Target Data Breach Analysis - Case Study Example

FINAL ESSAY Name Institution Professor Course Date Final Essay: Target Data Breach Analysis Introduction Target, the second-largest United States’ discount retailer, did experience a heavy blow in relation to its reputation when a 2013 data breach did compromise the personal information of more than 100 million. In December, the company did announce that the credit and debit card information of close to 40 million customers was at risk because of a data hack, which took place around the Black Friday weekend. The purpose of this research essay is to examine the case of Target’s data breach. In the course of exploring this incident, the research essay will offer a summary of the event prior to provision of an analysis of the way in which the company sought to handle the issue. This is through incorporation of various theories and concepts in understanding the effectiveness and efficiency in relation to handling of the business incidents. Summary of the Incident Around September, a Target Corp contractor, Fazio Mechanical HVAC, did face an infiltration using email borne malware (Citadel Trojan), thus the platform for the stealing of the credentials applicable in accessing Target Corp online billing system. In addition, researchers believe that the system applicable in accessing the Target Corporation network did not integrate or utilize Strong Authentication. From this point, it is essential to note that the access to the Target network did enable the hacker to access PoS systems prior to the installation subsequent malware. From late November 27 to December 15, the malware focused on capturing the cardholder data (Weiss & Miller, 2015). During the incident, approximately 40 million credit and debit cards, as well as personal information for 70 million others were stolen. According to the technological practitioners, this action was not in isolation, thus the potentiality of incorporating six other retail breaches in the same period. In addition to the data loss, as well as required notification, Target Corp had to deal with the consumer action and financial institutions’ lawsuits. Such financial institutions did play a critical role in issuing the cards whose data was among the breach (Weiss & Miller, 2015). Furthermore, Target had to adopt and integrate a plan in the course of handling the issue while seeking to restore its image and reputation in the market and industry of operation. Theoretical Perspective In the course of responding to diverse business crisis, organizations or companies focus on adoption and implementation of different techniques aiming at saving or restoring their reputation within the industry and market of operation. In this section, it is valuable to offer a brief description of the issues in relation to the restoration of the image of the companies facing different ethical issues. Benoit’s Image Restoration Strategies Benoit focused on demonstrating the fact that business entities should respond to the crisis through adoption and implementation of a diverse approach. In the first instance, there is need to integrate a denial strategy, which focuses on integration of two approaches: simple denial and shifting the blame. Secondly, the organizations need to focus on integration of the strategy, which seeks to evade the responsibility in relation to the crisis. In this context, there is need to adopt a provocation strategy, which calls for response to act of another (Benoit, 1997). In addition, there is need to incorporate a defeasibility strategy, which relates to lack of information or ability in relation to the event or crisis. Similarly, it is valuable to consider an accident strategy, which demonstrates the fact that the crisis was a mishap (Kiambi & Shafer, 2015). Finally, there is need to convince the target audience on the fact that the crisis was an act of good intentions. Benoit’s strategy also calls for the companies to integrate the strategy relating to reduction of the offensiveness of the event or crisis. This is through incorporation of aspects such as bolstering, minimization, differentiation, attack accuser, and transcendence, as well as compensating the victims. These aspects are valuable towards reduction of the offensiveness of the event in the midst of the destroyed reputation and image in the market and industry of operation. The approach will provide the platform for the integration of the corrective action, which relates to a plan to solve, as well as prevent the crisis (Benoit, 1997). Finally, Benoit’s strategy focuses on the need to integrate a mortification strategy, which is provision of apology for the act or crisis, thus the opportunity for the company to restore its image and reputation in the industry and market of operation. Coombs’ Crisis Response Strategies Coombs did focus on integration of diverse strategies in the course of address or responding to crisis, which might affect the image and reputation of the firm. In the first instance, the theory calls for denial strategy, which seeks to prove no crisis exists or that organization has no responsibility for the crisis. Secondly, the firm focuses on integration or incorporation of a diminish strategy. According to this strategy, crisis manager has the obligation of accepting that a crisis did occur and that his or her organization is involved (Kim & Sung, 2014). Nevertheless, the strategy enables the crisis manager to change the attributions stakeholders tend to make about a crisis with the objective of reducing the reputational damage (Coombs, 2006). From this perspective, the approach is essential in minimizing the perceived damage by the crisis. The third strategy is this approach or theory is the deal strategy. In this context, there are expectations from the shareholders and stakeholders for the company to behave in certain ways with the obligation of rebuilding the legitimacy through discourse. For instance, the critical manager praises stakeholders or reminds them of past good works of the company prior to demonstrating concern for the victims in the relevant crisis (Coombs, 2006). The crisis manager will also focus on expression of compassion where the crisis manager offers money or gifts with the intention of compensating the target audiences or victims of the crisis. Similarly, the crisis manager should indicate the fact that the organization feels bad about the crisis prior to integration of an apology (Bovée, 2003). This enables the crisis manager to indicate that the organization takes full responsibility for the crisis, thus the need to ask stakeholders for forgiveness. Allen and Caillouet’s Message Strategies Allen and Caillouet did focus on integration of a PR strategy, which enables organizations to respond to crisis effectively and efficiently with the objective of enhancing the image and reputation within the market and industry of operation. In the first instance, the strategy calls for an organization to make an excuse, which enables the firm to negate the responsibility for an event or crisis. In this context, there is need to incorporate three aspects of denial: denial of intention, denial of volition, and denial of agency (Allen & Caillouet, 1994). In the denial of intention, the company should demonstrate the fact that the consequences were unforeseeable or the institution was unaware of the action and decision effects. In addition, the denial of volition enables the firm to demonstrate the fact that it could not control the crisis in question (Dardis & Haigh, 2009). Finally, the denial of agency demonstrates that the organization did not make a decision or perform a particular behavior, but did not produce the crisis in question. These aspects will enable the firm to consider integration of a justification strategy in which the company accepts responsibility for the effect, but does not accept responsibility for the negative actions in relation to the crisis in question. In this context, the company might consider to use denial of injury, denial of victim, and condemnation of condemner in the course of justifying its actions during the crisis in question (Allen & Caillouet, 1994). Furthermore, the theory focuses on the use of ingratiation strategy, which enables the firm to gain audience approval through incorporation of techniques such as self-enhancing communication. In this aspect, there is need for the company to attempt to persuade the stakeholders on the positive qualities, traits, motives, and intentions (Allen & Caillouet, 1994). The company might also focus on adopting an intimidation strategy, which is majorly applicable in conjunction with threats. The company will also incorporate an apology in which the firm admits the organization’s guilt, as well as need for punishment (Bell & Smith, 2010). These theoretical perspectives are valuable in the course examining how Target did respond in relation to one of the largest data breach. Target Response Plan In the course of understanding how Target did respond to the data breach incident, it is essential to focus on utilization of a chronological analysis of the events during the crisis. Between November 27 and December 15 2013, personal information inclusive of names, mailing addresses, and phone numbers of 40 million customers or holders of the credit and debit cards at Target were exposed to fraud. This was essential in enabling Target to embark on a response plan, which did start with a meeting of the executives with the United States’ Justice Department. Secondly, Target Corp focused on hiring a third-party forensics team to investigate the data breach incident. In addition, Target Corp sought to confirm that criminals did infiltrate its system prior to installing malware on its point-of-sale network, thus potentially stealing the guest payment and credit card data. Target Corp focused on removing the malware from ‘virtually all’ registers in the United States’ stores. In the midst of these actions, the public were still unaware of the data breach. On the 18th day of December 2013, KrebsOnSecurity, a data and security blog, focused on reporting the data breach first to the public, thus provision of the platform for the Secret Service to investigate the issue (Parker, 2015). On 19 December 2013, Target Corp sought to acknowledge the breach publicly while indicating that it was under investigation. The company did also provide information on the accessed information inclusive of the debit and credit card numbers, as well as expiration dates. The company did note that there was no indication of implications on the PIN number. The consequence of the announcement was the approach by the customers or stakeholders to jam the company’s website, as well as customer service hotlines (Weiss & Miller, 2015). According to the CEO of the company in a letter addressed to the Target Guest, “As you have likely heard by now, Target experienced unauthorized access to payment card data from U.S. Target stores. We take this crime seriously. It was a crime against Target, our team members and most importantly you - our valued guest.” In addition, the communication by the CEO to the stakeholders sought to make clarification on diverse important or significant issues. In this report, the CEO did not that unauthorized access took place in the United States’ Target stores, but zero implications on the Canadian stores, as well as target.com. The approach focused on the reduction of the offensiveness of the issue or crisis among the target audiences or stakeholders. In addition, the communication sought to calm the consumers on the fact that not all customers were victims of the fraud or data breach (Blackmon, 2014). Furthermore, in the communication report, the CEO did not that the stakeholders would not be responsible for the fraudulent charges. In the course of compensating for the victims of the crisis, the company sought to offer free credit monitoring services for the victims of the fraud (Gray & Ehoff, 2015). Moreover, JP Morgan Chase & Co focused on placing daily limits on spending, as well as withdrawals for the debit card customers affected by the Target breach as a mechanism to limit the potential damage from the data breach. In order to curb future issues in relation to data breach, Target Corp sought to invest $100 million towards updating its technological systems, thus the perfect platform for the introduction of chip-and-PIN technology for the debit and credit card users by early 2015. In addition, Bob DeRodes took over as the Chief Information Officer of the company in attempt to restore the image and reputation of the firm. Similarly, the CEO of Target Corp Gregg Steinhafel sought to resign from his responsibilities and duties to express the commitment of the company towards restoring its image and reputation following the crisis in question. Conclusion The objective of an organization in handling a crisis is to improve or restore its image and reputation in accordance with the perception of the consumers or the target audiences within the market and industry of operation. Effective communication is one of the perfect platforms in relation to handling the crisis, which might affect the image and reputation of the firm. Target Corporation sought to implement diverse techniques in the course of responding to the data breach of 2013. List of References Allen, M. W. & Caillouet, R. H. 1994. Legitimation endeavors: Impression management strategies used by an organization in crisis. Communication Monographs, 61, 44-62. Bell, A. H., & Smith, D. M. 2010. Management communication. Hoboken, N.J: John Wiley & Sons. Benoit, W. L. 1997. Image repair discourse and crisis communication. Public Relations Review, 23, 177-186. Blackmon, G. A. 2014. Problems at the Register: Retail Collection of Personal Information and the Data Breach. Case W. Res. L. Rev., 65, 861. Bovée, C. L. 2003. Contemporary public speaking. Rowman & Littlefield. Coombs, W. T. 2006. The protective powers of crisis response strategies: Managing reputational assets during a crisis. Journal of Promotion Management, 12, 240-260. Dardis, F., & Haigh, M. M. 2009. Prescribing versus describing: Testing image restoration strategies in a crisis. Corporate Communications, 14(1), 101-118. Gray, D., & Ehoff Jr, C. 2015. Sarbanes-Oxley And Dodd Frank: Then There Was Fraud. Journal of Business & Economics Research (JBER), 13(1), 19-26. Kiambi, D. M., & Shafer, A. 2015. Corporate Crisis Communication: Examining the Interplay of Reputation and Crisis Response Strategies. Mass Communication and Society, 1-22. Kim, S., & Sung, K. H. 2014. Revisiting the Effectiveness of Base Crisis Response Strategies in Comparison of Reputation Management Crisis Responses. Journal of Public Relations Research, 26(1), 62-78. Parker, J. M. 2015. Data Security Law-Who Can Enforce Violations of Data Security Breach Notification Statutes?-In re Target Corp. Data Security Breach Litigation, No. 14- 2522, 2014 WL 7192478 (D. Minn. Dec. 18, 2014). Am. J. Trial Advoc., 38, 631-631. Weiss, N. E., & Miller, R. S. 2015. The Target and Other Financial Data Breaches: Frequently Asked Questions. In Congressional Research Service, Prepared for Members and Committees of Congress February (Vol. 4, p. 2015). Read More