1. Read the attached case, Targeting Target given in next page and answer the following.

You are expected to read some journal paper/book/book chapter/conference paper along with the case and write the answer based on literature review.

1. Explain in detail how did the hackers steal Targets customer data.

[3 marks]

2. Describe thoroughly what types of technology could big retailers use to prevent identity thieves from stealing information. [3 marks]
3. Critically analyse what can organizations do to protect themselves from hackers looking to steal account data. [3 marks]
4. Discuss the best ways to protect yourself from identity theft. [3 marks]

Write references which you have read, other than the case, for answering above questions: only journal/book/book chapter/conference paper (minimum 3 references should be included in this section)

Case: Targeting Target

The biggest retail hack in U.S. history wasnt particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in Targets security and payments system designed to steal every credit card used at the companys 1,797 U.S. stores. At the critical momentwhen the Christmas gifts had been scanned and bagged and the cashier asked for a swipethe malware would step in, capture the shoppers credit card number, and store it on a Target server commandeered by the hackers.

Its a measure of how common these crimes have become, and how conventional the hackers approach in this case, that Target was prepared for such an attack. Six months earlier, the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye, whose customers also include the CIA and the Pentagon. Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Targets security operations center in Minneapolis would be notified.

On Saturday, Nov. 30, 2013, the hackers had set their traps and had just one thing to do before starting the attack: plan the datas escape route. As they uploaded exfiltration malware to move stolen credit card numbersfirst to staging points spread around the U.S. to cover their tracks, then into their computers in RussiaFireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then

Nothing Happened!

For some reason, Minneapolis didnt react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the companys data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbersand 70 million addresses, phone numbers, and other pieces of personal informationgushed out of its mainframes.

When asked to respond to a list of specific questions about the incident and the companys lack of an immediate response to it, Target chairman, president, and chief executive officer Gregg Steinhafel issued an emailed statement: Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security and are committed to learning from this experience. While we are still in the midst of an ongoing investigation, we have already taken significant steps, including beginning the overhaul of our information security structure and the acceleration of our transition to chip-enabled cards. However, as the investigation is not complete, we dont believe its constructive to engage in speculation without the benefit of the final analysis.

More than 90 lawsuits have been filed against Target by customers and banks for negligence and compensatory damages. Thats on top of other costs, which analysts estimate could run into the billions. Target spent $61 million through February 1, 2014, responding to the breach, according to its fourth-quarter report to investors. It set up a customer response operation, and in an effort to regain lost trust, Steinhafel promised that consumers wont have to pay any fraudulent charges stemming from the breach. Targets profit for the holiday shopping period fell 46 percent from the same quarter the year before; the number of transactions suffered its biggest decline since the retailer began reporting the statistic in 2008.