target data breach case study 10242014


Upload: joseph-white-mpa-cpm

Post on 12-Apr-2017

Page 1: Target Data Breach Case Study 10242014

Joseph White

Dr. Brown

Leadership in the Digital Era

October 22, 2014

Data Breaches: Target gets hit on the bull’s-eye

Data breaches can create substantial problems in today’s global work and personal

environments and continue to pose a huge risk to people from all walks of life. A data breach is

an intentional or unintentional release of secure information to an unsecure environment. Data

breaches can be used to obtain personal information and financial information from people,

government institutions, educational institutions, and private businesses.

After the data breaches, the unsecure information can be sold to black-market third parties

for financial gain, used to blackmail people, sold to government and business competitors, used

to withdraw funds from bank accounts, or used to set up fraudulent accounts with other people’s

data.

The Target Corporation, NYSE: TGT, which is headquartered in Minneapolis, MN, was

attacked by internet hackers between November 27, 2013 and December 15,

2013. On December 19, 2013, the retail business made its official media release that its Point of

Sale operating systems had been contaminated by malware causing the release of over 70

million financial records. This retail chain has over 1,400 store locations that span across the

United States, and is second only to Walmart in consumer retail sales. This news created a

nationwide panic from shoppers who had used their debit and credit cards at Target during this

time period. Similar to a health outbreak that touched all corners of the country, this data breach

was a financial thunderstorm that had the possibility of affecting millions of honest Americans.

In order to properly describe this case in full clarity, I will first describe the steps to deter

a data breach, then describe the nature of a generic information technology data breach, and

follow with a dive into the specific events and numbers of the Target case. I will conclude with

establishing a correlation between digital leadership and how it can shape the approach and

resolution of data breaches.

First, whenever an organization forms, it preferably will have multiple employees, with

multiple technical devices. In order to consolidate information and secure a hub for all devices

to link to, an organization will invest in a server. This server will house the databases for the

organization’s information, records, procurements, personnel, business strategies, and anything

else the organization touches. This server system can also store the websites, browser history,

telephone connections, and any other telecommunications applications.

Second, in order to get all the organization’s devices on the same page, a network has to

be formed to allow linkage from the organization’s information to the people who utilize it. This

network can be through cables directly attached to the server and into a wall, or it can be

wirelessly generated into a specific area. With the increasing demand for mobility, organizations

are often issuing smart devices for people to remotely access the network for information.

As the reader can guess, with every step in this infrastructure build out, information

security becomes more difficult, complex, and expensive to manage. A laptop

without internet access on a desk at home is very secure. As you connect more computer

devices to that initial device, the security risk increases. Add in a few internet browsing services,

and a few software downloads, and the risk increases substantially. Couple the internet access with

wireless entry, and an organization now has a very vulnerable infrastructure.

By this point in the explanation, the reader must be wondering what steps an organization

can take to protect its valuable assets from theft. A basic step that most computers come with

initially is a system access point with password or fingerprint entry. This requires the end user to

have specific knowledge that grants them access to the device. Similar

to a door with a lock, the entering party must possess a key to get through the initial barrier.

Afterwards, an organization can place parental or administrative barriers on what an end

user can view. Similar to TV restrictions decades ago, where certain channels were blocked

from children, the same theory applies to computer users. A network administrator may block

certain email sites, social media sites, websites, or downloads from touching the operating

systems, software, and hardware.

This level of tier 1 security works great for data breach prevention from most thieves.

However, as criminals’ intelligence increases, the level of security must follow suit. The next

level of security that an organization can develop to protect its information technology

infrastructure is a firewall. A firewall is a gatekeeper device that prevents certain IP addresses,

emails, and downloads from touching a server, an operating system, a hard drive, or a software

application. To be technically specific, the firewall inspects individual data packets for

specific codes. If the data codes are within the acceptance criteria of the network, then the data

may pass. However, if the data code is suspicious, the entrance may be blocked. As firewalls

progress, they may now identify information via the sender, the website, the software, or other

protocols. Firewall devices were developed in the 1980s during the early years of the World

Wide Web. As technology advanced, firewalls became increasingly important, and began to

come standard with most operating systems, modems, and software applications. But similar to

door locks and car ignition panels, there are always ways to crack even the best locks.

Now that the deterrent security side of information technology has been explained in

basic terms, it is time to explain why these security checks are put in place. Criminal

organizations have similar departments that operate like a legitimate line of business. Where a

government body has a technology team to combat cyber-attacks and fraud teams to combat

financial crime, criminal organizations have teams that create plans to steal funds and collateral,

as well as develop malware applications to attack computers and other technical devices. It is

appalling to think that organizations operate in this nature, but it is a realistic threat that

governments, schools, and businesses spend billions of dollars to combat every year.

The most common way that a criminal can attack an individual’s or organization’s

technology is through the creation and implementation of malware. Malware, short for

malicious software, is any software used to disrupt computer operation, gather sensitive

information, or gain access to private computer systems. Anyone who has owned a computer in

the past 15 years has had to deal with malware in one form or another. Whether it be a software

application that intentionally freezes a computer, adware that displays annoying messages on

your web browser, or a Facebook email distribution virus that steals your contact information,

malware is a serious threat that affects the productivity and availability of the global workforce.

Many people believe that new versions of computers, websites, software, and phones are

created to increase sales or handle faster download speeds. However, many implementations and

patches are created solely for the purpose of data breach and malware security. If a person stops

and thinks for a minute, hackers and criminals are constantly finding ways to disable property and

steal information every year. It is crucial for organizations to stay one step ahead of the hackers

to maintain a secure and functional organization. If a business knew a bank did not have the

most up to date security software to protect their money, would they trust their account with

them? The answer is no. If a person knew that their smartphone’s text messages were

susceptible to data breaches from outside eyes, would they fear sending some information over

the phone? Yes, the person would. These kinds of fears are exactly what stop people from

taking positive action and allows the criminals to take what they want.

Malware can attack a computer or network in many ways because there are several

different types. The first type is a virus, which is a malware program that, when executed,

replicates by inserting copies of itself into other computer programs, data files, or the boot sector

of the hard drive. After inserting itself into files, it can slow computer speeds, erase data, display

annoying messages, or shut down important computer functions. The term virus is used because

it continues to replicate itself and damages everything that it touches.

The second type of malware is a Trojan horse. A Trojan horse is a malicious application

that displays itself as something that it is not, with the intent of having the computer system

accept it as legitimate and having the user install it for purposes other than what it will do. Trojan

horses are the most common form of malware, and are installed on computers through

downloads and emails every day. If a person has negative issues with performance of their

operating system or web browser, then most likely, they have downloaded a Trojan horse that

needs to be deleted.

After the installation of a malware application, this program may take additional actions

on a computer or server to conceal its identity. Rootkits are techniques that change the operating

system to stop the user from seeing or deleting the malware. Because of rootkits, hard drives

may need to be wiped, or software applications may need to be completely deleted and reinstalled.

Another malicious tactic of malware is the creation of a backdoor within the firewall or

computer network. This backdoor allows for re-entry of computer viruses, Trojan horses,

adware, spyware and other forms of computer hacking. Whenever an information security

threat has been realized, the investigators must always look for evidence of a backdoor event and

close up all gaps and risks.

Moving on to the case at hand, the Target Corporation, which has operated as one of the

United States’ largest retail businesses, was attacked by hackers between

November 27, 2013 and December 15, 2013. This time period just happens to be the busiest

time of the year for retail stores, due to the surrounding holidays of Thanksgiving and Christmas.

As knowledge was gathered, word was released unofficially on December 18, 2013 that there

was a data breach at Target. On December 19, 2013, Target executives made the official

notification to the press that a data breach had occurred and that its employees were too late to

stop the theft.

As the case began to be investigated internally and externally, the number of

customers impacted went from an initial 40 million to 70 million, and eventually to 110 million

people. The Target Corporation then sent out a communications letter to its customers explaining

the crime. The communications letter informed the public that Target would financially assist

with consumers’ credit checks, account reactivations, and credit card reissuing. Target had to

save its reputation at all costs, and because of this lapse in information systems security, it was

going to cost the company millions.

In mid-January of 2014, Target confirmed that malicious software had been uploaded

into its Point of Sale operating systems at all of its stores. The malicious software was

eventually traced back to Russia, where software developers had created a malware package and

had sold it to roughly 60 black market criminal organizations within the European Union.

The malware operated on the Windows operating system and would scan the credit card

data, extract it, and send it via FTP. The exact location that the data

was sent to is unknown, but it has been confirmed that the data is being sold in batches across the globe.

There have been several arrests in this case. Criminals have been taking the stolen credit

information and attempting to open accounts or clone the original credit cards to make purchases.

Federal authorities and banking representatives have been monitoring the reported credit card

accounts for activity and are making great strides to work their way back to the original dealers.

To give a brief description of the specific malware that was used in this case study, it is

best to start from the origin. The Point of Sale malware went into testing in February of 2013.

The unofficial title of the malware was “Dump CC Memory Grabber”, and it went on sale shortly

after that. As discussed earlier in this case, the malware was a POS Trojan horse.

The official name of the malware was “Kaptoxa-Rescator” which was named after the

Russian application developer that weaponized the software for evil purposes. The technical

way that the malware worked was as follows:

1. The malware would disable Target’s internal network firewall.

a. The malware would create an auto run entry to start up at the boot of the POS.

2. The malware would infect the POS system upon execution command.

3. The malware would then begin to scrape the credit card data from the data files.

a. Tracks 1 and 2 (User name, PIN Number, Account Number)

4. The malware would then save the credit card data to a .dll file and prompt it for transfer.

5. The malware would then establish a share for the file to load into for delivery.

6. The malware would then send the share as a text file from the internal server at Target to

the criminal’s server offshore.
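
The behaviour sequence listed above, turned into a defender-side correlation check over endpoint and network events. This is an added example, not part of the original paper; the log format, host names, allowlists and thresholds are hypothetical, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. The line format
# "<timestamp> <host> <event> key=value ..." and every name in it are hypothetical.
SAMPLE_LOG = r"""
2013-11-27T02:10:05 pos-0412 firewall_state profile=domain enabled=false
2013-11-27T02:10:09 pos-0412 autorun_added name=svcupd path=C:\Windows\svcupd.exe
2013-11-27T09:15:40 pos-0412 file_write path=C:\Windows\System32\cache.dll writer=svcupd.exe
2013-11-27T09:20:00 pos-0077 file_write path=C:\POS\bin\receipt.dll writer=msiexec.exe
2013-11-27T13:00:02 pos-0412 share_mapped remote=\\10.20.0.15\drop user=svc_backup
2013-11-27T13:05:30 srv-stage1 net_conn dst=203.0.113.50 dport=21 proto=tcp
2013-11-27T13:06:00 srv-patch net_conn dst=10.20.0.9 dport=21 proto=tcp
""".strip()

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address range
TRUSTED_WRITERS = {"msiexec.exe"}                      # assumed installer allowlist
POS_PREFIX = "pos-"                                    # assumed POS host naming scheme


def parse_events(text):
    """Turn log lines into dicts holding ts, host, event and the key=value fields."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        events.append({"ts": datetime.fromisoformat(parts[0]),
                       "host": parts[1], "event": parts[2], **fields})
    return events


def classify(ev):
    """Map one event to a stage of the behaviour list above, or None if benign."""
    kind = ev["event"]
    if kind == "firewall_state" and ev.get("enabled") == "false":
        return "firewall_disabled"                     # step 1
    if kind == "autorun_added":
        return "autorun"                               # step 1a
    if (kind == "file_write" and ev.get("path", "").lower().endswith(".dll")
            and ev.get("writer", "").lower() not in TRUSTED_WRITERS):
        return "dll_staging"                           # step 4: data hidden in a .dll
    if kind == "share_mapped":
        return "share"                                 # step 5
    if kind == "net_conn" and ev.get("dport") == "21" and "dst" in ev:
        try:
            dst = ipaddress.ip_address(ev["dst"])
        except ValueError:
            return None                                # unparseable destination
        if not any(dst in net for net in INTERNAL_NETS):
            return "ftp_egress"                        # step 6: FTP leaving the network
    return None


def detect(text, window=timedelta(hours=24), threshold=3):
    """Alert on any external FTP, and on POS hosts showing >= threshold
    distinct stages inside one time window."""
    alerts, per_host = [], defaultdict(list)
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is None:
            continue
        if stage == "ftp_egress":
            alerts.append({"host": ev["host"], "rule": "ftp_egress", "detail": ev["dst"]})
        elif ev["host"].startswith(POS_PREFIX):
            per_host[ev["host"]].append((ev["ts"], stage))
    for host, seen in per_host.items():
        for start, _ in seen:
            stages = []
            for ts, stage in seen:
                if start <= ts <= start + window and stage not in stages:
                    stages.append(stage)
            if len(stages) >= threshold:
                alerts.append({"host": host, "rule": "pos_chain", "detail": stages})
                break  # one alert per host is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

No single event here is conclusive on its own; the POS rule fires only when several stages cluster on one register, while outbound FTP to a non-internal address is treated as alert-worthy by itself.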

The initial asking price of the malware was outrageous, in the eyes of the black market

community. So like most businesses, the malware company created three separate platforms for

different business needs. The first platform was the budget version. This version cost criminals

1,800 USD, and did not have an encrypted log. There was also no support for this software. The

second version cost criminals 2,000 USD, but came encrypted and offered helpdesk support. The

final version was sold for 2,300 USD and offered all the features above, but also installed updates as

they were patched out. Obviously, many criminals saved up their funds and purchased the

malware from the Russian creator and began staking out easy “targets”.

After the crime had been reported, federal authorities eventually worked their way back

to the POS malware dealer and began to monitor his communication channels. As more retail

stores began to get hit with this hacking software, more buzz around underground chat rooms

became apparent. Authorities began making arrests for the outlawed software, and began

monitoring people discussing the malware, similar to terrorist groups.

Once the criminal organizations that stole Target financial information finished their

hacking, they began to sell the stolen credit card account information in “dumps”. Each “dump”

was sold at a price ranging from 15.00 to 60.00 USD per card. The criminals were even nice enough

businessmen to replace card numbers of deactivated accounts with accounts that were not

deactivated.

Now that the actual cyber-crime has been explained, it is time to shift to the response

tactics of the business and customers. The Target Corporation immediately deleted the malware

Trojan horse. It then swept the network for the entry and backdoor that the malware used to

enter the network. Some experts have guessed that the data breach was created through the vendor

portal. Like many other data breaches, the cyber hackers used the portal page that many external

contractors use to enter the Target Corporation network. Not to be confused with the official

Target public website, www.target.com, the vendor intranet portal information could be

accessed from a stolen company laptop or smartphone.

The business then began external damage control, by reaching out to various financial

institutions to explain the situation, and setting up legal negotiations and payment plans for the

costs incurred with account deletion and modifications. Experts have estimated the costs to the

Target Corporation to be over 110 million dollars. Many financial experts have forecasted the

end total to be well over 1 billion dollars, when technical and legal costs are concluded.

From an internal damage control standpoint, the company image took a huge hit.

The share price per unit dropped by 25%, to 75 cents on the dollar. Target was open with

the public, and acknowledged the fact that the company did have some fault in this criminal

matter. There was time and knowledge that this malware had been on the market since February

of that year, and Target failed to test gaps for possible threats. Due to the lack of awareness and

preparedness, the corporation’s former chief executive, Gregg Steinhafel, resigned in May of

2014.

From a risk mitigation standpoint, the Target Corporation did have financial insurance

measures in place to help reduce the burden. Insurance policies paid out over 38 million dollars

in fees to assist with the damage control.

Now to shift from the response tactics of the organization, to the long term scope and

business direction that was impacted, Target had numerous problems going forward. With such

a hard hit to its image, the company’s plan to operationalize over 100 stores in Canada fell

through due to customer anxiety about purchasing goods from their stores.

“While the environment in both the U.S. and Canada continues to be challenging, and

results aren’t yet where they need to be, we are making progress in our efforts to drive U.S.

traffic and sales, improve our Canadian operations and advance Target’s digital transformation,”

Mr. Mulligan (Target CEO) said to the New York Times.

Target also decided to close several of its stores in locations across the country. By

cutting overhead, the costs may have been reallocated to other portions of the business,

including the millions that were to be invested in their technology infrastructure. After this detailed

explanation of events, it is astounding how one malware tool, that cost a criminal 2000 USD to

purchase, will wind up costing a major corporation millions of dollars, hundreds of jobs, and

raise merchandise costs for the common customer. It is because of cases like this that

leadership needs to be instituted in this new digital era, and leaders need to be prepared to

handle data breaches at both a proactive and a reactive level.

Leadership in the digital era is a very complicated topic for many reasons. The first

reason that comes to mind is the untraditional nature of knowledge and power possession within

this new era. To many people within the business, education, and government environments, the

more knowledge that a person possesses, the more power a person has. In a traditional

organizational model, the people at the top are the most experienced, most senior, most

knowledgeable, and the most mature people within the organization. This model works and has

worked great for accounting firms, lending firms, service firms, goods and merchandise

companies, and government organizations. As people age and mature, they gain knowledge that

can help their organization make better decisions and defend against risk and opposing groups.

However, due to the increase in technology needs within organizations for its speed,

accountability, uniformity, and memory storage capabilities, organizations must rely on an

entirely new generation of leaders to leverage systems to obtain their goals. As technology

changes and adapts, younger employees become increasingly more valuable due to their

educations, ability to adapt to change, and their technological upbringings. Similar to a

grandfather explaining to a grandchild how a rotary phone worked, grandchildren are now

explaining how a Wi-Fi connection works on a cellphone to their grandparents. This is a huge shift

in leadership dynamics, and can affect the ways families and organizations interact with each

other.

Major organizations are now being forced to give power, leverage, decision making,

executive status, and stock options to employees that have not even turned 30 years old. People

in their late forties are being passed over for promotions and jobs, for people that possess

technical experience and capabilities within the digital era.

This new style of conducting business creates both opportunities and problems for both

young leaders and older advisors. As young people educate themselves and live their lives, they

mature mentally and physically. Because of this lack of life experience, and lack of mental

experience, they are prone to emotions, rash decision making, favoritism, short term thinking,

and over thinking simple situations. These types of behaviors are frowned upon in most

organizations and tend to lead towards failure in the long run. This is why most managerial

strategy positions are appointed to people of middle age and experience.

By maturing through life, senior leaders have experienced all these behaviors, and have

learned from their mistakes. Senior leaders tend to think more than speak and move. They tend

to be more thorough with their work and decision processes. They also use more logic and

reasoning with decisions, rather than emotion and social politics. These traits are all necessary to

make strong and righteous leadership decisions.

But with every set of risks lie opportunities. With a youthful mind, a junior leader is

more prone to creativity, to ask “why” and “why not”, and to think outside the normal lane of

operations. Because of this style of thinking, innovations are created every day that make our

lives easy to manage. Because of free and innovative thought, that grandfather’s rotary phone is

now a mobile computer that can send a FaceTime conversation to the other user. It is amazing

what a young mind can imagine and create. Traditional organizational models are being

outsmarted and out produced by younger, smarter, faster, and open minded professionals that are

thinking outside the box. To be fair, tradition is tradition for a reason. Most people that deviate

from the norm, will fail and be drawn back to the middle. However, little by little, through

youthful, risk taking, and motivated mindsets, junior leaders are shattering common beliefs and

new ways of life and organizational management are becoming known every year.

This leadership trend was not just created recently, but held back during recent years for

numerous reasons including: war, financial depression, health, and cultural movements. Prior to

the United States’ birth, young leaders including Christopher Columbus, Moses, and Leonardo

da Vinci traveled across oceans that were on the edges of cliffs, looked up into the stars at a

universe that revolved around our planet, and traveled to new lands that were not thought to have

existed. Humankind is drawn to innovation and risk, the thrill of possible victory, and

expanding the way our minds conceive life. Technology has been, and will continue to be the

next frontier of human exploration. Because of this theory, our society needs youthful leaders to

step up and take calculated risks, while using the logic and reasoning that an older and wiser leader

would rely on.

A second digital leadership issue that should be discussed is the leader’s ability to adapt

to change. Leaders can lead through numerous means, and have several different ways to obtain

objectives. Rather than focus on the way to drive to these objectives, it is time to focus on the

reality that final objectives are constantly changing. A strong leader can always head from point

A to point B. This is a simple way to conduct business, and is great for smaller sized

organizations and businesses. Unfortunately, in today’s world, organizations are merging

together to provide better products and services, which causes the level of process complexity to

increase substantially.

Instead of going from point A to point B, a leader now must go from A to B, to G, back

to C, decide between J and T, etc. Each decision could affect the success rate of their operations,

and each decision must be able to be flexible to change.

There is an old saying that is passed from person to person that states “In man’s quest for

survival, it is not the strongest or smartest that survives, it is the one with the ability to adapt to

change”. This is incredibly true in regards to leadership in the digital era. Technology changes

every year, every version, every implementation, and with every person that touches it. If a

leader wants to continue to lead, he or she must accept the fact that technology is a necessity to

successful leadership. Whether making a phone call, or emailing a document, leaders must be

able to do, or at least understand the concept of what actions are being taken to achieve their

objectives. They also must be able to think ahead of the game, and make preparations to the

upcoming changes in digital technology. Setting up phone lines, email accounts, firewalls,

servers, remote routers, laptops, software systems, or social media sites are all aspects of

successful digital organizations. A leader must be able to understand and speak to the fact these

functions must be created, maintained, upgraded, and protected on a weekly, monthly, and

annual basis.

A final digital leadership topic that needs to be understood and executed is the

methodology of aggressing forward by using a strong defense. Successful organizations and

successful people all must deal with constant threats to their prosperity. Humankind can be

very malicious and jealous toward people and groups that are on the rise in our global society.

Great leaders understand these emotions and actions and prepare their defenses from their

oppositions. Opposing groups can be titled or labeled as criminals, activists, competitors,

politicians, former employees, or even colleagues. Depending where a person stands on

particular issues, anyone could fall into one of these categories. Leaders of organizations must

be able to identify potential threats to their technical infrastructure and their IT personnel. Once

these threats have been identified, quantified, and prioritized, mitigation strategies must be

formed. A digital leader must be able to combat the risk through insurance policies, target

hardening procedures, employee training, constant communication, risk allocation, and risk

acceptance.

Setting up network firewalls, passwords, securing documents, wiping hard drives, and

most importantly keeping up with technical innovations are the best ways to prevent leadership

opposition from gaining ground on the organization or slowing progress toward objectives. Most

leaders are not valued and looked up to for their work during times of ease and tranquility. Most

leaders are made famous by how they respond to stress, problems, controversy, criticism, and

failures.

A great way for digital leaders to prevent risk or harm to their groups is to establish risk

management programs, regulatory programs, business innovation groups, and to keep the best

talent on staff to combat external forces. By giving specific people the responsibility of risk

prevention, they will put extra time into studying materials and staying current with new

problems that plague the globe. In addition, compensating employees for their time and work

will keep the best and brightest within your organization. Incentives like free dinner, bonuses,

vacations, and raises all keep employees’ eyes open and on their toes. Leading an organization

is like driving a car. A person can be a professional racecar driver, but if he didn’t invest in new

tires or brakes, the driver will eventually fall into some problems. By investing in preventive

measures and staying aware of your present and future environment, a leader can stay focused on

their future direction and their current objectives.

By incorporating the Target Corporation Data Breach case into these digital leadership

topics discussed above, the reader can begin to see what could have been done to prevent this

crime from occurring, and what can be done to stop this problem from happening again.

Placing myself in the shoes of the Target Corporation’s CIO, I would have

played my cards as follows. Knowing that technology is constantly changing, and malware is

always adapting to antivirus protection, I would have established accountability and risk

prevention by creating a unit that strictly monitors the creation and selling of new malware tools.

The tool that attacked Target had been created months ahead of time. This time period could

have been used to create a new firewall code to identify and disable the Trojan horse from

entering the system.

In addition to technology insurance, I would have created a relationship and a contract

with a high level, high priced, and consumer recognized information security firm, in order to

monitor and more importantly, mitigate the risk of a cyber-attack. By bringing another player to

the game, it would take stress off the business to find all the weaknesses and place blame, by

allowing a non-affiliated and objective source to gauge the strength of the systems. Also, it

allows the company to show consumers that Target made every effort to prevent a digital attack

and save their personal data.

Following this measure, I would have questioned the time that the data sits in the POS

system, before it is moved to a secure server. This time period may or may not be able to be

shortened. Either way, I would want to know for sure, in order to testify that my company did

everything it could to lower the risk of theft. Generally, when discussing data transfer times, the

transfer tends to be during the early A.M. hours, and can be accelerated...for a price (millions).

The executive staff would need to find a comfortable middle ground for the price they are willing to

pay, in order to have their data secured faster.

Furthermore, I would have been aware that the November and December months are the

busiest retail months of the year. This time period is when the majority of my profits are being

drawn in, and thus, the biggest risk to be taken by thieves. Similar to banks watching their front

doors at the end of day, I would have had a specialized team of subject matter experts to monitor

the systems for any possible Trojan horse or viruses during this time period. I would have hired

the best and most experienced in the business for these specific two months of sales.

Upon additional thought, I would also have encouraged consumers to be aware of

possible financial data thefts at other businesses, and pushed for cash sales to ensure personal

information security. Some consumers may have just laughed it off, while others may have taken

it seriously. Either way, it would show my company’s due diligence to deter criminal activity.

Many organizations fear that including the common citizen in the high-level threats to society

will incite fear. However, in certain instances, by relaying information to the public, they can act

as additional eyes and ears to dangerous threats. They can also prevent themselves from

becoming victims to crime, including data theft.

After reading the past page alone, the reader can see the gaps in preparation that a multi-

billion dollar corporation failed to observe, acknowledge, and prepare for. I am a graduate

student, under the age of 30, with a basic understanding of information security, and I could

think of these prevention tips in one hour, and could probably think of several more if given the

time and financial compensation. There is no excuse for a corporation to not have thought of

these, and done a better job of protecting the consumers. I am not the type to blame the victim in

most criminal cases; however, when a certain level of responsibility is given to a person or

company, this creates liability and trust that must not be broken. It is easy to play Monday

morning quarterback and pick apart a plan that has been sitting on a desk for over a year, but a

more precise, calculated, and insured plan should have been invested in and executed prior to the

holiday season.

Looking forward to the future from a digital leadership perspective, I would expect a

federal level governmental body to establish a task force to coordinate the private sector

companies, financial institutions, healthcare organizations, and any other major targets to begin

digital disaster preparation plans. I would make this preparation and coordination a regulation

that must be followed, and I would establish trusting communication and teamwork as the key

components. By creating these plans, accountability would be established, knowledge would be

gained, and target hardening would be obtained.

By operating on the same regulatory standard for information security, the organizations

could act as a “block watch”, and look out for each other in questionable times. If a criminal

justice unit finds a new malicious code or digital threat, it should be passed on immediately

through this governmental department and into the hands of the organizations. It is unfortunate

that the Target Corporation got caught with their pants down, but it is safe to assume that every

other retailer learned from their case. It is not a question of if this type of crime will happen

again, but when and where the criminals will strike next. Unfortunately, sometimes it takes a

disaster for the business end of an organization to invest in and respect their technology

professionals. But one thing is for sure, both groups rely heavily on each other to survive.

To end on a positive note, people tend to learn from putting their hand on a hot stove. By

displaying and acknowledging this crime to the masses, the consumer can adapt and become

educated. This will allow the citizens to assist with data protection. Instead of always using

their card during the holiday rush, many consumers may elect to withdraw cash. Many

consumers may watch their checking account history at an increased level of granular detail. Similar to a

social compact in colonial times, a group effort will be needed to combat crime in the digital era.

By making information security threats known to the common man, it makes the work of a

professional criminal that much harder.

Technology gives people the freedom that no other generations have ever had. It

increases communications, work bandwidth, travel, entertainment, education, and personal

diversity. People can do what they want, when they want, wherever they want. People no

longer have to fit in with their surroundings, stay where they grew up, speak the language that is

around them, or work and learn the way that is pushed on them. People can now choose the

direction that they want to follow, and technology is their vehicle to their success point. It is

important for leadership to understand, accept, and control this reality. Leadership in the digital

era must learn to leverage these truths to provide their citizens, customers, and employees with

the best possible experience that the digital era can provide. Freedom is one of humankind’s

most sought-after desires, and the hardest possession to take away. A true leader embraces

freedom, adapts to change, and confronts the future head on, on the front line. The digital era

has come to this world, and with time, our new industry and governmental leaders will bring

about changes to our way of life, and every person should be excited for the new and endless

directions that the digital era provides to them.
