Case Study: The Target Breach -- A Study in Incident Response
"It is not a question of whether you will be breached. It is a question of when, and what you will do about it." -- Attributed to multiple cybersecurity practitioners
Overview
The Target Corporation data breach of 2013 remains one of the most studied incidents in data security history -- not because it was the largest breach (it was not) or the most technically sophisticated (it was not), but because it exposed failures at every level of incident response: detection, escalation, containment, communication, and organizational accountability. The breach compromised approximately 40 million credit and debit card accounts and 70 million customer records, ultimately costing Target an estimated $300 million in total expenses and fundamentally reshaping how corporations approach cybersecurity governance.
This case study analyzes the breach through the frameworks developed in Chapter 30: the six-phase incident response model, the principles of crisis communication, the root cause analysis methodology, and the ethical obligations that extend beyond legal compliance.
Skills Applied:
- Applying the six-phase incident response framework to a real-world breach
- Identifying the gap between detection capability and organizational response
- Evaluating crisis communication against the five principles from Section 30.4.2
- Conducting root cause analysis that traces proximate causes to organizational decisions
The Attack: How It Happened
The Entry Point
In September 2013, attackers targeted Fazio Mechanical Services, a small HVAC and refrigeration contractor based in Sharpsburg, Pennsylvania. Fazio had a business relationship with Target -- the company monitored energy consumption and heating/cooling systems in some Target stores. As part of this relationship, Fazio had been granted remote access to Target's network for electronic billing, contract submission, and project management.
The attackers compromised Fazio's systems -- likely through a phishing email containing the Citadel Trojan -- and obtained credentials that provided network access to Target's systems. Fazio, a 125-employee company, reportedly used a free version of Malwarebytes as its primary anti-malware protection and lacked the sophisticated cybersecurity infrastructure that might have detected the compromise.
The Lateral Movement
Once inside Target's network, the attackers exploited the fact that the vendor-facing systems those credentials could reach were not segmented from Target's payment network. The attackers moved laterally through the network, ultimately deploying a variant of the BlackPOS malware on Target's point-of-sale (POS) terminals. The malware was designed to read credit and debit card data out of POS process memory during the brief window in which the magnetic-stripe track data sits unencrypted while a transaction is processed -- a technique known as RAM scraping.
Between November 27, 2013 (the day before Thanksgiving) and December 15, 2013, the malware captured data from approximately 40 million payment cards used at Target's 1,797 U.S. stores.
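The RAM-scraping step described above is easiest to understand from the forensic side. The following added example (not code from the case study, from Target, or from the BlackPOS malware) does what a memory scraper does, namely scan a buffer for the track 1 and track 2 layouts that a card's magnetic stripe carries, but it is written as the check an investigator would run over a POS process dump to confirm whether card data is present in cleartext. The memory image is constructed for the example and uses the public Luhn-valid test card numbers 4111111111111111 and 5555555555554444, not real accounts; the Luhn filter is what keeps random digit runs from being reported as PANs.

```python
"""Hunt for unencrypted magnetic-stripe track data in a memory image.

Added, illustrative example; not code from the case study or from the
BlackPOS malware.  The buffer below is constructed and uses public
Luhn-valid test card numbers only.
"""
import re

# Track 2: ';' PAN(13-19 digits) '=' YYMM service-code discretionary '?'
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Track 1 format B: '%B' PAN '^' cardholder name '^' YYMM service-code discretionary '?'
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{2})(\d{2})(\d{3})([^\?]*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; filters digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four only, the way a finding should report a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(image: bytes) -> list[dict]:
    """Return every Luhn-valid track record found in the buffer, with the PAN masked."""
    hits = []
    for m in TRACK2.finditer(image):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": mask(pan),
                         "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}"})
    for m in TRACK1.finditer(image):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": mask(pan),
                         "name": m.group(2).decode(errors="replace").strip(),
                         "expiry": f"{m.group(4).decode()}/{m.group(3).decode()}"})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed memory image: log noise, two track records built from public
# test PANs, and a decoy whose number fails the Luhn check.
SAMPLE_IMAGE = (
    b"\x00\x00POS-TXN-LOG\x00" + b"A" * 64 +
    b";4111111111111111=25121011234567890?" + b"\x00" * 16 +
    b"%B5555555555554444^DOE/JANE^2512101000000000?" + b"\xff" * 8 +
    b";4111111111111112=2512101000?" +          # fails Luhn: must be ignored
    b"\x00" * 32
)


def demo() -> list[dict]:
    """Scan the constructed image; returns the two genuine records, decoy excluded."""
    return scan_memory(SAMPLE_IMAGE)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The same scan, pointed at a dump of the payment application's process rather than at a constructed buffer, answers the question that mattered at Target: is track data ever resident in cleartext on this terminal, and for how long. Point-to-point encryption of the card reader removes the window; EMV chip transactions remove the static track data the scraper is looking for.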
The Exfiltration
The attackers established staging servers within Target's network to aggregate the captured data, then exfiltrated it to external servers -- initially to locations in the United States, then to servers in Russia. The exfiltration generated network traffic that Target's security monitoring systems were configured to detect.
The Detection Failure
FireEye's Alerts
Target had invested approximately $1.6 million in a FireEye network monitoring system, installed just months before the breach. The system was specifically designed to detect malware and data exfiltration. On November 30, 2013 -- just three days after the malware was deployed -- FireEye generated alerts flagging the malicious activity.
The alerts were sent to Target's Security Operations Center (SOC) in Bangalore, India. The Bangalore team noted the alerts and forwarded them to Target's security team in Minneapolis.
Nothing happened.
The alerts were not escalated. The investigation was not initiated. The malware continued capturing card data for fifteen additional days.
Why the Alerts Were Ignored
Post-breach investigations identified several factors:
Alert fatigue. Target's security systems generated thousands of alerts daily. The signal-to-noise ratio was poor, and the SOC team had developed a pattern of treating most alerts as routine.
Organizational structure. The Bangalore SOC was a monitoring and forwarding operation, not a decision-making body. The team noted and forwarded alerts but lacked the authority or the contextual understanding to escalate aggressively.
Process gaps. There was no defined escalation protocol specifying that certain categories of FireEye alerts required immediate executive notification and emergency response. The alerts were treated as informational rather than actionable.
Automatic response disabled. FireEye had an automatic malware deletion feature that Target had opted not to activate. Had it been enabled, the system could have automatically quarantined the malware when it was first detected.
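The four factors above describe one mechanism: a high-volume queue in which every alert is "noted and forwarded" on equal footing, so nothing distinguishes a new critical category from the thousandth routine heuristic hit. The following added example (not Target's or FireEye's tooling; the alert category names, tier names and the 30-minute acknowledgement deadline are assumptions for the exercise) shows the minimum an escalation protocol has to encode to close that gap. It collapses repeats of the same routine alert per host so volume is counted rather than forwarded, sends a short list of critical categories straight to an on-call tier regardless of queue depth, and raises an unacknowledged critical alert to the next tier when its deadline expires. The alert feed is constructed.

```python
"""Severity-aware alert routing with de-duplication and escalation deadlines.

Added, illustrative example; not Target's SOC tooling.  Category names,
tiers and the acknowledgement SLA are assumptions; the feed is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

CRITICAL = {"malware.binary", "data.exfiltration"}      # assumed category names
ACK_DEADLINE_MIN = 30                                    # assumed SLA per tier
TIERS = ["soc-analyst", "incident-commander", "ciso"]    # assumed escalation path
DEDUP_WINDOW_MIN = 60                                    # one ticket per (category, host) per hour


@dataclass
class Alert:
    ts_min: int          # minutes since the start of the monitoring window
    category: str
    host: str


@dataclass
class Router:
    open_critical: dict = field(default_factory=dict)          # (category, host) -> escalation state
    last_seen: dict = field(default_factory=dict)              # (category, host) -> last ticket time
    batched: dict = field(default_factory=lambda: defaultdict(int))  # suppressed duplicates, counted
    actions: list = field(default_factory=list)                # (time, kind, tier, category, host)

    def ingest(self, a: Alert) -> None:
        key = (a.category, a.host)
        if a.category in CRITICAL:
            # Critical categories bypass the queue entirely; a repeat does not re-page,
            # tick() escalates if the first page goes unacknowledged.
            if key not in self.open_critical:
                self.open_critical[key] = {"tier": 0, "notified": a.ts_min}
                self.actions.append((a.ts_min, "page", TIERS[0], a.category, a.host))
        else:
            last = self.last_seen.get(key)
            if last is None or a.ts_min - last >= DEDUP_WINDOW_MIN:
                self.last_seen[key] = a.ts_min
                self.actions.append((a.ts_min, "ticket", TIERS[0], a.category, a.host))
            else:
                self.batched[key] += 1

    def tick(self, now_min: int) -> None:
        """Escalate every open critical alert whose acknowledgement deadline has passed."""
        for key, st in self.open_critical.items():
            while st["tier"] < len(TIERS) - 1 and now_min - st["notified"] >= ACK_DEADLINE_MIN:
                st["tier"] += 1
                st["notified"] += ACK_DEADLINE_MIN
                self.actions.append((st["notified"], "escalate", TIERS[st["tier"]], *key))

    def acknowledge(self, category: str, host: str) -> None:
        """An analyst took ownership; the deadline clock stops."""
        self.open_critical.pop((category, host), None)


def simulate() -> dict:
    """Constructed 8-hour feed: five hosts each emit one routine alert per minute,
    two critical alerts fire at 90 and 92 minutes, and only the second is acknowledged."""
    r = Router()
    for ts in range(480):
        for h in range(5):
            r.ingest(Alert(ts, "av.heuristic", f"pos-{h}"))
        if ts == 90:
            r.ingest(Alert(ts, "malware.binary", "pos-staging-3"))
        if ts == 92:
            r.ingest(Alert(ts, "data.exfiltration", "pos-staging-3"))
        if ts == 95:
            r.ingest(Alert(ts, "malware.binary", "pos-staging-3"))   # repeat: no second page
        if ts == 100:
            r.acknowledge("data.exfiltration", "pos-staging-3")     # handled in time
        r.tick(ts)
    counts = defaultdict(int)
    for act in r.actions:
        counts[act[1]] += 1
    chain = [(t, tier) for t, kind, tier, cat, host in r.actions
             if cat == "malware.binary" and host == "pos-staging-3"]
    return {"counts": dict(counts), "suppressed": sum(r.batched.values()), "malware_chain": chain}


if __name__ == "__main__":
    print(simulate())
```

In the constructed run, 2,400 routine alerts collapse to 40 tickets, the acknowledged exfiltration alert produces one page and nothing more, and the unacknowledged malware alert climbs from the analyst to the incident commander at 120 minutes and to the CISO at 150. That last chain is the control Target lacked: the alert reached a person, but no rule forced it upward when that person did nothing.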
External Discovery
The breach was ultimately identified not by Target but by the United States Department of Justice. On December 12, 2013, DOJ notified Target that card data from its systems was appearing in underground markets. Security journalist Brian Krebs independently confirmed the breach and published the story on December 18, 2013 -- before Target's planned public announcement.
Target was second. And as Section 30.4.2 warns: "Being second -- having the breach revealed by a journalist or a regulator -- communicates concealment."
The Response
Initial Communication
Target acknowledged the breach on December 19, 2013 -- one day after Krebs's publication. CEO Gregg Steinhafel issued a statement confirming that approximately 40 million credit and debit card accounts were compromised. The initial disclosure was limited to payment card data.
On January 10, 2014, Target disclosed that an additional 70 million customer records -- including names, mailing addresses, phone numbers, and email addresses -- had also been compromised. Because the two populations overlapped to an unknown degree, the scope of the breach had expanded from 40 million to as many as 110 million affected individuals.
Evaluating the Communication Against Crisis Principles
Be first: Target failed. The DOJ notified Target before Target identified the breach. Brian Krebs published before Target disclosed. The company was reactive, not proactive.
Be honest: Partially met. Target acknowledged the breach and did not deny it. However, the initial scope (40 million) had to be revised upward (to as many as 110 million), creating the impression of either concealment or incompetence. Repeated scope expansions erode credibility because each revision makes the previous statement appear misleading.
Be specific: Partially met. Target's initial statements were criticized as vague and corporate, though subsequent communications became more specific about what data was compromised and what steps customers should take.
Be victim-centered: Mixed. Target offered free credit monitoring and identity theft protection to all affected customers -- a victim-centered measure. However, early communications were criticized for prioritizing corporate reputation management over customer needs.
Be continuous: Eventually met. Target provided ongoing updates as the investigation progressed, though the initial communication gaps created a trust deficit that was difficult to close.
The Accountability
Leadership Consequences
In March 2014, CIO Beth Jacob resigned. In May 2014, CEO Gregg Steinhafel resigned. Both departures were directly linked to the breach. Steinhafel's resignation was notable: it was one of the first instances of a Fortune 500 CEO losing their position due to a data breach. The message was clear -- breach accountability extends to the top of the organization.
Target subsequently hired its first Chief Information Security Officer (CISO), a role that had not previously existed as a standalone position. The company invested $100 million in chip-and-PIN technology to replace the vulnerable magnetic stripe system.
Financial Consequences
The total cost of the Target breach has been estimated at $300 million, including:
- $18.5 million in a multi-state attorney general settlement (47 states and DC)
- $10 million settlement of a class-action consumer lawsuit
- $67 million settlement with Visa
- $39.4 million settlement with banks and credit unions
- $100+ million in technology upgrades
- Additional costs for legal fees, forensic investigation, credit monitoring, and reputational damage
Regulatory and Industry Impact
The Target breach catalyzed significant changes beyond the company:
- Payment Card Industry (PCI) standards were strengthened, with increased emphasis on network segmentation and third-party vendor management.
- Chip-and-PIN adoption in the United States accelerated. Target became a vocal advocate for the transition from magnetic stripe to EMV chip technology.
- Board-level cybersecurity governance became a standard expectation. The Target breach demonstrated that cybersecurity was a board-level risk, not just an IT concern.
- Third-party risk management received heightened attention across industries. The entry through an HVAC vendor made "supply chain security" a boardroom priority.
Root Cause Analysis
Applying the root cause analysis methodology from Section 30.6.2:
Proximate cause: Malware on POS terminals captured payment card data
  Why? Attackers gained access through a third-party vendor's credentials
  Why? The vendor's network access was not segmented from payment systems
  Why? Target's network architecture did not enforce the principle of least privilege for vendor access
  Why? Security architecture decisions prioritized operational convenience over access control rigor
Root cause: Organizational structure in which security was subordinated to operational efficiency, with no CISO to advocate for security architecture at the executive level
A parallel chain addresses the detection failure:
Proximate cause: Malware ran for fifteen days after the first detection alerts
  Why? FireEye alerts were not escalated from the Bangalore SOC
  Why? No escalation protocol required immediate executive notification for this alert category
  Why? Alert volume was high, signal-to-noise ratio was poor, and the SOC lacked authority to initiate emergency response
  Why? Monitoring was treated as a technical function, not integrated into organizational incident response governance
Root cause: Disconnect between technical detection capability and organizational response capability -- the systems could see the attack, but the organization could not act on what the systems saw
The Deeper Lesson
The Target breach illustrates a paradox that Chapter 30 addresses directly: Target had the tools to prevent the breach and failed anyway. The FireEye system worked. It detected the malware. It generated the alerts. The technology performed its function. The organization failed to act on what the technology revealed.
This is the gap between technical capability and organizational governance. It is the same gap that Chapter 26 (ethics programs), Chapter 27 (stewardship infrastructure), Chapter 28 (assessment processes), and Chapter 29 (model documentation) are designed to close. Technology generates information. Governance translates information into action. Without governance, the most sophisticated monitoring system in the world is an alarm that nobody answers.
Discussion Questions
- The alert fatigue problem. Target's SOC team received thousands of alerts daily, and the critical FireEye alert was not escalated. How should organizations design escalation protocols to ensure that critical alerts receive appropriate attention in high-volume environments? Is this a technical problem, an organizational problem, or both?
- Third-party accountability. Fazio Mechanical Services, a 125-employee HVAC company, used a free antivirus product as its primary cyber defense. Should Target have been responsible for ensuring its vendors met minimum security standards? How far does an organization's security obligation extend into its supply chain?
- The CEO's resignation. Steinhafel resigned five months after the breach disclosure. Was this appropriate accountability, or was it scapegoating leadership for a systemic failure? Using the blameless postmortem framework from Section 30.6.1, how would you assign organizational (not individual) responsibility?
- Speed vs. accuracy. Target's initial disclosure (40 million accounts) had to be revised upward to as many as 110 million. Is it better to disclose quickly with incomplete information or to wait until the full scope is known? How does this map to the tension between the "be first" and "be honest" principles of crisis communication?
- The remediation standard. Target offered free credit monitoring and identity theft protection. Apply Eli's Equifax objection (Section 30.5.2) to this remedy. Was the remediation proportionate to the harm? What would a care-ethics-informed remedy have looked like?
Your Turn: Mini-Project
Option A: Incident Response Redesign. Based on the Target case, design the incident response plan that should have been in place. Include: team composition, escalation protocols for monitoring alerts, third-party vendor security requirements, communication templates for different audiences, and post-incident review procedures.
Option B: Communication Rewrite. Find Target's actual breach disclosure statement (publicly available). Rewrite it to fully comply with the five principles of crisis communication from Section 30.4.2. Identify what changed and why.
Option C: Third-Party Risk Framework. Design a vendor risk management program for a retail company with Target's scale. Specify: minimum security requirements for vendors with network access, monitoring requirements, audit rights, and breach notification obligations. Address the challenge of applying these requirements to small vendors like Fazio.
References
- Krebs, Brian. "Sources: Target Investigating Data Breach." KrebsOnSecurity, December 18, 2013.
- Riley, Michael, Benjamin Elgin, Dune Lawrence, and Carol Matlack. "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It." Bloomberg Businessweek, March 13, 2014.
- United States Senate Committee on Commerce, Science, and Transportation. "A 'Kill Chain' Analysis of the 2013 Target Data Breach." March 26, 2014.
- Shu, Xiaokui, Ke Tian, Andrew Ciambrone, and Danfeng Yao. "Breaking the Target: An Analysis of Target Data Breach and Lessons Learned." arXiv preprint arXiv:1701.04940, 2017.
- National Institute of Standards and Technology. "Computer Security Incident Handling Guide." NIST Special Publication 800-61 Revision 2, August 2012.
- Manworren, Nathan, Joshua Letwat, and Olivia Daily. "Why You Should Care About the Target Data Breach." Business Horizons 59, no. 3 (2016): 257-266.