain accounts, the long term:
and developing additional training related to password
… we experienced weaker than expected sales
rotation.
immediately following the announcement of the Data
In June of 2014, Brad Maiorino was appointed to a newly Breach that occurred in the fourth quarter of 2013,
created position, that of Senior VP and Chief Information and while we now believe the incident will not have a
Security Officer. Maiorino was previously with General long-term impact to our relationship with our guests,
Motors and, prior to that, General Electric. In those roles, it is an example of an incident that affected our
his responsibilities focused on information security. He reputation and negatively impacted our sales for a
would report to the CIO. Six months later, Target period of time. (Target 2015a, p. 4)
announced the appointment of Jacqueline Hourigan Rice,
to fill the role of Senior VP and Chief Risk and Compliance The Target Web site, which had, until recently, promi-
Officer. Hourigan Rice also came from GM where she had nently displayed links to information on the data breach,
spent 17 years, most recently as GM’s chief compliance had returned to business as usual (Exhibit 5). By the end of
officer. According to the announcement, she would report 2015, the major lawsuits initiated by customers and credit
to CEO Cornell. Her responsibilities would include the card issuers were finally being settled. In March, Target
following: ‘‘centralized oversight of enterprise risk man- agreed to pay USD 10 million to settle individual victims’
agement, compliance, vendor management and corporate damages up to USD 10,000 (Reuters and Fortune, 2015). In
security under her leadership’’ (Target 2014f). August, Visa issuers settled on up to $67 million in costs
related to the data breach (Whipp 2015). In December, an
agreement was reached with MasterCard issuers for USD
A year later 19.11 million, and banks and credit unions not covered in
the other actions for up to USD 20.25 million (Stempel and
In a televised interview in November of 2014, a year after Bose 2015).
the breach and two days before ‘‘Black Friday4,’’ the semi- While the situation was increasingly back to normal, the
official start of the crucial holiday sales season, Cornell company was still facing shareholder lawsuits, as well
reassured customers, shareholders, and business partners probes by the Federal Trade Commission and State
that the Target leadership team was taking data security Attorneys General, regarding the breach (Stempel and Bose
very seriously: 2015).

We focus every day, every single day, not just during

the holidays, but 52 weeks a year, on data security. The broader threat
Making sure we’ve the right team in place, to mon-
itor, detect, contain. (CBS News 2014) Executives at other multi-national companies were con-
Confidence building words, but even as he spoke, the siderably more pessimistic than Cornell appeared to be, at
perpetrator(s) had not been apprehended, the stolen credit least in his public pronouncements. Speaking at a panel at
card credentials were still for sale on Internet black the 2015 World Economic Forum in Davos, Switzerland,
markets, and a growing number of breach-related lawsuits several CEOs (Gelles 2015) had expressed their appre-
still hung over Target. hensions about data breaches. John Chambers, CEO of
Cisco, predicted, ‘‘The number of security incidents this
year will be exponentially greater than last year.’’ Simi-
4 larly, the CEO of Infosys, Visha Sikka, predicted ‘‘five
The first shopping day after Thanksgiving in the U.S.: allegedly,
named because it was often the day when a retailer’s profitability for times as many incidents as we did last year.’’ (Figure 1) As
the year went from red to black. vendors of IT and security solutions, Chambers and Sikka
18 F. Pigni et al.

were perhaps predictably alarmist in their assessments. The 4. Who do you believe is to blame for the incident? Why?
comments of the CEO of IMax, Richard Gelfond, probably How did Target manage the situation when the breach
better reflected the trepidation of many of Chambers’ and was detected? Do you consider their reaction
Sikka’s customers: appropriate?
5. Do you believe it was the CEO’s responsibility to
The one thing that really scares me is that if someone
inform customers about the data breach? What would
wants to get into your system, they can get in. Almost
you have done?
no amount of money will keep them out.
6. What lessons should a CEO learn from Target?
Another vendor’s study supported their pessimism (Riley 7. What lessons should a CIO learn?
et al. 2014) reporting that only 31 percent of companies 8. What should Target do next?
had identified data breaches through their own monitoring. 9. Do you believe consumers are becoming tolerant of
The percentage was far lower for retailers. As with Target, breeches?
95% of retail data breaches were not discovered by the
retailer; one observer described retailers as ‘‘the wilde-
beests of the digital savannah.’’
Appendix

Exhibit 1: Initial notification to target customers

Congressional reactions to target breach
on December 19th, 2013
Compared to their European counterparts, U.S. retailers
Important notice: unauthorized access to payment card
were particularly vulnerable as Seth Berman, head of the
data in U.S. stores
London office of a risk management firm, observed:
There’s a fundamental flaw in the US credit card We wanted to make you aware of unauthorized access to
system in that they do not use chip and pin… The US Target payment card data. The unauthorized access may
is doing everyone a favor by acting as a honeypot for impact guests who made credit or debit card purchases in
criminals, and in addition the country has more credit our U.S. stores from Nov. 27 to Dec. 15, 2013. Your trust is
cards per head than anywhere else. a top priority for Target, and we deeply regret the incon-
venience this may cause. The privacy and protection of our
The growing, still seemingly uncontrollable, threat to U.S.
guests’ information is a matter we take very seriously and
firms posed by hackers was a growing concern in
we have worked swiftly to resolve the incident.
Washington D.C. Between Feb 3rd and April 2nd, 2014,
We began investigating the incident as soon as we
six Congressional Committees held seven different hear-
learned of it. We have determined that the information
ings related (Weiss and Miller 2015, p. 2) to data breaches
involved in this incident included customer name, credit or
in general and the Target breach in particular. Among the
debit card number, and the card’s expiration date and CVV.
options discussed were:
We are partnering with a leading third-party forensics
Federal legislation to require notification to con- firm to conduct a thorough investigation of the incident and
sumers when their data have been breached; legisla- to examine additional measures we can take that would be
tion to potentially increase Federal Trade designed to help prevent incidents of this kind in the future.
Commission (FTC) powers and authorities over Additionally, Target alerted authorities and financial
companies’ data security; and legislation that could institutions immediately after we discovered and confirmed
create a federal standard for the general quality or the unauthorized access, and we are putting our full
reasonableness of companies’ data security. resources behind these efforts.
We recommend that you closely review the information
provided in this letter for some steps that you may take to
Study questions protect yourself against potential misuse of your credit and
debit information. You should remain vigilant for incidents
1. How was the attack on Target perpetrated? Can you of fraud and identity theft by regularly reviewing your
identify its main phases? account statements and monitoring free credit reports. If
2. Which weaknesses in Target security did hackers you discover any suspicious or unusual activity on your
exploited? accounts or suspect fraud, be sure to report it immediately
3. Would you consider Target data breach an information to your financial institutions. In addition, you may contact
system failure? Why? the Federal Trade Commission (‘‘FTC’’) or law
Targeting Target with a 100 million dollar data breach 19

enforcement to report incidents of identity theft or to learn copy of your credit report every 12 months from each of
about steps you can take to protect yourself from identity the three nationwide credit reporting agencies.
theft. To learn more, you can go to the FTC’s Web site, at Again, we want to stress that we regret any inconve-
www.consumer.gov/idtheft, or call the FTC, at (877) nience or concern this incident may cause you. Be assured
IDTHEFT (438-4338) or write to Federal Trade Commis- that we place a top priority on protecting the security of our
sion, Consumer Response Center, 600 Pennsylvania Ave- guests’ personal information. Please do not hesitate to
nue, NW, Washington, DC 20,580. contact us at 866-852-8680 or visit Target’s website if you
You may also periodically obtain credit reports from have any questions or concerns. If you used a non-Target
each nationwide credit reporting agency. If you discover credit or debit card at Target between Nov. 27 and Dec. 15
information on your credit report arising from a fraudulent and have questions or concerns about activity on your card,
transaction, you should request that the credit reporting please contact the issuing bank by calling the number on
agency delete that information from your credit report file. the back of your card.
In addition, under federal law, you are entitled to one free

Exhibit 2: Target data breach timeline (adapted Langley 2014)

$70
Nov.27 - Dec.18 Dec.18 Jan.10 Jan.29
Hackers were stealing the Target says ‘strong start to its Target says up to 70 million Target confirms that hackers gained
numbers from credit and holiday season has continued more customers had personal network access through an outside
debit cards swiped at POS through the first part of December. information such as names and vendor.
registers. email addresses stolen.
$65

Feb.18
Stock closes at $56.4,
down 11.3% since Target revealed
$60 that card numbers were stolen.
Dec.27
Target says PIN data
also were stolen. Jan.10
CEO Gregg Steinhafel
offers apology in full-page
$55
newspaper ads.
Dec.19
Feb.4
Target says the card numbers
CFO John Mulligan testifies before
of 40 million customers were
Congress about need to convert cards
stolen between Nov. 27 and
from magnetic strips to chip-enabled
Dec.18.
technology.
$50
December January February
20 F. Pigni et al.

Exhibit 3: From hacking to monetization

Exhibit 4: New MasterCard Initiative through this initiative, all of Target’s REDcard products
and commitment to chip-and-PIN will be chip-and-PIN secured.
Earlier this year, Target announced an accelerated $100
Today, Target also announced a significant new initiative million plan to move its REDcard portfolio to chip-and-
as part of the company’s accelerated transition to chip-and- PIN-enabled technology and to install supporting software
PIN-enabled REDcards. Beginning in early 2015, the entire and next-generation payment devices in stores. The new
REDcard portfolio, including all Target-branded credit and payment terminals will be in all 1797 U.S. stores by this
debit cards, will be enabled with MasterCard’s chip-and- September, 6 months ahead of schedule. In addition, by
PIN solution. Existing co-branded cards will be reissued as early next year, Target will enable all REDcards with chip-
MasterCard co-branded chip-and-PIN cards. Ultimately, and-PIN technology and begin accepting payments from all
chip-enabled cards in its stores.
Targeting Target with a 100 million dollar data breach 21

‘‘Target has long been an advocate for the widespread ‘‘Target and MasterCard are taking an important step
adoption of chip-and-PIN card technology,’’ said John Mul- forward in providing consumers with a secure shopping
ligan, executive vice president, chief financial officer for experience, and the latest in payments technology,’’ said
Target. ‘‘As we aggressively move forward to bring enhanced Chris McWilton, president, North American Markets for
technology to Target, we believe it is critical that we provide MasterCard. ‘‘Our focus, together with Target, is on safety
our REDcard guests with the most secure payment product and security.’’
available. This new initiative satisfies that goal.’’

Exhibit 5: Target income statement (adapted Target 2014a, p. 63)

Quarterly results (millions, except per share data) First quarter Second quarter Third quarter Fourth quarter Total year
a
2013 2012 2013 2012 2013 2012 2013 2012 2013 2012a

Sales 16,706 16,537 17,117 16,451 17,258 16,601 21,516 22,370 72,596 71,960
Credit card revenues – 330 – 328 – 328 – 356 – 1341
Total revenues 16,706 16,867 17,117 16,779 17,258 16,929 21,516 22,726 72,596 73,301
Cost of sales 11,563 11,541 11,745 11,297 12,133 11,569 15,719 16,160 51,160 50,568
Selling, general and administrative expenses 3590 3392 3698 3588 3853 3704 4235 4229 15,375 14,914
Credit card expenses – 120 – 108 – 106 – 135 – 467
Depreciation and amortization 536 529 542 531 569 542 576 539 2223 2142
Gain on receivables transaction 391 – – – – 156 – 5 391 161
Earnings before interest expense and income taxes 1408 1285 1132 1255 703 1164 986 1668 4229 5371
Net interest expense 629 184 171 184 165 192 161 204 1126 762
Earnings before income taxes 779 1101 961 1071 538 972 825 1464 3103 4609
Provision for income taxes 281 404 350 367 197 335 305 503 1132 1610
Net earnings 498 697 611 704 341 637 520 961 1971 2999
Basic earnings per share 0.78 1.05 0.96 1.07 0.54 0.97 0.82 1.48 3.10 4.57
Diluted earnings per share 0.77 1.04 0.95 1.06 0.54 0.96 0.81 1.47 3.07 4.52
Dividends declared per share 0.36 0.30 0.43 0.36 0.43 0.36 0.43 0.36 1.65 1.38
Closing common stock price
High 70.67 58.86 73.32 61.95 71.99 65.44 66.89 64.48 73.32 65.44
Low 60.85 50.33 68.29 54.81 62.13 60.62 56.64 58.57 56.64 50.33
Per share amounts are computed independently for each of the quarters presented. The sum of the quarters may not equal the total year amount
due to the impact of changes in average quarterly shares outstanding and all other quarterly amounts may not equal the total year due to rounding
a
The fourth quarter and total year 2013 consisted of 13 and 52 weeks, respectively, compared with 14 and 53 weeks in the comparable prior-
year periods
22 F. Pigni et al.

References PwC. 2016. 19th Annual Global CEO Survey. PricewaterhouseCoop-

ers, p. 44. Retrieved from http://www.pwc.com/gx/en/ceo-survey/
ABA. 2014. Target Breach Bank Impact. American Bankers Asso- 2016/landing-page/pwc-19th-annual-global-ceo-survey.pdf.
ciation. Retrieved from http://www.aba.com/Tools/Function/ Reuters and Fortune. 2015. Target will pay $10 million to settle data
breach lawsuit. Fortune, March 19, 2015. Retrieved from http://
Payments/Documents/TargetBreachBankImpact.pdf.
Abrams, R. 2014. Target Puts Data Breach Costs at $148 Million, and fortune.com/2015/03/19/target-10-million-settle-data-breach/.
Forecasts Profit Drop, The New York Times, August 5, 2014, Riley, M., B. Elgin, D. Lawrence, and C. Matlack. 2014. Missed
http://www.nytimes.com/2014/08/06/business/target-puts-data- Alarms and 40 Million Stolen Credit Card Numbers: How Target
Blew It. Bloomberg.com, March 17, 2014. http://www.bloom
breach-costs-at-148-million.html.
Bennett, B., D. Conover, S. O’Brien, and R. Advincula. 2014. Cash berg.com/news/articles/2014-03-13/target-missed-warnings-in-
Continues to Play a Key Role in Consumer Spending: Evidence epic-hack-of-credit-card-data. Retrieved 13 May 2016.
from the Diary of Consumer Payment Choice. Federal Reserve Rosenthal, L.H. 2011. n re: Heartland Payment Systems, Inc.
Bank of San Francisco Fednotes (April 2014). Retrieved from Customer Data Security Breach Litigation, No. 834 F.Supp.2d
http://www.bheesty.com/cracker/1450697937_f3ce6ff546/fed 573 (United States District Court, S.D. Texas, Houston Division
notes_evidence_from_dcpc.pdf. Dec. 1, 2011). Retrieved from http://www.leagle.com/decision/
Breach Level Index. 2016. 2016 It’s All About Identity Theft—First In%20FDCO%2020111202937/IN%20RE%20HEARTLAND%
Half Findings from the 2016. Gemalto. Retrieved from http:// 20PAYMENT%20SYSTEMS,%20INC.
www.breachlevelindex.com/assets/Breach-Level-Index-Report- Satanovsky, G. 2011. How Counterfeit Credit Cards are Created From
H12016.pdf. ATM Skimmers. Fraud Fighter–Fraud Prevention Blog,
January 17, 2011. http://blog.fraudfighter.com/bid/52994/How-
CBS News. 2014. Target CEO on Black Friday: ‘We have to Win that
Big Playoff Game’. CBS News, November 26, 2014. http://www. Counterfeit-Credit-Cards-are-Created-From-ATM-Skimmers.
cbsnews.com/news/target-ceo-brian-cornell-on-black-friday- Retrieved 12 May 2016.
data-security-free-shipping/. Retrieved 23 June 2016. Steinhafel, G. 2014. An Open Letter from CEO Gregg Steinhafel,
Federal Reserve Board. 2014. The 2013 Federal Reserve Payments Target Corporate, January 12, 2014. http://corporate.target.com/
Study—Recent and Long-Term Payment Trends in the United article/2014/01/target-ceo-gregg-steinhafel-open-letter-guests.
States: 2003–2012—Summary Report and Initial Data Release. Retrieved 26 April 2016.
Federal Reserve System, p. 43. Retrieved from https://www. Stempel, J., and N. Bose. 2015. Target in $39.4 million settlement
frbservices.org/files/communications/pdf/general/2013_fed_res_ with banks over data breach, Reuters, December 3, 2015.
paymt_study_summary_rpt.pdf. Retrieved from http://www.reuters.com/article/us-target-breach-
Gelles, D. 2015. Executives in Davos Express Worries Over More settlement-idUSKBN0TL20Y20151203.
Target. 2014a. 2013 Annual Report, Target.com. Retrieved May 13,
Disruptive Cyberattacks. The New York Times’ DealBook,
January 22, 2015. http://dealbook.nytimes.com/2015/01/22/in- 2016, from https://corporate.target.com/annual-reports/pdf-
davos-executives-express-worries-over-more-disruptive-cyberat viewer-2013?cover=6725&parts=6724-6726-6727-6730-6728.
tacks/. Retrieved 23 June 2016. Target. 2014b. Quarterly Report 10-Q, For the quarterly period
ended November 1, 2014 (SEC filing No. Commission File
Geuss, M. 2015. Chip-Based Credit Cards are Old News; Why is the
US only Rolling Them Out Now? Ars Technica, November 26, Number 1-6049). Retrieved from http://investors.target.com/
2015. http://arstechnica.com/business/2015/11/chip-based-credit- phoenix.zhtml?c=65828&p=irol-secText&TEXT=aHR0cDovL2
cards-are-old-news-why-is-the-us-only-rolling-them-out-now/. FwaS50ZW5rd2l6YXJkLmNvbS9maWxpbmcueG1sP2lwYWdl
Retrieved 13 May 2016. PTk5MjM5MTgmRFNFUT0xJlNFUT0mU1FERVNDPVNFQ1
ITRC. 2015. Data Breach Reports. Identity Theft Resource Center, RJT05fQk9EWSZleHA9JnN1YnNpZD01Nw%3D%3D.
p. 197. Target. 2014c. Edited Transcript: TGT-Q4 2013 Target Corporation
ITRC. 2016. ITRC Breach Statistics 2005–2015, January 25, 2016. Earnings Conference Call. Target.com, February 26, 2014. http://
http://www.idtheftcenter.org/images/breach/2005to2015multiyear. phx.corporate-ir.net/External.File?item=UGFyZW50SUQ9M
pdf. Retrieved 13 May 2016. jIyNTE0fENoaWxkSUQ9LTF8VHlwZT0z&t=1. Retrieved 13
Krebs, B. 2013. Sources: Target Investigating Data Breach—Krebs on May 2016.
Target. 2014d. Target Appoints New Chief Information Officer,
Security. Krebs on Security, March 18, 2013. Retrieved from
http://krebsonsecurity.com/2013/12/sources-target-investigating- Outlines Updates on Security Enhancements. Target Corporate,
data-breach/. April 29, 2014. http://corporate.target.com/press/releases/2014/
Krebs, B. 2014. Fire Sale on Cards Stolen in Target Breach, Krebs on 04/target-appoints-new-chief-information-officer-outl. Retrieved
Security, February 19, 2014. Retrieved from http://krebsonsecur 23 June 2016.
ity.com/2014/02/fire-sale-on-cards-stolen-in-target-breach/. Target. 2014e. Edited Transcript: TGT—Q2 2014 Target Corporation
Langley, M. 2014. Inside Target, CEO Gregg Steinhafel Struggles to Earnings Conference Call. Target.com, August 20, 2014. http://
Contain Giant Cybertheft. Wall Street Journal, February 19, phx.corporate-ir.net/External.File?item=UGFyZW50SUQ9M
2014. Retrieved from http://www.wsj.com/articles/ jY0NDkzfENoaWxkSUQ9LTF8VHlwZT0z&t=1. Retrieved 13
SB10001424052702304703804579382941509180758. May 2016.
Lawrence, D. 2014. The Amazon.com of Stolen Credit Cards Makes Target. 2014f. Target Names Jacqueline Hourigan Rice as Senior Vice
President, Chief Risk and Compliance Officer. Target Corporate,
It All So Easy. Bloomberg.com, September 4, 2014. http://www.
bloomberg.com/news/articles/2014-09-04/the-amazon-dot-com- November 6, 2014. http://corporate.target.com/press/releases/2014/
of-stolen-credit-cards-makes-it-all-so-easy. Retrieved 13 May 11/target-names-jacqueline-hourigan-rice-as-senior-vi. Retrieved 23
2016. June 2016.
Target. 2015a. Quarterly Report 10-Q, For the Fiscal Year Ended
Olavsrud, T. 2014. 11 Steps Attackers Took to Crack Target. CIO,
September 2, 2014. http://www.cio.com/article/2600345/secur January 31, 2015 (No. Commission File Number 1-6049).
ity0/11-steps-attackers-took-to-crack-target.html. Retrieved 13 Retrieved from http://investors.target.com/phoenix.zhtml?c=
May 2016. 65828&p=irol-SECText&TEXT=aHR0cDovL2FwaS50ZW5r
d2l6YXJkLmNvbS9maWxpbmcueG1sP2lwYWdlPTEwMTQ2Njc
Targeting Target with a 100 million dollar data breach 23

4JkRTRVE9MCZTRVE9MCZTUURFU0M9U0VDVElPTl9FT Weiss, N.E., and R.S. Miller. 2015. The Target and Other Financial
lRJUkUmc3Vic2lkPTU3. Data Breaches: Frequently Asked Questions. In Congressional
Target. 2015b. Quarterly Report 10-Q, For the Quarterly Period Research Service, Prepared for Members and Committees of
Ended May 2, 2015 (No. Commission File Number 1-6049). Congress February, Vol. 4, p. 2015.
Retrieved from http://investors.target.com/phoenix.zhtml?c= Whipp, L. 2015. Target to pay $67 m over Visa data breach. FT.com,
65828&p=irol-SECText&TEXT=aHR0cDovL2FwaS50ZW5r August 18, 2015. https://www.ft.com/content/a6b571d8-45c8-
d2l6YXJkLmNvbS9maWxpbmcueG1sP2lwYWdlPTEwMzA 11e5-af2f-4d6e0e5eda22. Retrieved 31 July 2016.
0MDY0JkRTRVE9MCZTRVE9MCZTUURFU0M9U0VDVE Zetter, K. 2014. How RAM Scrapers Work: The Sneaky Tools
lPTl9FTlRJUkUmc3Vic2lkPTU3. Behind the Latest Credit Card Hacks. WIRED, September 30,
United States District Court: District of Minnesota. 2014. In re: Target 2014. https://www.wired.com/2014/09/ram-scrapers-how-they-
Corporation Customer Data Security Breach Litigation, No. work/. Retrieved 12 May 2016.
14-2522 (PAM/JJK), January 12, 2014. Retrieved from http://
cdn.arstechnica.net/wp-content/uploads/2014/12/document4.pdf.
Wahba, P. 2014. Target puts focus back on ‘cheap-chic’ with eye on
winning back holiday shoppers, October 21, 2014. http://fortune.
com/2014/10/21/target-holiday/. Retrieved 26 April 2016.