A Case Study Analysis Target and Home De (1)
Running Head: A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA
BREACHES
A Case Study Analysis Target and Home Depot Data Breaches
Name of Student
Institutional Affiliation
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
A Case Study Analysis Target and Home Depot Data Breaches
Introduction
Data privacy and cyber security are real risks to companies: in the wake of data breach,
most employees may be terminated or face personal liability, the company may face regulatory
investigations, multitude lawsuits, disruption of business, fall of stock price, and the reputation
of the enterprise may weaken. Hacking is a serious issue, a potential threat to every computer
system. Cybercrime or internet hacking, according to Computer Crime Research Center Aghatise
E. Joseph is an internet crime committed using a computer as a tool or a victim targeted (Joseph,
n.d.). Notably, it is much challenging to categorize general internet crimes into distinct groups
since most cyber crimes evolve on a daily basis. However, public relations professionals provide
a proportionate procedure of handling internet security crises to restore the company reputation.
It all counts down on trust of the consumers to the company that their personal information will
be safe despite the crisis. Therefore, how companies respond to data breaches can damage or
build the corporate reputation and hard-earned trust. Since data breaches compromises are often
complex, the procedure of making a rapid communications decisions required to curb the
potential harm of the data breach is often challenging.
The situations are often further complicated owing to the reality that every data breach
differs from the other, and there may be no precedent within the organization to respond to the
crisis. The impact of mishandled breach can reach throughout the business both in short and
long-term; lost sales, bad press, litigation and mitigation alongside uphill battle to rebuild the
company reputation. Apparently, most of the breaches involved compromise or theft of
identifiable information, such as addresses, names, and social security numbers. Many
information security professionals will remember 2104 as the year of the big data breaches, and
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
with a good reason. Besides the occurrence of numerous high-profile hack attacks, the year
incorporated various lesser known incidents that nevertheless led to significant theft records,
according to a report by Timothy, (2015). Breach crimes went up to a total of 1, 540 representing
46 percent from the increase 1,056 in 2013.
More importantly, the dramatic rise in data records involved in the breaches that jumped
78 percent from approximately 575 million in 2013 to more than one billion in 2014 (Timothy,
2015). Following the time perspective, in 2014 alone, some 2,803,036 data records were stolen
every day, 116,793 every hour and 1,947 every minute and so on (Timothy, 2015). Despite the
growing interest of technological encryption as a security measure to protect privacy and
information, only 58 percent of the data breach incidents in 2014 representing less than 4 percent
of the total involved that was encrypted in fully or partially. However, beyond the numbers were
the economic, social, and political impacts of the breaches. Some of the big data breaches in the
year 2014 names Home Depot and entertainment company Sony Pictures Entertainment. This
reality- based case study will examine two examples of cyber crime that happen in 2013/2014:
the data breach at Target and the one at Home Depot. This study highlights the strengths and
weaknesses of public relations at Target and Home Depot during their recent data breach crises.
The public relations and marketing plans that Target and Home Depot pursued while they were
victims of cyber crime will be analyzed, followed by communications recommendations that
may help keep an already bad situation from becoming worse. The case study prepares a robust
analysis of data breach crisis response using Target and Home Depot. It identifies the data breach
scenario in the company, their response followed by evaluation and recommendation of data
breach response based on public relations literature.
Problem Statement
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
Cyber attacks make news headlines almost every day these days, essentially, when they
hit global credit card companies, major retailers, and high-tech leaders. Recently, financial data
breaches have exposed a good number of company’s personal information concerning finances,
healthcare, personally identifiable information (PII), and legal issues. The criminal act of cyber
has predominantly been affected by outside hacking computer systems of institutions and the
insiders with or without authorized access to the information. According to Timothy (2015), 78
percent of all records compromised during the initial six months of 2014 were exposed as a result
of the outside hackers. More recently, Target and Home Depot has fallen victims of these
incidences recording huge financial losses. Specifically, Home Depot reported 56 million
customer email addresses and payment cards while Target reported 40 million payment cards and
70 million records of customer names, telephone numbers, addresses, and emails.
The data of small and middle size companies are increasingly being hacked. Target and
Home Depot is considered one of the worst data breaches in history of American data breach
crimes. Cyber security has been named top five global company risks for companies, according
to World Economic Forum. It is reported that the plethora of new hackers opportunities include
mobile device use, increased use of cloud computing and corporate espionage. Despite the
looming cyber threats, according to Timothy, many senior company managers remain denial and
have not been able to put up robust public relations measures to respond to data breaches crises
through professionalized communication strategies. Accordingly, data breaches that result in
compromising of personal information or disclosure of personally identifiable information from
consumers or employees, in particular, can have a significant impact on the company’s bottom
line. Public relations strategies help prepare the companies for a quick response to data breach
scenarios by ensuring proper communication strategy to mitigate the crisis.
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
Background of Data Breach
While there are emerging efforts to promote internet security systems, hackers continue
to poke holes in a number of industries, instigating disorder to both the consumers and the
corporations that trust their information will be protected. Definitely, mishandling of consumer
data and inadequate company safeguards can come at a high price from lawsuits and consumer
mistrust, resulting in devalued company stocks. Primarily, the security data breaches at Target
and Home Depot cost the company approximately $248 million and 3 billion dollars
respectively.
Home Depot Data Breach
Home Depot retail references an American based retailer dealing with home
improvement and product services. The company operates numerous big-box format stores
across the U.S. Mexico and all the ten provinces of Canada. The breach against the United States
based home improvement specialty retailer involved financial access attack that mentions 109
million records and scored 10.0 on the risk assessment scale. This was considered on of the
largest attacks of the year based on the records compromised, Hill (2014) reports. According to
the company official statement, its payment data systems got attacked. Notably, the files that
contained the stolen email addresses never contained payment card information, passwords or
other sensitive personal or private information, the report reads. More specifically, in September
2014, the US home improvement retailer, Home Depot, established it experienced a breach in
security that affected approximately 56 million debit and credit cards in United States and
Canada (Hill, 2014). The data breach criminals used unique, custom-built malware to steal the
account numbers from the point of sale systems of Home Depot. The do-it-yourself retailer owns
and operates 180 stores in Canada and more than 2, 200 in the United States. Reports from Home
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
Depot Company indicated that cyber criminals armed with custom-built malware stole
approximately 56 million cards numbers from the customers from April to September 2014. The
disclosure made the crime the biggest incident card breach on record.
The disclosure that was first released in September indicated that the malicious software
used by the unknown cyber criminals to steal debit and credit cards was mainly installed on the
payment systems in the self-checkout at retail stores. While investigations revealed that the
criminals stole fewer cards in the period of five months breach than they might otherwise. Home
Depot release dated September 18, 2014, through investigations indicated that the cyber thieves
used unique, custom built malware to evade detection. Apparently, the malware had not been
seen previously in other cyber attacks, according to the Home Depot security partners (Home
Depot Security Breach, 2014). It is estimated that the cyber attack put payment card information
at risk for nearly 56 million unique payment debit and credit cards. Hill, (2014) finds that that the
malware is believed to have been present from April to September 2014. Besides, Home Depot
statement established that it had completed a security upgrade that would deter any further
breach of its system in its retail stores in United States and would roll out updated and enhanced
encryption of the stores in Canada. According to Home Depot Security Breach (2014), the
terminals identified with the malware were taken out of service and eliminated from the systems
of the company. Today, the Canadian debit and credit cards have chip technology that protects
the customers. Home Depot subsequently assured the customers that there is no evidence the
cyber criminals gained access to the customers PINs.
Target Data Breach
The Home Depot cyber crime story is no an isolated incident. On December 19, 2013,
United States-based retail giant Target provided a statement indicating that it had suffered a
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
major credit card data breach between November 27 and December 25, 2013. The released
statement confirmed a previous report of the December 18 data breach. A report by In Hardy,
(2014) indicates that Target engaged both the federal law enforcement including private incident
response firm and U.S Secret Service to investigate the nature and scale of the data breach.
However, on December 23, Target suggested that malware installed on point of sale (POS)
terminals provided an edge for the breach, a fact that the statement release of the company
confirmed in early January 2014. However, Target representatives have released little narrative
and technical detail on the attacks, which is often typical for institutions that have suffered cyber
crime incidences.
According to statement released by Target, from November to December 2013,
information on approximately 40 million payment cards, for example, debit, credit, and ATM
cards, and personally identifiable information (PII) on 70 million consumers were compromised.
Reports from the Secret Service indicated that it was investigating the breach and is yet to release
further details. However, the Congressional hearings, the executive vice president from Target
testified that an intruder used vendor access to the system of the company to place malware on
the point –of-sale (POS) registers. According to the testimony, In Hardy (2014) writes the
malware recaptured debit and credit card information before it got encrypted, and this rendered it
more difficult, or rather impossible to read. Additionally, the hacker captured some strongly
encrypted personal information numbers (PIN), according to Burg (2014). The report validates
that it was very unlikely that all the 40 million payment cards that got compromised at Target
could be used in fraudulent transactions. As such, some cards, the report reads would be canceled
before they begin working and attempts to use valid cards were denied by the issuing financial
information. Finally, there were zero attempts to make fraudulent use of the credit cards.
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
According to reports from the media, financial institutions responded to the Target
Breach by issuing new credit and debit cards of their cardholders while others decided to depend
on antifraud monitoring approach. More specifically, Wells Fargo, JPMorgan Chase, and
Citibank replaced their debit cards, rather than credit cards, U.S Bank and Bank of Africa
depending on the detection of the fraud (Geneiatakis, Scheer & European Commission, 2013).
Most currently, Target reported that the data breaches costs 248 million dollar. However,
independent sources made back to back envelope and estimated that it ranges from 240 million
dollars to 2.2 billion dollars in fraudulent charges alone. Yet this is exclusive of the additional
potential costs to consumers concerned about personal information or credit histories; penalties
or fines to Target and financial institutions (Weiss & Miller, 2015). The data breach of Target was
alongside that of Home Depot was one of the numerous cyber crimes in the history of United
States. The concerns of consumers over the Target data breached fueled further congressional
attention on its data security. Therefore, the Congress held seven hearings on six various
committees related to these topics to examine the events surrounding Target breach. The
hearings, according to Weiss and Miller (2015), was predominantly held to ensure improvement
of the data security standards, notifying consumers when their data have been compromised and
protecting consumers’ personal information data.
Case Studies
Target Corporation
Detailed Story of the Target Breach Target data breach dates back to the months of
November and December of 2013 when unknown cybercriminals breached the data security of
the company. Kassner, (2015) indicates that the business confirmed that 40 million debit and
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
credit cards account numbers and details were stolen. Furthermore, in the month of January 10,
2014 the company announced that personal information, including addresses email addresses,
names, and phone numbers of nearly 70 million customers were also stolen during the cyber
crime act. Owing to the testimony of Target vice president and financial executive to the Senate,
a report was released by the committee of Senate that concluded that Target missed opportunities
to prevent the data breach crime. According to Kassner (2015), the November-December
incident involved cyber criminals that successfully collected, staged and eventually exfiltrated
data related to credit and debit payment cards. Notably, a number of finer details remain unclear;
however, quite a few have emerged. Speculations streamed from various reliable sources
maintaining that the security products of Target Corporation never had in place that was
necessary to stop the breach.
Target Corporation involved both the federal law enforcement including the US Secret
Service, and private incident response firm that aided in the investigation of scale and nature of
the data breach. Besides, Target suggested that the malware installed on the POS terminals was
the significant component of the breach as confirmed by the company in January 2014. Target
representatives, however, released little technical detail on the attacks that indicate a downturn in
obtaining verifiable details about the cyber crime (Janczewski & Colarik, 2008). Widespread
speculations have emerged on how the cyber criminals successfully executed the large-scale
attack that went undetected for approximately three weeks. Despite assertions that payment card
companies obligates any enterprise accepting payment card to adhere to the PCI rules
highlighting security of their payment card processing, Target testified that its systems were
reviewed in September 2013 and certified as compliant (Janczewski & Colarik, 2008).
Moreover, the magnetic stripes on the back of United States credit cards are, for instance
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
not encrypted. However, media reports indicate that a malware known as a “memory scraper”
captured information from the payment cards of the customer by reading the memory of the POS
system before it got encrypted (Munson, 2014). In a nutshell, the reports from both the media
and the company provides that an intruder obtained the credentials of a vendor that enabled the
access to the Target vendor billing and invoicing system that escalated the intrusion in the POS
system of target. This allowed the introduction of the malware into target’s POS system, and the
initial warnings about the malware got ignored by the security professionals of the company. As
such, the software of Target was used to spread the malware to virtually all of Targets POS
devices. Besides, the credit and debit cards data were stored in innocuously named files that was
sent to servers outside the system of Target and then on the other servers. Surprisingly, the
warnings about communicating the data were overlooked.
The company estimates that the 40 million payment and 70 million PII data breaches had
at least 12 million people in common, translating to a figure of 98 million as the number of the
affected customers, according to Retail Association (2014). Additionally, the Fazio Mechanical
Services that provided ventilation, heating, and air conditioning (HVAC) services for the
company indicated that it was used to breach the payment system of Target. Accordingly, reports
indicates that a Fazio computer authorized to submit project management and contract billing to
the company reportedly was compromised by the intruders, the report reads. Besides, media
reports provided that Fazio became a victim of phishing email containing the malware that was
used to install other malware on the network of target, including Target’s POS system that
records card transactions and all payments (Retail Association, 2014).
Target Breach Timeline
According to a report by Senate committee on the Judiciary (2014), companies that suffer
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
data breaches due to cyber crimes rarely publish their detailed timelines. However, Target
became an exception to this rule, perhaps because the company senior management was made to
testify before the Congress. Senate committee on the Judiciary (2014), reports that according to
testimony of Target executive vice president and chief financial officer, John J. Mulligan, the
documented significant dates of the crimes are as follows.
The testimony indicates that on November 12, 2013 Cyber criminals or intruders
breached the computer system of Target Company. It is anticipated that the intrusion was
detected by the company security systems, yet the security professionals of Target failed to take
any action until the time the law enforcement of the breach provided a notification (Senate
committee on the Judiciary, 2014). In December 12, 2013, the Senate records, the Department of
Justice (DOJ) provided a notification to Target that there was an apprehensive activity involving
the debit, credit and ATM cards that had been used in the company. On December 13, 2013,
senior officials from Target met with the Department of Justice and the United States Secret
Service for further information on the suspicion. On December 14, 2013, the company hired
external professionals to offer a robust forensic investigation into the matter. On December 15,
2013, Target released a statement confirming that malware had been installed and that most of
the malware had been eliminated.
As time goes by, on December 16 and 17 of 2013, the company provided a notification to
the payment processors and card networks that the breach had indeed occurred (Senate
committee on the Judiciary, 2014). December 18, 2013 the company removed the remaining
malware and in the 19th of December 2013, the company released an official public
announcement of the breach. Later, on December 27, 2013, the company provided further details
relating to the crime adding that the encrypted PIN data had been stolen. Thereafter, on January
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
9, 2014, Target discovered the theft of PII and on January 10, 2014 the company confirmed
through a public announcement that PII had been stolen (Senate committee on the Judiciary,
2014).
Home Depot Case Study
Home Depot is a retail business with 2,266 stores and 79 billion dollars in annual
revenue. Previously, before the hackers intruded into the payment accounts of Home Depot, the
stores in Canada and US, it had suffered to smaller hacks. However, the company confirmed the
major hack on September 8, 2014 nearly one week after credit card data that was linked to its
customers went up for sale on a black-market website, according to (Laasby, 2014). The hack put
56 million cards of the company at risk and more than 40 million Target, breach victims. Internal
documents of Home Depot, according to Laasby, (2014), indicated that the Atlanta-based retailer
had chosen to keep extra measures on security deactivated despite being designed to detect
intrusion of any malicious software in the system. The reports provided in a statement from
Home Depot indicated that the cyber criminals used custom-made software to evade detection,
thus relying on tools that had never been used in account hacking.
Home Depot Customer update on data breach reports that a massive batch of debit and
credit cards belonging to Home Depot went on sale on a criminal internet site that lined the
hackers to Target and P.F. Chang’s. The credit card information got offered on sale a day after the
underground site that had stolen financial information. According to the reports, the breach could
have begun in late April 2014, according to Krebs security reports. Besides, Home Depot
spokesman, Paul Drake, reinstated that there was unusual activity in their software and was
working with the financial partners and law enforcement officials to investigate the matter. The
hackers stolen information from the cards issued by the European financial institutions further
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
confirming that a breach occurred, and that effort were being made for instant notify the
customers (Reingold, 2014). However, Home Depot press never released any specifics related to
the duration the malware was in its systems, the points of sale compromised, and how the
hackers gained access to its networks, according to Reingold (2014). However, rumors leaked
that there may be an insider connection that allowed the hackers to gain access to Window XPe
terminals of Home Depot.
While limited details were provided to the public about Home Depot data breach, sources
familiar with the investigation referenced that the hack never hit the registers of the store. A press
statement later released by Home Depot that outlined the findings of the inquiry of the data
breach confirmed that the criminals used a third-party vender’s username and password to access
the perimeter of the company network. The stolen credentials alone; however, never provided
direct access to the point of sale devices of Home Depot (Egan & Anderson, 2015). Thereafter,
the hackers acquired elevated rights that made them to navigate portions of network of Home
Depot and to deploy unique, custom-built malware on its self-checkout systems in Canada and
U.S. Additionally, the previously disclosed payment card data, the statement reads, separated the
files containing nearly 53 million email addresses that were also stolen during the breach.
However, the statement confirmed that the files never contained passwords and payment card
information or other sensitive personal information.
Home Depot Timeline of Data Breach
The first information on the Home Depot data breach was disclosed on September 2,
2014 that also sought to assure the customers that the used malware was eliminated in both the
stores. Multiple financial institutions reported on September, 7 2014 that they were receiving
alerts from MasterCard Visa about particular debit and credit cards compromised in the breach
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
suggesting that the cyber criminals were stealing from card data from Home Depot, marking five
full days after the data breach news first broke. Moreover, Home Depot acknowledged that on
Monday, September 8, 2014, that it had suffered a breach of debit and credit card involving its
members in Canada and U.S. stores dating back to April 2014 (Egan & Anderson, 2015). Despite
the retail acting swiftly to assure its customers and the financial institutions that there was no
debit card PIN was compromised, reports came that multiple financial institutions have
experienced a steep increase over the previous day in fraudulent ATM withdrawals on the
customer accounts (Home Depot Press Release, 2014).
On September 9, 2014, Home Depot confirmed that a network intrusion has led to the
compromise of its customer credit and debit payment card data for potentially the customers in
the entire unit that shopped at the retailer dating back to April 2014 (Home Depot Press Release,
2014). On that very day, the details started after a well-known security blogger reported that a
large quantity of the stolen cards for the customers started to appear in underground markets.
Home Depot, therefore, on September, 13, 2014 rolled out the encryption project in its U.S. and
Canada stores that was then estimated to be complete early in 2015.
Home Depot Respond
According to Morran (2014), almost a week after security blogger Krebs warned that
Home Depot could be the victim of data breach extending to its U.S. and Canada stores, the
company never confirmed nor denied the breach occurred. While Target made the initial
disclosure to the scope of the breach and later revised them in a series of updates, Home Depot
did not respond swiftly. Despite the cases being different, Home Depot initially denied that no
breach had occurred and in their defense, Home Depot spokeswoman Paula Drake indicated that
they never had any updates on the situation. Therefore, Home Depot waited until they
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
established the parameters of the breach to disclose other details finally. Frequently, the company
released statements aimed at updating the customers on the investigation into the breach in the
payment data system (Morran, 2014). Finally, the company confirmed that hackers stole separate
files containing credentials of the clients, and every effort was made to notify individual
customers that became a victim of the breach. Constantly, the company assured the customers
that they were not liable for the fraudulent charges to their accounts and offered a free identity
protection services such as credit monitoring to the customers that used payment cards at home
Depot from April 2014.
Despite responding a week later, the company provided an initial press release denying
the breach justifying that they had no facts on the breach. However, the company later provided a
detailed report on the data breach, though the company never specified what information was
stolen by the hackers. Also, reports indicated that payment cards had gone up for sale on an
online black market that indicated that they contained adequate data to create a fake card. Home
Depot also failed to provide the timeline of the data breach, however, insisted that the
investigations go back as far as April 2014, according to (Greising & Lisa, 2014). Despite the
mixed feelings over the in the reports, Home Depot stressed that it had closed the leak, and the
malware had been eliminated from the systems. It also moved to assure the customers that it was
working on enhancing security measures and promised further updates of the breach (Greising &
Lisa, 2014). While it never disclosed the specific stores that were affected by the breach, the
company indicated that the consumers were not liable and also warned the customers to be on
guard against phishing scams used to trick people to provide personal information in response to
phony emails.
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
Home Depot acknowledged that the size of the hack made it more likely for the company
to face steep costs. The finance security professionals led by Bill Guard estimated the potential
cost f the fraud to cost as high as 3 billion dollars for the company. Therefore, Home Depot
hastened to assure the investors that it was on the track to meet its target sales in the third quarter.
According to Morran, (2014), the September 18, 2014 news release from the company provided
an estimation of the growth of sales indicating that it would grow by 4.8 percent besides raising
its approximation of third-quarter per share profit to 4.54 billion dollars from 4.52 billion dollars.
The profit estimates, according to Home Depot Press Release, considered the cost of
investigating the data breach, providing credit monitoring services to the customers and as
professional and legal services. Therefore, the company made a pledge that no customer would
be on the hook for any fraudulent charges. However, the company never factored in the losses
related to the breach such as liability on debit and credit cards of the customers as well as from
any civil litigation. Yet, the undocumented costs had material adverse effects on the financial
results of the company in the fourth quarter or future periods.
Target Corporation Respond
Retail Association, (2014) reports that, overall, the company reacted slowly in
communicating the problem to the customers. The security breach of Target, Munson (2014)
writes, fell into horrible timing. The attack happened during the December, a shopping season
that obviously caught the retailers offside. However, the chance to be the first to break the news
was completely in its control, and they waited for seven days after learning about the theft before
alerting the customers. The company, according to John Biggs for TechCrunch, reacted quite
slowly on the breach as Krebs Security provided information a week earlier. This made most of
the customers to learn about the breach from the media rather than from the company itself for
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
the first time. Also, the communication with the consumers was inadequate including the banner
informing the customers of the breach that was too small to see. In essence, there was a
communication breakdown in the response strategy used by Target Corporation and the angry
customers flooded the social media.
Later, when the company released an official report admitting the data breach, the
company first apologized to the customers for the incident and stated that the breach had shaken
the confidence of their guests. Target took responsibility of the guests seriously and indicated
that they had learned from the incident and hopes to make the company more secure for the
customers in the future. Also, the press release of Target documented the timeline and the events
of the breach based on the investigations. Munson, (2014) writes that Target assured the
customers that they were working closely with the U.S. Secret Service and the U.S. Department
of Justice on the investigations to assist in bringing the criminals to book.
Primarily, Target categorically provided information based on their knowledge. This
included the events and the timelines of the events in depth. With reference to protection of the
customers and guests, Target responded by protecting the guests and strengthening the security
system. The immediate actions were documented. Firstly, Target Corporation undertook an endto-end review of the entire network and promised to make security enhancements appropriately.
The company also responded by increasing fraud detection for the Target REDcard guests.
According to Geneiatakis, Scheer and European Commission (2013), the company outlined that
so far, they had not witnessed any fraud on the payment cards as a result of the breach, however,
the statement acknowledged that they ad seen a very slowly amount of additional fraud on the
Target Visa Card. Thirdly, target considered reissuing new Target debit and credit cards
immediately to any customer that requested one and also offered one year free identity theft
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
protection and credit monitoring to the customers that ever shopped at the U.S. Target stores. The
protection, as explained, included free daily credit monitoring, credit report, unlimited access to
personalized assistance from professionals of fraud resolution agent and identity theft insurance.
Furthermore, target informed the customers that they had zero liabilities for any
fraudulent charges accrued on their payment cards due to the data breach incident. According to
the report, Target challenged the customers to consider monitoring their accounts and promptly
alert their issuing financial institution or Target for any suspicious activity. Target’s response also
included accelerating their investment in the chip-enabled technologies for their REDcards and
stores’ POS terminals. The company assured the stakeholders the chip-enabled technologies
would be critical to enhancing customer protection. Target also responded by initiating a creation
of 5 million dollars investment in campaign with Better Business Bureau, the National Cyber
Forensics, and Training Alliance, and the National Cyber Security Alliance to advance public
awareness and education about cyber security and the dangers of consumer scams (Kassner,
2015).
Earlier, Target had launched a retail industry Cybersecurity and Data Privacy Initiative
that was seen as a response to emphasize in informing the public dialogues alongside providing
an enhanced practices pertinent to improved payment security and consumer privacy and cyber
security. The report touched on their response in investing in security measures that included
firewalls, intrusion detection and prevention capabilities, malware detection software, and data
loss prevention. In an effort to assure their customers of the future security, the moving forward
slogan in their response, Target called for teamwork and updating payment card technology and
strengthening protections for the consumers. In a nutshell, the company launched robust public
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
relations counterattack based on daily news briefing and flurry of statements and photos
designed to show the company was aggressively responding to the data breach crisis.
Data Breaches against Expert Recommendations
If a company experiences a huge crisis, there is no shortcut: the companies will definitely
suffer and without elaborate strategies the company might never be the same again. The point of
debate holds that instead of responding to a crisis as a defeat, the company should recognize the
fact that it is another opportunity window and find the best approach out of the crisis, essentially,
with its brand image and reputation intact. Therefore, numerous public relations experts have
echoed their recommendations to companies that become victims of the crisis.
In his book, “Public Relations Strategies and Tactics” Wileox suggests various
mechanisms of communicating during a crisis. According to Wileox (1988), a company should
designate a single spokesperson that should be someone trusted by the media and who has
authority to speak on behalf of the organization. Wileox recommends that company’s top
executive is often best spokesman. Secondly, the organization management should remain
accessible and provide after-hours phone number, respond positively to media calls, and become
open to questions. Also, if the question is sensitive and might sabotage investigations, it is
essential to mention. Accordingly, these recommendations promptly match the events that
occurred in both Target and Home Depot during the crisis. Especially, Home Depot insisted that
it could not provide other sensitive details concerning the timelines of the data breach as the
matter was under investigation. Besides, both the companies communicated, though late, to the
public through the press release that was read by their respective executives. Additionally, Target
officials provided the scope of the data breach, and even remained accessible including
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
appearing before the Senate to testify on the crisis. While both companies responded late to the
crises, they relied on investigations and later provided daily news updates, Afterhours phone
number. Target, for instance, remained accessible to the media and even responded to interview
when they were requested to do so. For example, Target had an interview with Bulls Eye press
that also tackled the questions that were asked by the public.
Wileox further reinstates that companies in crisis should monitor news coverage and
telephone inquiries including establishing the media reports on the crisis and compare with the
organization’s view. Also, the organization should be familiar with the needs and deadlines of the
media and provide timely information to meet both the print and broadcast deadlines. Wileox,
(1988) recommends that the organization should communicate with the key public, employees,
government agencies, the investment community, officials and focus on their relations with the
media. Primarily, some of these principles did not go well with the companies. Firstly, they both
responded late a week after the events. Target, for instance, responded a week late making the
media rely on rumors to report to the public. Besides, the company never responded to the media
allegations positively insisting that there was no such breach until one week after the event.
Reports even circulated in the media indicating that there were Target credit cards being sold in
online credit market that could be used for fraudulent transactions.
Similarly, Home Depot denied access to the customer payment cards contrary to the
media reports that some indeed the intruders accessed the payment cards. These assertions
indicate that the companies never remained familiar with media needs. However, the companies
both communicated amicably to the public by telling the truth based on their knowledge and
investigations. Also, they got in contact with relevant investigative bodies to assist in validating
the matter. Especially, target involved the U.S. Secret service and U.S. Judicial Service
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
Commission in their investigations (Janczewski & Colarik, 2008). Lastly, both companies
provided frequent updates to the customers and the public over the findings of the investigations.
Wileox, (1988) further mentions that organizations should take responsibility for solving
the problem though must not admit or deny guilt. Also, they should set up an information center
for information updates, and provide a constant flow of information. Wileox writes that an
organization in crisis can only build credibility by addressing bad news quickly, and when the
information is withheld, the cover-up becomes the story. With reference to Target, the
organization stated explicitly that there is no customer that would be liable for the charges
resulting from the fraudulent transactions. The organization offered to take full responsibility and
went ahead to provide free security monitoring and credit and debit cards for any customer that
demanded. Similarly, Home Depot took full responsibility and provided all the customers that
had been shopping in their retails from April with new credit and debit cards.
Also, Home Depot reinstated that no customer would be liable for the charges resulting
from the fraudulent use of their payment cards (Janczewski & Colarik, 2008). Based on a
constant flow of information, both the organizations reacted slowly to the crisis providing formal
press release a nearly a week after the crisis. Despite justifying their late response by not relying
on rumors, after the initial investigations, both companies provided continuous update for the
customers over the investigation validations. However, Home Depot and Target failed to
establish an information center for providing information updates. Rather, the companies rushed
to technological responses including creating chip-enabled technologies to protect the customers.
Referring to Howard (2013), in his book, “On Deadline Managing Media Relations”, an
organization should know who has the information. According to Howard information, exists in
the department, public, and federal state organizations. Krebs security initially broke the news of
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
the data breach, though it is not clear whether the companies identified specific individuals with
the information, they both indicated that their security systems detected unusual activity in their
software. Also, organizations should be accessible and monitor the media. Similar to the
recommendations outlined by Wileox (1988), Home Depot, and Target remained available and
even attended to interview questions from the media. While the literature remains mixed, Eric
Weiss and Mille (2015), argues that the companies became accessible and denied the reports of
data breaches until investigations were conducted. The fact that there is information that they
refused to comment deeply on the matter immediately and to choose to rely on the studies
indicates that they were accessible, however, did not react swiftly to the crisis. According to
Howard, being available to the reporters is necessary for providing the media with facts.
Therefore, the media initially relied on news from outside sources due to what can be described
as physical accessibility rather than informational accessibility of the companies.
Howard, (2013) further mentions that in times of crisis, organizations should understand
the feeding media needs and establish robust communication with employees. According to his
writings, media reporting on an organization’s crisis requires facts, and it is favorable to give
whatever information available. Contrary to the actions taken by Home Depot, nearly a week
time, the organization kept telling the media there existed ongoing investigation that would
provide reports of a massive data breach. The company later confirmed that its in-store payment
systems were significantly compromised by cyber criminals (Joseph, n.d.). Target Corporation
provided the scope of the breach to the media, according to Janczewski and associate and later
revised through a series of the press release. The response was quite slow as the breach emerged
a week earlier by Krebs on Security. This made the media pick up rumors for reporting that
turned out to be accurate for both the organizations. Moreover, Howard admits that
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
communication with employees provides the best line of defense or offense. As such, top
management should provide frequent updates to help keep the employees from speculation and
spreading the rumors. Home Depot reportedly blamed the employees by indicating that they
relied on the outdated Systematic antivirus software from 2007 and failed to monitor the network
for unusual behavior. Such allegations may not go well with the employees, according to Howard
as it increases media speculation. However, Target involved the employees actively in the crisis
update and mitigation. Target even went further a step to provide employee education and to
inform them of the policies and procedures for protecting sensitive data on corporate and
personal devices.
Furthermore, Howard inscribes that organizations should recognize that incomplete and
at times incomplete media coverage is inevitable during the crisis. As such, Howard advises that
organizations can realistically get facts right and portray the reputation through the media by
being concerned and actively involved in fixing what went wrong. This recommendation was
well applied by both the companies. Target, for instance, provided continuous press release, took
responsibility and offered additional services such as public awareness of education to
cybercrime risks and prevention. Home Depot also is on record providing measures showing
their concern. They released an official press release acknowledging that indeed there was a
breach, accepted the customers from charges resulting from the deceitful transactions and
engaged in high-tech development of security of customers alongside convincing investigations.
Number seven in his recommendations, Howard provides that organizations involved I
crisis should make a plan and employ a wise use of the website during the crisis. According to
him, creating a dark site devolved for areas of vulnerability is essential. Lastly, Howard finds that
understanding that “first beats better” in the mad scramble during the crisis. Therefore, the
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
organization should assist the media keeping the basic facts right by constantly updating the
website. Referring to the scenarios, Home Depot, and Target failed to assist the media initially
making the media depend on rumors. However, immediate measures were taken to remove the
malware that the intruders used to hack their system. There were extra security measures taken
by both the companies concerning website safety including installing launching a retail industry
Cybersecurity alongside Data Privacy Initiative as in the case of Target Corporation.
Lukaszewski, (2013) also echoed his concerns over crisis communication by emphasizing
on the details the organization CEO is obligated to comprehend about reputation risk and crisis
management. First, Lukaszewski advises the organization CEO to remain calm because crisis
communication requires a high level of professionalism from the spokesperson. Essentially, the
organization’s spokesperson should reassure customers and demonstrate confidence and
competence and focus on resolving the issues. Denoting to Target, the company moved swiftly to
apologize to the customers and stated that the business was determined to work very hard to earn
the confidence of the guests back (Janczewski & Colarik, 2008). Furthermore, the company
responded by supporting the customers and strengthening the security. Besides, Target
spokeswoman Molly Synder observed that the company had moved quickly to inform the
customers based on the facts discovered by the complex investigation. Home Depot through their
CEO Frank Blake in the company of spokeswoman Paula Drake insisted on communicating the
facts as the company did not have investigated updates on the situation. However, after the
investigation, the company assured the customers that they had patched any holes, and the
system was safe for the customers to shop.
Secondly, Lukaszewski (2013) provides that companies should coordinate all comments
with the crisis website. While it is undocumented whether the companies created a crisis website,
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
the companies widely used the press media to release the news as most of the customers learned
from the crisis via the media. The companies both insisted on reports from investigations and
stated clearly that they would wait for the complex investigation reports to provide accurate
information. Target, however, hinted the scope of the breach and later revised, something that
angered the customers and created confusion. The fact that the customers of both the companies
learned the data breach over the media, it shows that there was inadequate information
coordination from the comments from various parties. Munson, (2014) writes that all shoppers at
Target learned in December, largely from the media sources and it took one week for Home
Depot to respond hinting that the company never established coordination of the crisis
comments.
Third in the order, Lukaszewski recommends a quick action noting that an action should
be taken between one to two hours. Home Depot and Target acted rather slowly keeping the
media in dark for nearly a week. However, they did comment that the matters were under
investigation and would release an official statement as immediately substantial information is
established. The media was never treated with the utmost quality and professionally as the
companies declined to comment on the matter. While they were within their limits and legal
parameter, it would be essential to provide the information available. Home Depot failed to
provide any matter that could be reported to the shoppers forcing the media to depend on
unconfirmed rumors mostly from Krebs security. Target, however, provided the scope of the
matter which was later revised accordingly. According to Lukaszewski, organizations should
only release the information about the victims after notifying the families and within the
permission of the families. However, this might have never been the case as any specific
individual was named to have been affected. Instea
BREACHES
A Case Study Analysis Target and Home Depot Data Breaches
Name of Student
Institutional Affiliation
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
A Case Study Analysis Target and Home Depot Data Breaches
Introduction
Data privacy and cyber security are real risks to companies: in the wake of data breach,
most employees may be terminated or face personal liability, the company may face regulatory
investigations, multitude lawsuits, disruption of business, fall of stock price, and the reputation
of the enterprise may weaken. Hacking is a serious issue, a potential threat to every computer
system. Cybercrime or internet hacking, according to Computer Crime Research Center Aghatise
E. Joseph is an internet crime committed using a computer as a tool or a victim targeted (Joseph,
n.d.). Notably, it is much challenging to categorize general internet crimes into distinct groups
since most cyber crimes evolve on a daily basis. However, public relations professionals provide
a proportionate procedure of handling internet security crises to restore the company reputation.
It all counts down on trust of the consumers to the company that their personal information will
be safe despite the crisis. Therefore, how companies respond to data breaches can damage or
build the corporate reputation and hard-earned trust. Since data breaches compromises are often
complex, the procedure of making a rapid communications decisions required to curb the
potential harm of the data breach is often challenging.
The situations are often further complicated owing to the reality that every data breach
differs from the other, and there may be no precedent within the organization to respond to the
crisis. The impact of mishandled breach can reach throughout the business both in short and
long-term; lost sales, bad press, litigation and mitigation alongside uphill battle to rebuild the
company reputation. Apparently, most of the breaches involved compromise or theft of
identifiable information, such as addresses, names, and social security numbers. Many
information security professionals will remember 2104 as the year of the big data breaches, and
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
with a good reason. Besides the occurrence of numerous high-profile hack attacks, the year
incorporated various lesser known incidents that nevertheless led to significant theft records,
according to a report by Timothy, (2015). Breach crimes went up to a total of 1, 540 representing
46 percent from the increase 1,056 in 2013.
More importantly, the dramatic rise in data records involved in the breaches that jumped
78 percent from approximately 575 million in 2013 to more than one billion in 2014 (Timothy,
2015). Following the time perspective, in 2014 alone, some 2,803,036 data records were stolen
every day, 116,793 every hour and 1,947 every minute and so on (Timothy, 2015). Despite the
growing interest of technological encryption as a security measure to protect privacy and
information, only 58 percent of the data breach incidents in 2014 representing less than 4 percent
of the total involved that was encrypted in fully or partially. However, beyond the numbers were
the economic, social, and political impacts of the breaches. Some of the big data breaches in the
year 2014 names Home Depot and entertainment company Sony Pictures Entertainment. This
reality- based case study will examine two examples of cyber crime that happen in 2013/2014:
the data breach at Target and the one at Home Depot. This study highlights the strengths and
weaknesses of public relations at Target and Home Depot during their recent data breach crises.
The public relations and marketing plans that Target and Home Depot pursued while they were
victims of cyber crime will be analyzed, followed by communications recommendations that
may help keep an already bad situation from becoming worse. The case study prepares a robust
analysis of data breach crisis response using Target and Home Depot. It identifies the data breach
scenario in the company, their response followed by evaluation and recommendation of data
breach response based on public relations literature.
Problem Statement
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
Cyber attacks make news headlines almost every day these days, essentially, when they
hit global credit card companies, major retailers, and high-tech leaders. Recently, financial data
breaches have exposed a good number of company’s personal information concerning finances,
healthcare, personally identifiable information (PII), and legal issues. The criminal act of cyber
has predominantly been affected by outside hacking computer systems of institutions and the
insiders with or without authorized access to the information. According to Timothy (2015), 78
percent of all records compromised during the initial six months of 2014 were exposed as a result
of the outside hackers. More recently, Target and Home Depot has fallen victims of these
incidences recording huge financial losses. Specifically, Home Depot reported 56 million
customer email addresses and payment cards while Target reported 40 million payment cards and
70 million records of customer names, telephone numbers, addresses, and emails.
The data of small and middle size companies are increasingly being hacked. Target and
Home Depot is considered one of the worst data breaches in history of American data breach
crimes. Cyber security has been named top five global company risks for companies, according
to World Economic Forum. It is reported that the plethora of new hackers opportunities include
mobile device use, increased use of cloud computing and corporate espionage. Despite the
looming cyber threats, according to Timothy, many senior company managers remain denial and
have not been able to put up robust public relations measures to respond to data breaches crises
through professionalized communication strategies. Accordingly, data breaches that result in
compromising of personal information or disclosure of personally identifiable information from
consumers or employees, in particular, can have a significant impact on the company’s bottom
line. Public relations strategies help prepare the companies for a quick response to data breach
scenarios by ensuring proper communication strategy to mitigate the crisis.
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
Background of Data Breach
While there are emerging efforts to promote internet security systems, hackers continue
to poke holes in a number of industries, instigating disorder to both the consumers and the
corporations that trust their information will be protected. Definitely, mishandling of consumer
data and inadequate company safeguards can come at a high price from lawsuits and consumer
mistrust, resulting in devalued company stocks. Primarily, the security data breaches at Target
and Home Depot cost the company approximately $248 million and 3 billion dollars
respectively.
Home Depot Data Breach
Home Depot retail references an American based retailer dealing with home
improvement and product services. The company operates numerous big-box format stores
across the U.S. Mexico and all the ten provinces of Canada. The breach against the United States
based home improvement specialty retailer involved financial access attack that mentions 109
million records and scored 10.0 on the risk assessment scale. This was considered on of the
largest attacks of the year based on the records compromised, Hill (2014) reports. According to
the company official statement, its payment data systems got attacked. Notably, the files that
contained the stolen email addresses never contained payment card information, passwords or
other sensitive personal or private information, the report reads. More specifically, in September
2014, the US home improvement retailer, Home Depot, established it experienced a breach in
security that affected approximately 56 million debit and credit cards in United States and
Canada (Hill, 2014). The data breach criminals used unique, custom-built malware to steal the
account numbers from the point of sale systems of Home Depot. The do-it-yourself retailer owns
and operates 180 stores in Canada and more than 2, 200 in the United States. Reports from Home
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
Depot Company indicated that cyber criminals armed with custom-built malware stole
approximately 56 million cards numbers from the customers from April to September 2014. The
disclosure made the crime the biggest incident card breach on record.
The disclosure that was first released in September indicated that the malicious software
used by the unknown cyber criminals to steal debit and credit cards was mainly installed on the
payment systems in the self-checkout at retail stores. While investigations revealed that the
criminals stole fewer cards in the period of five months breach than they might otherwise. Home
Depot release dated September 18, 2014, through investigations indicated that the cyber thieves
used unique, custom built malware to evade detection. Apparently, the malware had not been
seen previously in other cyber attacks, according to the Home Depot security partners (Home
Depot Security Breach, 2014). It is estimated that the cyber attack put payment card information
at risk for nearly 56 million unique payment debit and credit cards. Hill, (2014) finds that that the
malware is believed to have been present from April to September 2014. Besides, Home Depot
statement established that it had completed a security upgrade that would deter any further
breach of its system in its retail stores in United States and would roll out updated and enhanced
encryption of the stores in Canada. According to Home Depot Security Breach (2014), the
terminals identified with the malware were taken out of service and eliminated from the systems
of the company. Today, the Canadian debit and credit cards have chip technology that protects
the customers. Home Depot subsequently assured the customers that there is no evidence the
cyber criminals gained access to the customers PINs.
Target Data Breach
The Home Depot cyber crime story is no an isolated incident. On December 19, 2013,
United States-based retail giant Target provided a statement indicating that it had suffered a
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
major credit card data breach between November 27 and December 25, 2013. The released
statement confirmed a previous report of the December 18 data breach. A report by In Hardy,
(2014) indicates that Target engaged both the federal law enforcement including private incident
response firm and U.S Secret Service to investigate the nature and scale of the data breach.
However, on December 23, Target suggested that malware installed on point of sale (POS)
terminals provided an edge for the breach, a fact that the statement release of the company
confirmed in early January 2014. However, Target representatives have released little narrative
and technical detail on the attacks, which is often typical for institutions that have suffered cyber
crime incidences.
According to statement released by Target, from November to December 2013,
information on approximately 40 million payment cards, for example, debit, credit, and ATM
cards, and personally identifiable information (PII) on 70 million consumers were compromised.
Reports from the Secret Service indicated that it was investigating the breach and is yet to release
further details. However, the Congressional hearings, the executive vice president from Target
testified that an intruder used vendor access to the system of the company to place malware on
the point –of-sale (POS) registers. According to the testimony, In Hardy (2014) writes the
malware recaptured debit and credit card information before it got encrypted, and this rendered it
more difficult, or rather impossible to read. Additionally, the hacker captured some strongly
encrypted personal information numbers (PIN), according to Burg (2014). The report validates
that it was very unlikely that all the 40 million payment cards that got compromised at Target
could be used in fraudulent transactions. As such, some cards, the report reads would be canceled
before they begin working and attempts to use valid cards were denied by the issuing financial
information. Finally, there were zero attempts to make fraudulent use of the credit cards.
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
According to reports from the media, financial institutions responded to the Target
Breach by issuing new credit and debit cards of their cardholders while others decided to depend
on antifraud monitoring approach. More specifically, Wells Fargo, JPMorgan Chase, and
Citibank replaced their debit cards, rather than credit cards, U.S Bank and Bank of Africa
depending on the detection of the fraud (Geneiatakis, Scheer & European Commission, 2013).
Most currently, Target reported that the data breaches costs 248 million dollar. However,
independent sources made back to back envelope and estimated that it ranges from 240 million
dollars to 2.2 billion dollars in fraudulent charges alone. Yet this is exclusive of the additional
potential costs to consumers concerned about personal information or credit histories; penalties
or fines to Target and financial institutions (Weiss & Miller, 2015). The data breach of Target was
alongside that of Home Depot was one of the numerous cyber crimes in the history of United
States. The concerns of consumers over the Target data breached fueled further congressional
attention on its data security. Therefore, the Congress held seven hearings on six various
committees related to these topics to examine the events surrounding Target breach. The
hearings, according to Weiss and Miller (2015), was predominantly held to ensure improvement
of the data security standards, notifying consumers when their data have been compromised and
protecting consumers’ personal information data.
Case Studies
Target Corporation
Detailed Story of the Target Breach Target data breach dates back to the months of
November and December of 2013 when unknown cybercriminals breached the data security of
the company. Kassner, (2015) indicates that the business confirmed that 40 million debit and
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
credit cards account numbers and details were stolen. Furthermore, in the month of January 10,
2014 the company announced that personal information, including addresses email addresses,
names, and phone numbers of nearly 70 million customers were also stolen during the cyber
crime act. Owing to the testimony of Target vice president and financial executive to the Senate,
a report was released by the committee of Senate that concluded that Target missed opportunities
to prevent the data breach crime. According to Kassner (2015), the November-December
incident involved cyber criminals that successfully collected, staged and eventually exfiltrated
data related to credit and debit payment cards. Notably, a number of finer details remain unclear;
however, quite a few have emerged. Speculations streamed from various reliable sources
maintaining that the security products of Target Corporation never had in place that was
necessary to stop the breach.
Target Corporation involved both the federal law enforcement including the US Secret
Service, and private incident response firm that aided in the investigation of scale and nature of
the data breach. Besides, Target suggested that the malware installed on the POS terminals was
the significant component of the breach as confirmed by the company in January 2014. Target
representatives, however, released little technical detail on the attacks that indicate a downturn in
obtaining verifiable details about the cyber crime (Janczewski & Colarik, 2008). Widespread
speculations have emerged on how the cyber criminals successfully executed the large-scale
attack that went undetected for approximately three weeks. Despite assertions that payment card
companies obligates any enterprise accepting payment card to adhere to the PCI rules
highlighting security of their payment card processing, Target testified that its systems were
reviewed in September 2013 and certified as compliant (Janczewski & Colarik, 2008).
Moreover, the magnetic stripes on the back of United States credit cards are, for instance
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
not encrypted. However, media reports indicate that a malware known as a “memory scraper”
captured information from the payment cards of the customer by reading the memory of the POS
system before it got encrypted (Munson, 2014). In a nutshell, the reports from both the media
and the company provides that an intruder obtained the credentials of a vendor that enabled the
access to the Target vendor billing and invoicing system that escalated the intrusion in the POS
system of target. This allowed the introduction of the malware into target’s POS system, and the
initial warnings about the malware got ignored by the security professionals of the company. As
such, the software of Target was used to spread the malware to virtually all of Targets POS
devices. Besides, the credit and debit cards data were stored in innocuously named files that was
sent to servers outside the system of Target and then on the other servers. Surprisingly, the
warnings about communicating the data were overlooked.
The company estimates that the 40 million payment and 70 million PII data breaches had
at least 12 million people in common, translating to a figure of 98 million as the number of the
affected customers, according to Retail Association (2014). Additionally, the Fazio Mechanical
Services that provided ventilation, heating, and air conditioning (HVAC) services for the
company indicated that it was used to breach the payment system of Target. Accordingly, reports
indicates that a Fazio computer authorized to submit project management and contract billing to
the company reportedly was compromised by the intruders, the report reads. Besides, media
reports provided that Fazio became a victim of phishing email containing the malware that was
used to install other malware on the network of target, including Target’s POS system that
records card transactions and all payments (Retail Association, 2014).
Target Breach Timeline
According to a report by Senate committee on the Judiciary (2014), companies that suffer
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
data breaches due to cyber crimes rarely publish their detailed timelines. However, Target
became an exception to this rule, perhaps because the company senior management was made to
testify before the Congress. Senate committee on the Judiciary (2014), reports that according to
testimony of Target executive vice president and chief financial officer, John J. Mulligan, the
documented significant dates of the crimes are as follows.
The testimony indicates that on November 12, 2013 Cyber criminals or intruders
breached the computer system of Target Company. It is anticipated that the intrusion was
detected by the company security systems, yet the security professionals of Target failed to take
any action until the time the law enforcement of the breach provided a notification (Senate
committee on the Judiciary, 2014). In December 12, 2013, the Senate records, the Department of
Justice (DOJ) provided a notification to Target that there was an apprehensive activity involving
the debit, credit and ATM cards that had been used in the company. On December 13, 2013,
senior officials from Target met with the Department of Justice and the United States Secret
Service for further information on the suspicion. On December 14, 2013, the company hired
external professionals to offer a robust forensic investigation into the matter. On December 15,
2013, Target released a statement confirming that malware had been installed and that most of
the malware had been eliminated.
As time goes by, on December 16 and 17 of 2013, the company provided a notification to
the payment processors and card networks that the breach had indeed occurred (Senate
committee on the Judiciary, 2014). December 18, 2013 the company removed the remaining
malware and in the 19th of December 2013, the company released an official public
announcement of the breach. Later, on December 27, 2013, the company provided further details
relating to the crime adding that the encrypted PIN data had been stolen. Thereafter, on January
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
9, 2014, Target discovered the theft of PII and on January 10, 2014 the company confirmed
through a public announcement that PII had been stolen (Senate committee on the Judiciary,
2014).
Home Depot Case Study
Home Depot is a retail business with 2,266 stores and 79 billion dollars in annual
revenue. Previously, before the hackers intruded into the payment accounts of Home Depot, the
stores in Canada and US, it had suffered to smaller hacks. However, the company confirmed the
major hack on September 8, 2014 nearly one week after credit card data that was linked to its
customers went up for sale on a black-market website, according to (Laasby, 2014). The hack put
56 million cards of the company at risk and more than 40 million Target, breach victims. Internal
documents of Home Depot, according to Laasby, (2014), indicated that the Atlanta-based retailer
had chosen to keep extra measures on security deactivated despite being designed to detect
intrusion of any malicious software in the system. The reports provided in a statement from
Home Depot indicated that the cyber criminals used custom-made software to evade detection,
thus relying on tools that had never been used in account hacking.
Home Depot Customer update on data breach reports that a massive batch of debit and
credit cards belonging to Home Depot went on sale on a criminal internet site that lined the
hackers to Target and P.F. Chang’s. The credit card information got offered on sale a day after the
underground site that had stolen financial information. According to the reports, the breach could
have begun in late April 2014, according to Krebs security reports. Besides, Home Depot
spokesman, Paul Drake, reinstated that there was unusual activity in their software and was
working with the financial partners and law enforcement officials to investigate the matter. The
hackers stolen information from the cards issued by the European financial institutions further
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
confirming that a breach occurred, and that effort were being made for instant notify the
customers (Reingold, 2014). However, Home Depot press never released any specifics related to
the duration the malware was in its systems, the points of sale compromised, and how the
hackers gained access to its networks, according to Reingold (2014). However, rumors leaked
that there may be an insider connection that allowed the hackers to gain access to Window XPe
terminals of Home Depot.
While limited details were provided to the public about Home Depot data breach, sources
familiar with the investigation referenced that the hack never hit the registers of the store. A press
statement later released by Home Depot that outlined the findings of the inquiry of the data
breach confirmed that the criminals used a third-party vender’s username and password to access
the perimeter of the company network. The stolen credentials alone; however, never provided
direct access to the point of sale devices of Home Depot (Egan & Anderson, 2015). Thereafter,
the hackers acquired elevated rights that made them to navigate portions of network of Home
Depot and to deploy unique, custom-built malware on its self-checkout systems in Canada and
U.S. Additionally, the previously disclosed payment card data, the statement reads, separated the
files containing nearly 53 million email addresses that were also stolen during the breach.
However, the statement confirmed that the files never contained passwords and payment card
information or other sensitive personal information.
Home Depot Timeline of Data Breach
The first information on the Home Depot data breach was disclosed on September 2,
2014 that also sought to assure the customers that the used malware was eliminated in both the
stores. Multiple financial institutions reported on September, 7 2014 that they were receiving
alerts from MasterCard Visa about particular debit and credit cards compromised in the breach
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
suggesting that the cyber criminals were stealing from card data from Home Depot, marking five
full days after the data breach news first broke. Moreover, Home Depot acknowledged that on
Monday, September 8, 2014, that it had suffered a breach of debit and credit card involving its
members in Canada and U.S. stores dating back to April 2014 (Egan & Anderson, 2015). Despite
the retail acting swiftly to assure its customers and the financial institutions that there was no
debit card PIN was compromised, reports came that multiple financial institutions have
experienced a steep increase over the previous day in fraudulent ATM withdrawals on the
customer accounts (Home Depot Press Release, 2014).
On September 9, 2014, Home Depot confirmed that a network intrusion has led to the
compromise of its customer credit and debit payment card data for potentially the customers in
the entire unit that shopped at the retailer dating back to April 2014 (Home Depot Press Release,
2014). On that very day, the details started after a well-known security blogger reported that a
large quantity of the stolen cards for the customers started to appear in underground markets.
Home Depot, therefore, on September, 13, 2014 rolled out the encryption project in its U.S. and
Canada stores that was then estimated to be complete early in 2015.
Home Depot Respond
According to Morran (2014), almost a week after security blogger Krebs warned that
Home Depot could be the victim of data breach extending to its U.S. and Canada stores, the
company never confirmed nor denied the breach occurred. While Target made the initial
disclosure to the scope of the breach and later revised them in a series of updates, Home Depot
did not respond swiftly. Despite the cases being different, Home Depot initially denied that no
breach had occurred and in their defense, Home Depot spokeswoman Paula Drake indicated that
they never had any updates on the situation. Therefore, Home Depot waited until they
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
established the parameters of the breach to disclose other details finally. Frequently, the company
released statements aimed at updating the customers on the investigation into the breach in the
payment data system (Morran, 2014). Finally, the company confirmed that hackers stole separate
files containing credentials of the clients, and every effort was made to notify individual
customers that became a victim of the breach. Constantly, the company assured the customers
that they were not liable for the fraudulent charges to their accounts and offered a free identity
protection services such as credit monitoring to the customers that used payment cards at home
Depot from April 2014.
Despite responding a week later, the company provided an initial press release denying
the breach justifying that they had no facts on the breach. However, the company later provided a
detailed report on the data breach, though the company never specified what information was
stolen by the hackers. Also, reports indicated that payment cards had gone up for sale on an
online black market that indicated that they contained adequate data to create a fake card. Home
Depot also failed to provide the timeline of the data breach, however, insisted that the
investigations go back as far as April 2014, according to (Greising & Lisa, 2014). Despite the
mixed feelings over the in the reports, Home Depot stressed that it had closed the leak, and the
malware had been eliminated from the systems. It also moved to assure the customers that it was
working on enhancing security measures and promised further updates of the breach (Greising &
Lisa, 2014). While it never disclosed the specific stores that were affected by the breach, the
company indicated that the consumers were not liable and also warned the customers to be on
guard against phishing scams used to trick people to provide personal information in response to
phony emails.
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
Home Depot acknowledged that the size of the hack made it more likely for the company
to face steep costs. The finance security professionals led by Bill Guard estimated the potential
cost f the fraud to cost as high as 3 billion dollars for the company. Therefore, Home Depot
hastened to assure the investors that it was on the track to meet its target sales in the third quarter.
According to Morran, (2014), the September 18, 2014 news release from the company provided
an estimation of the growth of sales indicating that it would grow by 4.8 percent besides raising
its approximation of third-quarter per share profit to 4.54 billion dollars from 4.52 billion dollars.
The profit estimates, according to Home Depot Press Release, considered the cost of
investigating the data breach, providing credit monitoring services to the customers and as
professional and legal services. Therefore, the company made a pledge that no customer would
be on the hook for any fraudulent charges. However, the company never factored in the losses
related to the breach such as liability on debit and credit cards of the customers as well as from
any civil litigation. Yet, the undocumented costs had material adverse effects on the financial
results of the company in the fourth quarter or future periods.
Target Corporation Respond
Retail Association, (2014) reports that, overall, the company reacted slowly in
communicating the problem to the customers. The security breach of Target, Munson (2014)
writes, fell into horrible timing. The attack happened during the December, a shopping season
that obviously caught the retailers offside. However, the chance to be the first to break the news
was completely in its control, and they waited for seven days after learning about the theft before
alerting the customers. The company, according to John Biggs for TechCrunch, reacted quite
slowly on the breach as Krebs Security provided information a week earlier. This made most of
the customers to learn about the breach from the media rather than from the company itself for
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
the first time. Also, the communication with the consumers was inadequate including the banner
informing the customers of the breach that was too small to see. In essence, there was a
communication breakdown in the response strategy used by Target Corporation and the angry
customers flooded the social media.
Later, when the company released an official report admitting the data breach, the
company first apologized to the customers for the incident and stated that the breach had shaken
the confidence of their guests. Target took responsibility of the guests seriously and indicated
that they had learned from the incident and hopes to make the company more secure for the
customers in the future. Also, the press release of Target documented the timeline and the events
of the breach based on the investigations. Munson, (2014) writes that Target assured the
customers that they were working closely with the U.S. Secret Service and the U.S. Department
of Justice on the investigations to assist in bringing the criminals to book.
Primarily, Target categorically provided information based on their knowledge. This
included the events and the timelines of the events in depth. With reference to protection of the
customers and guests, Target responded by protecting the guests and strengthening the security
system. The immediate actions were documented. Firstly, Target Corporation undertook an endto-end review of the entire network and promised to make security enhancements appropriately.
The company also responded by increasing fraud detection for the Target REDcard guests.
According to Geneiatakis, Scheer and European Commission (2013), the company outlined that
so far, they had not witnessed any fraud on the payment cards as a result of the breach, however,
the statement acknowledged that they ad seen a very slowly amount of additional fraud on the
Target Visa Card. Thirdly, target considered reissuing new Target debit and credit cards
immediately to any customer that requested one and also offered one year free identity theft
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
protection and credit monitoring to the customers that ever shopped at the U.S. Target stores. The
protection, as explained, included free daily credit monitoring, credit report, unlimited access to
personalized assistance from professionals of fraud resolution agent and identity theft insurance.
Furthermore, target informed the customers that they had zero liabilities for any
fraudulent charges accrued on their payment cards due to the data breach incident. According to
the report, Target challenged the customers to consider monitoring their accounts and promptly
alert their issuing financial institution or Target for any suspicious activity. Target’s response also
included accelerating their investment in the chip-enabled technologies for their REDcards and
stores’ POS terminals. The company assured the stakeholders the chip-enabled technologies
would be critical to enhancing customer protection. Target also responded by initiating a creation
of 5 million dollars investment in campaign with Better Business Bureau, the National Cyber
Forensics, and Training Alliance, and the National Cyber Security Alliance to advance public
awareness and education about cyber security and the dangers of consumer scams (Kassner,
2015).
Earlier, Target had launched a retail industry Cybersecurity and Data Privacy Initiative
that was seen as a response to emphasize in informing the public dialogues alongside providing
an enhanced practices pertinent to improved payment security and consumer privacy and cyber
security. The report touched on their response in investing in security measures that included
firewalls, intrusion detection and prevention capabilities, malware detection software, and data
loss prevention. In an effort to assure their customers of the future security, the moving forward
slogan in their response, Target called for teamwork and updating payment card technology and
strengthening protections for the consumers. In a nutshell, the company launched robust public
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
relations counterattack based on daily news briefing and flurry of statements and photos
designed to show the company was aggressively responding to the data breach crisis.
Data Breaches against Expert Recommendations
If a company experiences a huge crisis, there is no shortcut: the companies will definitely
suffer and without elaborate strategies the company might never be the same again. The point of
debate holds that instead of responding to a crisis as a defeat, the company should recognize the
fact that it is another opportunity window and find the best approach out of the crisis, essentially,
with its brand image and reputation intact. Therefore, numerous public relations experts have
echoed their recommendations to companies that become victims of the crisis.
In his book, “Public Relations Strategies and Tactics” Wileox suggests various
mechanisms of communicating during a crisis. According to Wileox (1988), a company should
designate a single spokesperson that should be someone trusted by the media and who has
authority to speak on behalf of the organization. Wileox recommends that company’s top
executive is often best spokesman. Secondly, the organization management should remain
accessible and provide after-hours phone number, respond positively to media calls, and become
open to questions. Also, if the question is sensitive and might sabotage investigations, it is
essential to mention. Accordingly, these recommendations promptly match the events that
occurred in both Target and Home Depot during the crisis. Especially, Home Depot insisted that
it could not provide other sensitive details concerning the timelines of the data breach as the
matter was under investigation. Besides, both the companies communicated, though late, to the
public through the press release that was read by their respective executives. Additionally, Target
officials provided the scope of the data breach, and even remained accessible including
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
appearing before the Senate to testify on the crisis. While both companies responded late to the
crises, they relied on investigations and later provided daily news updates, Afterhours phone
number. Target, for instance, remained accessible to the media and even responded to interview
when they were requested to do so. For example, Target had an interview with Bulls Eye press
that also tackled the questions that were asked by the public.
Wileox further reinstates that companies in crisis should monitor news coverage and
telephone inquiries including establishing the media reports on the crisis and compare with the
organization’s view. Also, the organization should be familiar with the needs and deadlines of the
media and provide timely information to meet both the print and broadcast deadlines. Wileox,
(1988) recommends that the organization should communicate with the key public, employees,
government agencies, the investment community, officials and focus on their relations with the
media. Primarily, some of these principles did not go well with the companies. Firstly, they both
responded late a week after the events. Target, for instance, responded a week late making the
media rely on rumors to report to the public. Besides, the company never responded to the media
allegations positively insisting that there was no such breach until one week after the event.
Reports even circulated in the media indicating that there were Target credit cards being sold in
online credit market that could be used for fraudulent transactions.
Similarly, Home Depot denied access to the customer payment cards contrary to the
media reports that some indeed the intruders accessed the payment cards. These assertions
indicate that the companies never remained familiar with media needs. However, the companies
both communicated amicably to the public by telling the truth based on their knowledge and
investigations. Also, they got in contact with relevant investigative bodies to assist in validating
the matter. Especially, target involved the U.S. Secret service and U.S. Judicial Service
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
Commission in their investigations (Janczewski & Colarik, 2008). Lastly, both companies
provided frequent updates to the customers and the public over the findings of the investigations.
Wileox, (1988) further mentions that organizations should take responsibility for solving
the problem though must not admit or deny guilt. Also, they should set up an information center
for information updates, and provide a constant flow of information. Wileox writes that an
organization in crisis can only build credibility by addressing bad news quickly, and when the
information is withheld, the cover-up becomes the story. With reference to Target, the
organization stated explicitly that there is no customer that would be liable for the charges
resulting from the fraudulent transactions. The organization offered to take full responsibility and
went ahead to provide free security monitoring and credit and debit cards for any customer that
demanded. Similarly, Home Depot took full responsibility and provided all the customers that
had been shopping in their retails from April with new credit and debit cards.
Also, Home Depot reinstated that no customer would be liable for the charges resulting
from the fraudulent use of their payment cards (Janczewski & Colarik, 2008). Based on a
constant flow of information, both the organizations reacted slowly to the crisis providing formal
press release a nearly a week after the crisis. Despite justifying their late response by not relying
on rumors, after the initial investigations, both companies provided continuous update for the
customers over the investigation validations. However, Home Depot and Target failed to
establish an information center for providing information updates. Rather, the companies rushed
to technological responses including creating chip-enabled technologies to protect the customers.
Referring to Howard (2013), in his book, “On Deadline Managing Media Relations”, an
organization should know who has the information. According to Howard information, exists in
the department, public, and federal state organizations. Krebs security initially broke the news of
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
the data breach, though it is not clear whether the companies identified specific individuals with
the information, they both indicated that their security systems detected unusual activity in their
software. Also, organizations should be accessible and monitor the media. Similar to the
recommendations outlined by Wileox (1988), Home Depot, and Target remained available and
even attended to interview questions from the media. While the literature remains mixed, Eric
Weiss and Mille (2015), argues that the companies became accessible and denied the reports of
data breaches until investigations were conducted. The fact that there is information that they
refused to comment deeply on the matter immediately and to choose to rely on the studies
indicates that they were accessible, however, did not react swiftly to the crisis. According to
Howard, being available to the reporters is necessary for providing the media with facts.
Therefore, the media initially relied on news from outside sources due to what can be described
as physical accessibility rather than informational accessibility of the companies.
Howard, (2013) further mentions that in times of crisis, organizations should understand
the feeding media needs and establish robust communication with employees. According to his
writings, media reporting on an organization’s crisis requires facts, and it is favorable to give
whatever information available. Contrary to the actions taken by Home Depot, nearly a week
time, the organization kept telling the media there existed ongoing investigation that would
provide reports of a massive data breach. The company later confirmed that its in-store payment
systems were significantly compromised by cyber criminals (Joseph, n.d.). Target Corporation
provided the scope of the breach to the media, according to Janczewski and associate and later
revised through a series of the press release. The response was quite slow as the breach emerged
a week earlier by Krebs on Security. This made the media pick up rumors for reporting that
turned out to be accurate for both the organizations. Moreover, Howard admits that
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
communication with employees provides the best line of defense or offense. As such, top
management should provide frequent updates to help keep the employees from speculation and
spreading the rumors. Home Depot reportedly blamed the employees by indicating that they
relied on the outdated Systematic antivirus software from 2007 and failed to monitor the network
for unusual behavior. Such allegations may not go well with the employees, according to Howard
as it increases media speculation. However, Target involved the employees actively in the crisis
update and mitigation. Target even went further a step to provide employee education and to
inform them of the policies and procedures for protecting sensitive data on corporate and
personal devices.
Furthermore, Howard inscribes that organizations should recognize that incomplete and
at times incomplete media coverage is inevitable during the crisis. As such, Howard advises that
organizations can realistically get facts right and portray the reputation through the media by
being concerned and actively involved in fixing what went wrong. This recommendation was
well applied by both the companies. Target, for instance, provided continuous press release, took
responsibility and offered additional services such as public awareness of education to
cybercrime risks and prevention. Home Depot also is on record providing measures showing
their concern. They released an official press release acknowledging that indeed there was a
breach, accepted the customers from charges resulting from the deceitful transactions and
engaged in high-tech development of security of customers alongside convincing investigations.
Number seven in his recommendations, Howard provides that organizations involved I
crisis should make a plan and employ a wise use of the website during the crisis. According to
him, creating a dark site devolved for areas of vulnerability is essential. Lastly, Howard finds that
understanding that “first beats better” in the mad scramble during the crisis. Therefore, the
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
organization should assist the media keeping the basic facts right by constantly updating the
website. Referring to the scenarios, Home Depot, and Target failed to assist the media initially
making the media depend on rumors. However, immediate measures were taken to remove the
malware that the intruders used to hack their system. There were extra security measures taken
by both the companies concerning website safety including installing launching a retail industry
Cybersecurity alongside Data Privacy Initiative as in the case of Target Corporation.
Lukaszewski, (2013) also echoed his concerns over crisis communication by emphasizing
on the details the organization CEO is obligated to comprehend about reputation risk and crisis
management. First, Lukaszewski advises the organization CEO to remain calm because crisis
communication requires a high level of professionalism from the spokesperson. Essentially, the
organization’s spokesperson should reassure customers and demonstrate confidence and
competence and focus on resolving the issues. Denoting to Target, the company moved swiftly to
apologize to the customers and stated that the business was determined to work very hard to earn
the confidence of the guests back (Janczewski & Colarik, 2008). Furthermore, the company
responded by supporting the customers and strengthening the security. Besides, Target
spokeswoman Molly Synder observed that the company had moved quickly to inform the
customers based on the facts discovered by the complex investigation. Home Depot through their
CEO Frank Blake in the company of spokeswoman Paula Drake insisted on communicating the
facts as the company did not have investigated updates on the situation. However, after the
investigation, the company assured the customers that they had patched any holes, and the
system was safe for the customers to shop.
Secondly, Lukaszewski (2013) provides that companies should coordinate all comments
with the crisis website. While it is undocumented whether the companies created a crisis website,
A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES
the companies widely used the press media to release the news as most of the customers learned
from the crisis via the media. The companies both insisted on reports from investigations and
stated clearly that they would wait for the complex investigation reports to provide accurate
information. Target, however, hinted the scope of the breach and later revised, something that
angered the customers and created confusion. The fact that the customers of both the companies
learned the data breach over the media, it shows that there was inadequate information
coordination from the comments from various parties. Munson, (2014) writes that all shoppers at
Target learned in December, largely from the media sources and it took one week for Home
Depot to respond hinting that the company never established coordination of the crisis
comments.
Third in the order, Lukaszewski recommends a quick action noting that an action should
be taken between one to two hours. Home Depot and Target acted rather slowly keeping the
media in dark for nearly a week. However, they did comment that the matters were under
investigation and would release an official statement as immediately substantial information is
established. The media was never treated with the utmost quality and professionally as the
companies declined to comment on the matter. While they were within their limits and legal
parameter, it would be essential to provide the information available. Home Depot failed to
provide any matter that could be reported to the shoppers forcing the media to depend on
unconfirmed rumors mostly from Krebs security. Target, however, provided the scope of the
matter which was later revised accordingly. According to Lukaszewski, organizations should
only release the information about the victims after notifying the families and within the
permission of the families. However, this might have never been the case as any specific
individual was named to have been affected. Instea