In this episode, the guys chat about how easy it is to go off target with data security and how people are so willing to give up their privacy for a good customer experience. Nico talks about why it’s better to come out with problematic information quickly versus holding on to it until you have every detail down.
Target got worse before they got better. While that may be unusual, what isn’t unusual is that – like most brands, products, and people – no matter what order they did it in, Target still had to fail before they got better. Prior to the early 2010s, Target seemed to be making consistent but more or less uneventful accomplishments. What came after 2013, however, is a different story. Today’s topic: the Target data breach of the 2010s.
What Happened Then?
In 2013, two things happened that caused Target to be subject to a brief and mortifying downfall. One of those things happened to Target while the other was an experiment gone wrong on their end.
The smaller of the two, and the first to happen, was Target Canada. In March 2013, Target opened its first Canadian stores. Sadly, they weren’t meant to last. The expansion into Canada presented Target with a host of problems. The most notable obstacle might be the supply chain issues that resulted in stores with aisles of empty shelves and higher-than-expected retail prices.
On January 15, 2015, Target announced that all 133 of its Canadian outlets would be closed and liquidated by the end of the year. The failure of Target Canada certainly didn’t help Target by any means. But this failure wouldn’t have hurt them as badly as it did if it weren’t for the timing of their second failure – the one that happened to them.
Had Target’s 2013 data breach not happened eight months after the company launched its soon-to-be-short-lived subsidiary, it might not have felt like a second punch to the face.
On November 27th, 2013, Target started experiencing a data breach. ‘Started to experience a data breach’ because the breach lasted for a total of 19 days – from November 27th (two days before Black Friday) to December 15th. Part of the kicker here is that the breach reportedly went on for 16 of those 19 days before it was even detected. It would be 20 more days after the discovery before Target would notify the public about the breach.
Initially, Target believed that information from around 40 million consumer credit and debit cards – including customer names, card numbers, expiration dates, and CVVs – had been stolen. In one of their earliest statements, Target claimed consumer PIN data hadn’t been part of the breach.
On January 10th, 2014, Target had another announcement to make. They announced that an additional 70 million people had been affected by the breach – bringing the estimated total to about 110 million customers. That wasn’t the only thing Target had to add. They also had to inform the public that on top of credit card information, the stolen customer information included names, mailing addresses, phone numbers, and email addresses. Obviously, there’s a moral of the story here, but there’s a technical takeaway too. The most effective way to learn from the latter might be to break down the attack.
The anatomy of the attack on Target’s data consists of five different points:
- preliminary survey
- compromise of a third-party vendor or vendors
- leveraging Target’s vendor-portal access
- gaining control of Target servers
- Target’s point of sale (POS) systems.
Yahoo Data Breach
After the breach was announced, the biggest public criticism of Target was that they didn’t announce the breach sooner. For the customers whose personal information was stolen, that’s a fair criticism but, when looking at data breaches in the 2010s, it doesn’t give Target nearly enough credit. Target is not the only company to experience a data breach in the 2010s (or 2013 alone for that matter) but the 20 days they kept the breach under wraps pales in comparison to how long other companies, like Yahoo, kept their data breaches a secret.
The second Yahoo data breach was the smaller of the two and was the first the company announced. Yahoo disclosed that “a” breach took place in late 2014 and affected over 500 million Yahoo! user accounts. This announcement came in September 2016.
The first data breach, which Yahoo announced second, occurred in August of 2013. It was initially believed to have affected 1 billion Yahoo users, as the company explained when they announced the breach in December 2016. Later, in October 2017, they realized that estimate was wrong and amended it to say that all 3 billion Yahoo users had been affected by the 2013 breach.
Target – After the Breach
Sadly, many saw the company’s reputation as a top-rated shopping experience as tarnished. In 2014, Target announced hefty increases in security spending and, according to BrandIndex, Target’s consumer perception took a 54.6% dip. That same year they rolled out a few new campaigns, including a corporate social responsibility campaign.
It all sounds maybe a little dire, but by 2017, a study found that prior knowledge of Target’s breach and breach settlement made no difference to 39% of shoppers when it came to their likelihood of continuing to shop there.
As of 2019, Target had 1,844 stores in the US. And in 2020, Target was ranked No. 37 on the Fortune 500 of the largest United States corporations by total revenue. Compared to before the data breach, things like having nearly 2,000 locations and making it into the Fortune 500 are pretty great.
What Can We Learn?
- Executive awareness: Look back at major milestones, see how much has changed in just a few years, and use what you’ve learned to make bigger strides to a (hopefully) more secure future.
- It’s not enough to be transparent, you also have to be timely: In the short and long run, it doesn’t matter that Target alerted the public fairly quickly compared to other compromised companies like Yahoo.
- Improve security when and however you can because… Americans trust retailers – that means it’s on retailers to not misuse that trust.
We speak about:
[05:00] Target Canada
[09:00] Target Data Breach
[17:35] Yahoo Data Breach
[18:50] Target after The Breach
[21:30] What can we learn
Episode Script Writer: Grace Wall
Research Analyst: Gertruda Gilyte