Autopsy of a Data Breach: The Target Case

Description

Autopsy of a Data Breach: The Target Case: Abstract

This case revisits the events in late 2013 that gave rise to what was at the time the largest breach of confidential data in history. Indeed, on December 19, 2013, Target announced that its computer network had been infiltrated by cybercriminals who stole 40 million debit and credit card numbers as well as the personal information of some 70 million additional customers. The case presents the cybercriminals’ activities leading up to the breach, details of the commission of the theft, the measures that Target had put in place to deter such attacks, its ill-fated response during the attack and, finally, the impact of the breach on Target as well as on the retail industry as a whole.

Teaching objectives

The case allows students to:

• Familiarize themselves with the basic vocabulary related to information security
• Understand how threats can materialize, resulting in a major data breach (approaches and actors)
• Identify the vulnerabilities of a business (by analyzing and understanding the different sources of risk)
• Become aware of the fact that humans continue to be the weak link in the chain of information security
• Understand the principal control measures a business can deploy to protect itself
• Identify and understand the specific issues raised by information security, notably in a digital business environment

Main themes covered

• Information security
• Credit cards
• Controls
• Vulnerability of an organization

Concepts and theories related to the case

• Risk management: risk sources and controls in an IT environment

Additional information

Also available in French.

Teaching notes are available for teachers only. Contact the HEC Montréal Case Centre for more information.