
Running Head: A CASE STUDY ANALYSIS TARGET AND HOME DEPOT DATA BREACHES

A Case Study Analysis Target and Home Depot Data Breaches

Name of Student

Institutional Affiliation

Introduction

Data privacy and cyber security are real risks to companies: in the wake of a data breach, most employees may be terminated or face personal liability, and the company may face regulatory investigations, a multitude of lawsuits, disruption of business, a fall in stock price, and a weakened reputation. Hacking is a serious issue and a potential threat to every computer system. Cybercrime, or internet hacking, according to Aghatise E. Joseph of the Computer Crime Research Center, is a crime committed using a computer either as a tool or as a targeted victim (Joseph, n.d.). Notably, it is very challenging to categorize general internet crimes into distinct groups since most cyber crimes evolve on a daily basis. However, public relations professionals provide a proportionate procedure for handling internet security crises to restore the company's reputation. It all comes down to the trust of consumers that their personal information will be safe with the company despite the crisis. Therefore, how companies respond to data breaches can damage or build corporate reputation and hard-earned trust. Since data breach compromises are often complex, making the rapid communications decisions required to curb the potential harm of a data breach is often challenging.

The situation is often further complicated by the reality that every data breach differs from the others, and there may be no precedent within the organization for responding to the crisis. The impact of a mishandled breach can reach throughout the business in both the short and the long term: lost sales, bad press, litigation, and mitigation, alongside an uphill battle to rebuild the company's reputation. Most of the breaches involved compromise or theft of identifiable information, such as addresses, names, and social security numbers. Many information security professionals will remember 2014 as the year of the big data breaches, and with good reason. Besides the occurrence of numerous high-profile hack attacks, the year included various lesser-known incidents that nevertheless led to significant theft of records, according to a report by Timothy (2015). Breach incidents rose to a total of 1,540, a 46 percent increase from 1,056 in 2013.

More important was the dramatic rise in data records involved in the breaches, which jumped 78 percent from approximately 575 million in 2013 to more than one billion in 2014 (Timothy, 2015). Put in terms of time, in 2014 alone some 2,803,036 data records were stolen every day, 116,793 every hour, and 1,947 every minute (Timothy, 2015). Despite the growing interest in encryption as a security measure to protect privacy and information, only 58 percent of the data breach incidents in 2014, representing less than 4 percent of the total, involved data that was encrypted fully or partially. Beyond the numbers, however, were the economic, social, and political impacts of the breaches. Some of the big data breaches of 2014 involved Home Depot and the entertainment company Sony Pictures Entertainment. This reality-based case study will examine two examples of cyber crime that happened in 2013/2014: the data breach at Target and the one at Home Depot. This study highlights the strengths and weaknesses of public relations at Target and Home Depot during their recent data breach crises. The public relations and marketing plans that Target and Home Depot pursued while they were victims of cyber crime will be analyzed, followed by communications recommendations that may help keep an already bad situation from becoming worse. The case study prepares a robust analysis of data breach crisis response using Target and Home Depot. It identifies the data breach scenario at each company and their response, followed by an evaluation and recommendations for data breach response based on public relations literature.

Problem Statement

Cyber attacks make news headlines almost every day, especially when they hit global credit card companies, major retailers, and high-tech leaders. Recently, financial data breaches have exposed a good deal of companies' personal information concerning finances, healthcare, personally identifiable information (PII), and legal issues. Cyber crime has predominantly been carried out by outsiders hacking the computer systems of institutions and by insiders with or without authorized access to the information. According to Timothy (2015), 78 percent of all records compromised during the first six months of 2014 were exposed as a result of outside hackers. More recently, Target and Home Depot have fallen victim to such incidents, recording huge financial losses. Specifically, Home Depot reported 56 million customer email addresses and payment cards, while Target reported 40 million payment cards and 70 million records of customer names, telephone numbers, addresses, and emails.

The data of small and mid-size companies are increasingly being hacked. The Target and Home Depot breaches are considered among the worst data breaches in the history of American data breach crimes. Cyber security has been named among the top five global risks for companies, according to the World Economic Forum. It is reported that the plethora of new opportunities for hackers includes mobile device use, increased use of cloud computing, and corporate espionage. Despite the looming cyber threats, according to Timothy, many senior company managers remain in denial and have not been able to put in place robust public relations measures to respond to data breach crises through professionalized communication strategies. Data breaches that result in the compromise or disclosure of personally identifiable information from consumers or employees, in particular, can have a significant impact on the company's bottom line. Public relations strategies help prepare companies for a quick response to data breach scenarios by ensuring a proper communication strategy to mitigate the crisis.



Background of Data Breach

While there are emerging efforts to promote internet security systems, hackers continue to poke holes in a number of industries, causing disorder for both the consumers and the corporations that trust their information will be protected. Mishandling of consumer data and inadequate company safeguards can come at a high price in lawsuits and consumer mistrust, resulting in devalued company stock. The security data breaches at Target and Home Depot cost the companies approximately 248 million dollars and 3 billion dollars respectively.

Home Depot Data Breach

Home Depot is an American retailer of home improvement products and services. The company operates numerous big-box format stores across the U.S., Mexico, and all ten provinces of Canada. The breach against the United States-based home improvement specialty retailer was a financial access attack involving 109 million records, and it scored 10.0 on the risk assessment scale. This was considered one of the largest attacks of the year based on the records compromised, Hill (2014) reports. According to the company's official statement, its payment data systems were attacked. Notably, the files that contained the stolen email addresses did not contain payment card information, passwords, or other sensitive personal or private information, the report reads. More specifically, in September 2014, Home Depot established that it had experienced a breach in security that affected approximately 56 million debit and credit cards in the United States and Canada (Hill, 2014). The criminals used unique, custom-built malware to steal the account numbers from Home Depot's point-of-sale systems. The do-it-yourself retailer owns and operates 180 stores in Canada and more than 2,200 in the United States. Reports from Home Depot indicated that cyber criminals armed with custom-built malware stole approximately 56 million card numbers from customers from April to September 2014. The disclosure made the crime the biggest card breach incident on record.

The disclosure, first released in September, indicated that the malicious software used by the unknown cyber criminals to steal debit and credit cards was mainly installed on the payment systems in the self-checkout lanes at retail stores. Investigations revealed that the criminals stole fewer cards during the five-month breach than they might otherwise have. A Home Depot release dated September 18, 2014, indicated on the basis of investigations that the cyber thieves used unique, custom-built malware to evade detection. The malware had not been seen previously in other cyber attacks, according to Home Depot's security partners (Home Depot Security Breach, 2014). It is estimated that the cyber attack put payment card information at risk for nearly 56 million unique debit and credit cards. Hill (2014) finds that the malware is believed to have been present from April to September 2014. Home Depot's statement also established that it had completed a security upgrade that would deter any further breach of its systems in its retail stores in the United States and that it would roll out updated and enhanced encryption to its stores in Canada. According to Home Depot Security Breach (2014), the terminals identified with the malware were taken out of service and eliminated from the company's systems. Today, Canadian debit and credit cards have chip technology that protects the customers. Home Depot subsequently assured customers that there was no evidence the cyber criminals had gained access to customers' PINs.

Target Data Breach

The Home Depot cyber crime story is not an isolated incident. On December 19, 2013, United States-based retail giant Target provided a statement indicating that it had suffered a major credit card data breach between November 27 and December 25, 2013. The statement confirmed a previous report, from December 18, of the data breach. A report by In Hardy (2014) indicates that Target engaged both federal law enforcement, including the U.S. Secret Service, and a private incident response firm to investigate the nature and scale of the data breach. On December 23, Target suggested that malware installed on point-of-sale (POS) terminals had facilitated the breach, a fact that the company's statement confirmed in early January 2014. However, Target representatives have released little narrative and technical detail on the attacks, which is typical for institutions that have suffered cyber crime incidents.

According to a statement released by Target, from November to December 2013, information on approximately 40 million payment cards (for example, debit, credit, and ATM cards) and personally identifiable information (PII) on 70 million consumers was compromised. Reports from the Secret Service indicated that it was investigating the breach and had yet to release further details. However, at the Congressional hearings, the executive vice president of Target testified that an intruder used vendor access to the company's systems to place malware on the point-of-sale (POS) registers. According to the testimony, In Hardy (2014) writes, the malware captured debit and credit card information before it was encrypted, a step that would have rendered it more difficult, if not impossible, to read. Additionally, the hacker captured some strongly encrypted personal identification numbers (PINs), according to Burg (2014). The report affirms that it was very unlikely that all 40 million payment cards compromised at Target could be used in fraudulent transactions. Some cards, the report reads, would be canceled before they could be used, and attempts to use valid cards were denied by the issuing financial institutions. Finally, there were zero attempts to make fraudulent use of the credit cards.

According to reports from the media, some financial institutions responded to the Target breach by issuing new credit and debit cards to their cardholders, while others decided to depend on an antifraud monitoring approach. More specifically, Wells Fargo, JPMorgan Chase, and Citibank replaced their debit cards, rather than credit cards, while U.S. Bank and Bank of Africa depended on the detection of fraud (Geneiatakis, Scheer & European Commission, 2013). Most recently, Target reported that the data breach cost 248 million dollars. However, independent sources made back-of-the-envelope estimates that range from 240 million dollars to 2.2 billion dollars in fraudulent charges alone. This is exclusive of the additional potential costs to consumers concerned about personal information or credit histories, and of penalties or fines to Target and financial institutions (Weiss & Miller, 2015). The Target data breach, alongside that of Home Depot, was one of the numerous cyber crimes in the history of the United States. The concerns of consumers over the Target data breach fueled further congressional attention to its data security. Congress therefore held seven hearings before six different committees on these topics to examine the events surrounding the Target breach. The hearings, according to Weiss and Miller (2015), were predominantly held to ensure improvement of data security standards, notification of consumers when their data have been compromised, and protection of consumers' personal information.

Case Studies

Target Corporation

Detailed Story of the Target Breach

The Target data breach dates back to November and December of 2013, when unknown cybercriminals breached the company's data security. Kassner (2015) indicates that the business confirmed that the account numbers and details of 40 million debit and credit cards were stolen. Furthermore, on January 10, 2014, the company announced that personal information, including addresses, email addresses, names, and phone numbers of nearly 70 million customers, was also stolen during the crime. Following the testimony of Target's vice president and financial executive to the Senate, the Senate committee released a report that concluded that Target missed opportunities to prevent the data breach. According to Kassner (2015), the November-December incident involved cyber criminals who successfully collected, staged, and eventually exfiltrated data related to credit and debit payment cards. A number of finer details remain unclear; however, quite a few have emerged. Speculation streamed from various reliable sources maintaining that Target Corporation never had in place the security products necessary to stop the breach.

Target Corporation involved both federal law enforcement, including the US Secret Service, and a private incident response firm that aided in investigating the scale and nature of the data breach. Target suggested that the malware installed on the POS terminals was the significant component of the breach, as the company confirmed in January 2014. Target representatives, however, released little technical detail on the attacks, which makes it difficult to obtain verifiable details about the cyber crime (Janczewski & Colarik, 2008). Widespread speculation has emerged on how the cyber criminals successfully executed a large-scale attack that went undetected for approximately three weeks. Payment card companies oblige any enterprise accepting payment cards to adhere to the PCI rules governing the security of payment card processing, and Target testified that its systems were reviewed in September 2013 and certified as compliant (Janczewski & Colarik, 2008). Moreover, the magnetic stripes on the back of United States credit cards are, for instance, not encrypted. Media reports indicate that malware known as a "memory scraper" captured information from customers' payment cards by reading the memory of the POS system before the information was encrypted (Munson, 2014). In a nutshell, the reports from both the media and the company indicate that an intruder obtained the credentials of a vendor, which enabled access to Target's vendor billing and invoicing system, from which the intrusion escalated into Target's POS system. This allowed the introduction of the malware into Target's POS system, and the initial warnings about the malware were ignored by the company's security professionals. As such, Target's own software was used to spread the malware to virtually all of Target's POS devices. The credit and debit card data were stored in innocuously named files that were sent to servers outside Target's system and then on to other servers. Surprisingly, the warnings about the transmission of the data were overlooked.
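Unencrypted magnetic-stripe data has a fixed, recognizable layout, which is what allows a content-inspection control to flag staged or outbound files that contain it, however innocuously they are named. The following Python code is an added example, not part of the original paper or of any Target system; the track layouts follow ISO/IEC 7813, and the file names and sample contents are constructed.

```python
import re

# Magnetic-stripe layouts (ISO/IEC 7813). Cleartext track data keeps this shape
# wherever it lands: process memory, a staging file, or an outbound upload.
#   Track 1, format B:  %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?\r\n]*\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so alerts never carry a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_blob(name: str, data: bytes) -> list:
    """Return masked findings for every Luhn-valid track record in data."""
    findings = []
    for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pattern.finditer(data):
            pan = m.group(1).decode("ascii")
            if luhn_ok(pan):
                findings.append({
                    "source": name,
                    "kind": kind,
                    "pan": mask_pan(pan),
                    "offset": m.start(),
                })
    return sorted(findings, key=lambda f: f["offset"])


def triage(files: dict) -> dict:
    """Map file name -> findings, keeping only files that hold track data."""
    hits = {}
    for name, data in files.items():
        found = scan_blob(name, data)
        if found:
            hits[name] = found
    return hits


# Constructed sample input. 4111111111111111 is a widely used test PAN;
# the file names are hypothetical and not taken from the incident.
SAMPLE_FILES = {
    "cache_0412.tmp": (
        b"\x00\x17hdr"
        b";4111111111111111=25121010000000000000?"
        b"\x00\x00"
        b"%B4111111111111111^DOE/JOHN^25121010000000000?"
        b"\x90tail"
    ),
    # Matches the track 2 shape but fails the Luhn check, so it is not reported.
    "inventory.csv": b"sku;1234567890123456=9912101?\nqty,12\n",
    "readme.txt": b"store hours 9-5",
}

if __name__ == "__main__":
    for fname, found in triage(SAMPLE_FILES).items():
        for f in found:
            print(f"{fname}: {f['kind']} {f['pan']} at byte {f['offset']}")
```

The Luhn filter is what keeps the false-positive rate workable: the constructed `inventory.csv` entry has the right shape but is rejected.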

The company estimates that the 40 million payment card and 70 million PII data breaches had at least 12 million people in common, translating to a figure of 98 million as the number of affected customers, according to Retail Association (2014). Additionally, Fazio Mechanical Services, which provided heating, ventilation, and air conditioning (HVAC) services for the company, indicated that it was used to breach Target's payment system. A Fazio computer authorized to submit project management and contract billing to the company was reportedly compromised by the intruders, the report reads. Media reports also indicated that Fazio became the victim of a phishing email containing malware that was used to install other malware on Target's network, including Target's POS system, which records card transactions and all payments (Retail Association, 2014).

Target Breach Timeline

According to a report by the Senate Committee on the Judiciary (2014), companies that suffer data breaches due to cyber crimes rarely publish detailed timelines. However, Target became an exception to this rule, perhaps because the company's senior management was made to testify before Congress. The Senate Committee on the Judiciary (2014) reports that, according to the testimony of Target's executive vice president and chief financial officer, John J. Mulligan, the documented significant dates of the crime are as follows.

The testimony indicates that on November 12, 2013, cyber criminals breached Target's computer system. It is believed that the intrusion was detected by the company's security systems, yet Target's security professionals failed to take any action until law enforcement notified the company of the breach (Senate committee on the Judiciary, 2014). On December 12, 2013, the Senate records show, the Department of Justice (DOJ) notified Target that there was suspicious activity involving debit, credit, and ATM cards that had been used at the company. On December 13, 2013, senior officials from Target met with the Department of Justice and the United States Secret Service for further information on the suspicion. On December 14, 2013, the company hired external professionals to conduct a robust forensic investigation into the matter. On December 15, 2013, Target released a statement confirming that malware had been installed and that most of the malware had been eliminated.

Subsequently, on December 16 and 17, 2013, the company notified the payment processors and card networks that the breach had indeed occurred (Senate committee on the Judiciary, 2014). On December 18, 2013, the company removed the remaining malware, and on December 19, 2013, the company released an official public announcement of the breach. Later, on December 27, 2013, the company provided further details relating to the crime, adding that encrypted PIN data had been stolen. Thereafter, on January 9, 2014, Target discovered the theft of PII, and on January 10, 2014, the company confirmed through a public announcement that PII had been stolen (Senate committee on the Judiciary, 2014).

Home Depot Case Study

Home Depot is a retail business with 2,266 stores and 79 billion dollars in annual revenue. Before the hackers intruded into the payment systems of Home Depot's stores in Canada and the US, it had suffered two smaller hacks. The company confirmed the major hack on September 8, 2014, nearly one week after credit card data linked to its customers went up for sale on a black-market website, according to Laasby (2014). The hack put 56 million of the company's cards at risk, more than the 40 million victims of the Target breach. Internal Home Depot documents, according to Laasby (2014), indicated that the Atlanta-based retailer had chosen to keep extra security measures deactivated even though they were designed to detect the intrusion of any malicious software into the system. A statement from Home Depot indicated that the cyber criminals used custom-made software to evade detection, thus relying on tools that had never been used in account hacking.

The Home Depot customer update on the data breach reports that a massive batch of debit and credit cards belonging to Home Depot customers went on sale on a criminal internet site that linked the hackers to Target and P.F. Chang's. The credit card information was offered for sale a day after the underground site that had stolen financial information. The breach could have begun in late April 2014, according to Krebs security reports. Home Depot spokesman Paul Drake reiterated that there was unusual activity in their software and that the company was working with its financial partners and law enforcement officials to investigate the matter. The hackers had stolen information from cards issued by European financial institutions, further confirming that a breach had occurred, and efforts were being made to notify the customers immediately (Reingold, 2014). However, Home Depot's press statements never released any specifics on how long the malware was in its systems, which points of sale were compromised, or how the hackers gained access to its networks, according to Reingold (2014). Rumors leaked that there may have been an insider connection that allowed the hackers to gain access to Home Depot's Windows XPe terminals.

While limited details were provided to the public about the Home Depot data breach, sources familiar with the investigation said that the hack never hit the registers of the store. A press statement later released by Home Depot, outlining the findings of the inquiry into the data breach, confirmed that the criminals used a third-party vendor's username and password to access the perimeter of the company network. The stolen credentials alone, however, did not provide direct access to Home Depot's point-of-sale devices (Egan & Anderson, 2015). The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in Canada and the U.S. In addition to the previously disclosed payment card data, the statement reads, separate files containing nearly 53 million email addresses were also stolen during the breach. However, the statement confirmed that the files did not contain passwords, payment card information, or other sensitive personal information.

Home Depot Timeline of Data Breach

The first information on the Home Depot data breach was disclosed on September 2, 2014, in a statement that also sought to assure customers that the malware used had been eliminated in both its U.S. and Canadian stores. Multiple financial institutions reported on September 7, 2014, that they were receiving alerts from MasterCard and Visa about particular debit and credit cards compromised in the breach, suggesting that the cyber criminals were stealing card data from Home Depot; this was five full days after the data breach news first broke. Home Depot acknowledged on Monday, September 8, 2014, that it had suffered a breach of debit and credit cards involving its customers in Canadian and U.S. stores dating back to April 2014 (Egan & Anderson, 2015). Despite the retailer acting swiftly to assure its customers and the financial institutions that no debit card PIN had been compromised, reports came that multiple financial institutions had experienced a steep increase over the previous day in fraudulent ATM withdrawals on customer accounts (Home Depot Press Release, 2014).

On September 9, 2014, Home Depot confirmed that a network intrusion had led to the compromise of its customers' credit and debit payment card data, potentially for customers across the entire unit who had shopped at the retailer dating back to April 2014 (Home Depot Press Release, 2014). On that very day, details emerged after a well-known security blogger reported that a large quantity of the customers' stolen cards had started to appear in underground markets. Home Depot therefore rolled out its encryption project in its U.S. and Canada stores on September 13, 2014; the project was then estimated to be complete early in 2015.

Home Depot Response

According to Morran (2014), almost a week after security blogger Krebs warned that Home Depot could be the victim of a data breach extending to its U.S. and Canada stores, the company had neither confirmed nor denied that the breach occurred. While Target made an initial disclosure of the scope of its breach and later revised it in a series of updates, Home Depot did not respond swiftly. Although the cases are different, Home Depot initially denied that a breach had occurred, and in the company's defense, Home Depot spokeswoman Paula Drake indicated that they did not have any updates on the situation. Home Depot therefore waited until it had established the parameters of the breach before finally disclosing other details. The company frequently released statements aimed at updating customers on the investigation into the breach of the payment data system (Morran, 2014). Finally, the company confirmed that hackers stole separate files containing clients' credentials, and every effort was made to notify individual customers who became victims of the breach. The company constantly assured customers that they were not liable for fraudulent charges to their accounts and offered free identity protection services, such as credit monitoring, to customers who had used payment cards at Home Depot from April 2014.

Although it responded only a week later, the company's initial press release denied the breach, on the grounds that it had no facts about it. The company later provided a detailed report on the data breach, though it never specified what information was stolen by the hackers. Reports also indicated that payment cards had gone up for sale on an online black market, which suggested that they contained adequate data to create a fake card. Home Depot also failed to provide a timeline of the data breach, but insisted that the investigations went back as far as April 2014, according to Greising and Lisa (2014). Despite the mixed feelings over the reports, Home Depot stressed that it had closed the leak and that the malware had been eliminated from its systems. It also moved to assure customers that it was working on enhancing security measures and promised further updates on the breach (Greising & Lisa, 2014). While it never disclosed the specific stores that were affected by the breach, the company indicated that consumers were not liable and also warned customers to be on guard against phishing scams used to trick people into providing personal information in response to phony emails.

Home Depot acknowledged that the size of the hack made it more likely that the company would face steep costs. The finance security professionals led by Bill Guard estimated the potential cost of the fraud to be as high as 3 billion dollars for the company. Home Depot therefore hastened to assure investors that it was on track to meet its target sales in the third quarter. According to Morran (2014), the September 18, 2014, news release from the company estimated that sales would grow by 4.8 percent, besides raising its approximation of third-quarter per share profit to 4.54 billion dollars from 4.52 billion dollars. The profit estimates, according to the Home Depot press release, took into account the cost of investigating the data breach and providing credit monitoring services to customers, as well as professional and legal services. The company also made a pledge that no customer would be on the hook for any fraudulent charges. However, the company did not factor in losses related to the breach such as liability on customers' debit and credit cards or from any civil litigation. Yet the undocumented costs had material adverse effects on the financial results of the company in the fourth quarter or future periods.

Target Corporation Response

Retail Association (2014) reports that, overall, the company reacted slowly in communicating the problem to its customers. The timing of Target's security breach, Munson (2014) writes, was horrible. The attack happened during December, a shopping season, which obviously caught the retailer off guard. However, the chance to be the first to break the news was completely within its control, and it waited seven days after learning about the theft before alerting customers. The company, according to John Biggs for TechCrunch, reacted quite slowly to the breach, as Krebs Security had provided information a week earlier. As a result, most customers first learned about the breach from the media rather than from the company itself. The communication with consumers was also inadequate; for example, the banner informing customers of the breach was too small to see. In essence, there was a communication breakdown in the response strategy used by Target Corporation, and angry customers flooded social media.

Later, when the company released an official report admitting the data breach, the

company first apologized to the customers for the incident and stated that the breach had shaken

the confidence of their guests. Target took its responsibility to the guests seriously and indicated

that they had learned from the incident and hoped to make the company more secure for the

customers in the future. Also, the press release of Target documented the timeline and the events

of the breach based on the investigations. Munson (2014) writes that Target assured the

customers that they were working closely with the U.S. Secret Service and the U.S. Department

of Justice on the investigations to assist in bringing the criminals to book.

Primarily, Target categorically provided information based on their knowledge. This

included the events and the timelines of the events in depth. With reference to protection of the

customers and guests, Target responded by protecting the guests and strengthening the security

system. The immediate actions were documented. Firstly, Target Corporation undertook an end-

to-end review of the entire network and promised to make security enhancements appropriately.

The company also responded by increasing fraud detection for the Target REDcard guests.

According to Geneiatakis, Scheer and European Commission (2013), the company outlined that

so far, they had not witnessed any fraud on the payment cards as a result of the breach; however,

the statement acknowledged that they had seen a very low amount of additional fraud on the

Target Visa Card. Thirdly, Target considered reissuing new Target debit and credit cards

immediately to any customer that requested one and also offered one year free identity theft

protection and credit monitoring to the customers that ever shopped at the U.S. Target stores.

The protection, as explained, included free daily credit monitoring, credit report, unlimited

access to personalized assistance from professional fraud resolution agents, and identity theft

insurance.

Furthermore, Target informed the customers that they had zero liabilities for any

fraudulent charges accrued on their payment cards due to the data breach incident. According to

the report, Target challenged the customers to consider monitoring their accounts and promptly

alert their issuing financial institution or Target of any suspicious activity. Target’s response

also included accelerating their investment in the chip-enabled technologies for their REDcards

and stores’ POS terminals. The company assured the stakeholders that the chip-enabled technologies

would be critical to enhancing customer protection. Target also responded by initiating a

5 million dollar investment in a campaign with the Better Business Bureau, the National Cyber

Forensics and Training Alliance, and the National Cyber Security Alliance to advance public

awareness and education about cyber security and the dangers of consumer scams (Kassner,

2015).

Earlier, Target had launched a retail industry Cybersecurity and Data Privacy Initiative

that was seen as a response aimed at informing the public dialogue and providing

enhanced practices for improved payment security, consumer privacy and cyber

security. The report touched on their response in investing in security measures that included

firewalls, intrusion detection and prevention capabilities, malware detection software, and data

loss prevention. In an effort to assure their customers of future security, under the “moving forward”

slogan in their response, Target called for teamwork, updating payment card technology and

strengthening protections for the consumers. In a nutshell, the company launched a robust public

relations counterattack based on daily news briefings and a flurry of statements and photos

designed to show the company was aggressively responding to the data breach crisis.

Data Breaches against Expert Recommendations

If a company experiences a huge crisis, there is no shortcut: the companies will definitely

suffer and without elaborate strategies the company might never be the same again. The point of

debate holds that instead of responding to a crisis as a defeat, the company should recognize the

fact that it is another opportunity window and find the best approach out of the crisis, essentially,

with its brand image and reputation intact. Therefore, numerous public relations experts have

echoed their recommendations to companies that become victims of the crisis.

In his book, “Public Relations Strategies and Tactics”, Wilcox suggests various

mechanisms of communicating during a crisis. According to Wilcox (1988), a company should

designate a single spokesperson, who should be someone trusted by the media and who has

authority to speak on behalf of the organization. Wilcox notes that the company’s top

executive is often the best spokesman. Secondly, the organization management should remain

accessible and provide an after-hours phone number, respond positively to media calls, and be

open to questions. Also, if the question is sensitive and might sabotage investigations, it is

essential to say so. Accordingly, these recommendations match the events that

occurred in both Target and Home Depot during the crisis. In particular, Home Depot insisted that

it could not provide other sensitive details concerning the timelines of the data breach as the

matter was under investigation. Besides, both the companies communicated, though late, to the

public through the press release that was read by their respective executives. Additionally, Target

officials provided the scope of the data breach, and even remained accessible including

appearing before the Senate to testify on the crisis. While both companies responded late to the

crises, they relied on investigations and later provided daily news updates and an after-hours phone

number. Target, for instance, remained accessible to the media and even responded to interview

requests when asked to do so. For example, Target had an interview with Bulls Eye press

that also tackled the questions that were asked by the public.

Wilcox further reiterates that companies in crisis should monitor news coverage and

telephone inquiries, including establishing what the media reports on the crisis and comparing it with the

organization’s view. Also, the organization should be familiar with the needs and deadlines of

the media and provide timely information to meet both the print and broadcast deadlines.

Wilcox (1988) recommends that the organization should communicate with the key public,

employees, government agencies, the investment community, officials and focus on their

relations with the media. Primarily, some of these principles did not go well with the companies.

Firstly, they both responded late, a week after the events. Target, for instance, responded a week

late, making the media rely on rumors to report to the public. Besides, the company never

responded to the media allegations positively, insisting that there was no such breach until one

week after the event. Reports even circulated in the media indicating that there were Target

credit cards being sold in online credit market that could be used for fraudulent transactions.

Similarly, Home Depot denied that customer payment cards had been accessed, contrary to the

media reports that the intruders had indeed accessed the payment cards. These assertions

indicate that the companies never remained familiar with media needs. However, the companies

both communicated amicably to the public by telling the truth based on their knowledge and

investigations. Also, they got in contact with relevant investigative bodies to assist in validating

the matter. In particular, Target involved the U.S. Secret Service and U.S. Judicial Service

Commission in their investigations (Janczewski & Colarik, 2008). Lastly, both companies

provided frequent updates to the customers and the public over the findings of the investigations.

Wilcox (1988) further mentions that organizations should take responsibility for solving

the problem, though they must not admit or deny guilt. Also, they should set up an information center

for information updates, and provide a constant flow of information. Wilcox writes that an

organization in crisis can only build credibility by addressing bad news quickly, and when the

information is withheld, the cover-up becomes the story. With reference to Target, the

organization stated explicitly that there is no customer that would be liable for the charges

resulting from the fraudulent transactions. The organization offered to take full responsibility and

went ahead to provide free security monitoring and credit and debit cards for any customer that

demanded. Similarly, Home Depot took full responsibility and provided all the customers that

had been shopping in their retail stores from April with new credit and debit cards.

Also, Home Depot reiterated that no customer would be liable for the charges resulting

from the fraudulent use of their payment cards (Janczewski & Colarik, 2008). In terms of a

constant flow of information, both the organizations reacted slowly to the crisis, providing a formal

press release nearly a week after the crisis. Despite justifying their late response by not relying

on rumors, after the initial investigations, both companies provided continuous updates for the

customers over the investigation validations. However, Home Depot and Target failed to

establish an information center for providing information updates. Rather, the companies rushed

to technological responses including creating chip-enabled technologies to protect the customers.

Referring to Howard (2013), in his book, “On Deadline Managing Media Relations”, an

organization should know who has the information. According to Howard, information exists in

the department, public, and federal state organizations. Krebs on Security initially broke the news of

the data breach. Though it is not clear whether the companies identified specific individuals with

the information, they both indicated that their security systems detected unusual activity in their

software. Also, organizations should be accessible and monitor the media. Similar to the

recommendations outlined by Wilcox (1988), Home Depot and Target remained available and

even attended to interview questions from the media. While the literature remains mixed, Eric

Weiss and Miller (2015) argue that the companies became accessible and denied the reports of

data breaches until investigations were conducted. The fact that they

refused to comment deeply on the matter immediately and chose to rely on the studies

indicates that they were accessible but did not react swiftly to the crisis. According to

Howard, being available to the reporters is necessary for providing the media with facts.

Therefore, the media initially relied on news from outside sources due to what can be described

as physical accessibility rather than informational accessibility of the companies.

Howard (2013) further mentions that in times of crisis, organizations should understand

the media's needs and establish robust communication with employees. According to his

writings, media reporting on an organization’s crisis requires facts, and it is favorable to give

whatever information is available. Contrary to this, for nearly a week

Home Depot kept telling the media that there was an ongoing investigation that would

provide reports on a massive data breach. The company later confirmed that its in-store payment

systems were significantly compromised by cyber criminals (Joseph, n.d.). Target Corporation

provided the scope of the breach to the media, according to Janczewski and associate, and later

revised it through a series of press releases. The response was quite slow, as the breach had been reported

a week earlier by Krebs on Security. This made the media pick up rumors for reporting that

turned out to be accurate for both the organizations. Moreover, Howard admits that

communication with employees provides the best line of defense or offense. As such, top

management should provide frequent updates to help keep the employees from speculation and

spreading the rumors. Home Depot reportedly blamed the employees by indicating that they

relied on the outdated Systematic antivirus software from 2007 and failed to monitor the network

for unusual behavior. Such allegations may not go well with the employees, according to

Howard, as they increase media speculation. However, Target involved the employees actively in

the crisis update and mitigation. Target even went a step further to provide employee education

and to inform them of the policies and procedures for protecting sensitive data on corporate and

personal devices.

Furthermore, Howard writes that organizations should recognize that

at times incomplete media coverage is inevitable during the crisis. As such, Howard advises that

organizations can realistically get facts right and portray the reputation through the media by

being concerned and actively involved in fixing what went wrong. This recommendation was

well applied by both the companies. Target, for instance, provided continuous press releases, took

responsibility and offered additional services such as public awareness and education on

cybercrime risks and prevention. Home Depot also is on record providing measures showing

their concern. They released an official press release acknowledging that indeed there was a

breach, relieved the customers of charges resulting from the deceitful transactions and

engaged in high-tech development of security of customers alongside convincing investigations.

Number seven in his recommendations, Howard provides that organizations involved in a

crisis should make a plan and employ a wise use of the website during the crisis. According to

him, creating a dark site developed for areas of vulnerability is essential. Lastly, Howard stresses

understanding that “first beats better” in the mad scramble during the crisis. Therefore, the

organization should assist the media in keeping the basic facts right by constantly updating the

website. Referring to the scenarios, Home Depot and Target failed to assist the media initially,

making the media depend on rumors. However, immediate measures were taken to remove the

malware that the intruders used to hack their system. There were extra security measures taken

by both the companies concerning website safety, including launching a retail industry

Cybersecurity alongside Data Privacy Initiative as in the case of Target Corporation.

Lukaszewski (2013) also echoed his concerns over crisis communication by emphasizing

the details the organization CEO is obligated to comprehend about reputation risk and crisis

management. First, Lukaszewski advises the organization CEO to remain calm because crisis

communication requires a high level of professionalism from the spokesperson. Essentially, the

organization’s spokesperson should reassure customers and demonstrate confidence and

competence and focus on resolving the issues. With reference to Target, the company moved swiftly to

apologize to the customers and stated that the business was determined to work very hard to earn

the confidence of the guests back (Janczewski & Colarik, 2008). Furthermore, the company

responded by supporting the customers and strengthening the security. Besides, Target

spokeswoman Molly Snyder observed that the company had moved quickly to inform the

customers based on the facts discovered by the complex investigation. Home Depot through their

CEO Frank Blake in the company of spokeswoman Paula Drake insisted on communicating the

facts as the company did not yet have updates from the investigation on the situation. However, after the

investigation, the company assured the customers that they had patched any holes, and the

system was safe for the customers to shop.

Secondly, Lukaszewski (2013) provides that companies should coordinate all comments

with the crisis website. While it is undocumented whether the companies created a crisis website,

the companies widely used the press media to release the news, as most of the customers learned

of the crisis via the media. The companies both insisted on reports from investigations and

stated clearly that they would wait for the complex investigation reports to provide accurate

information. Target, however, hinted at the scope of the breach and later revised it, something that

angered the customers and created confusion. The fact that the customers of both the companies

learned of the data breach through the media shows that there was inadequate

coordination of the comments from various parties. Munson (2014) writes that all shoppers at

Target learned in December, largely from the media sources, and it took one week for Home

Depot to respond, hinting that the company never established coordination of the crisis

comments.

Third in the order, Lukaszewski recommends quick action, noting that action should

be taken between one and two hours. Home Depot and Target acted rather slowly, keeping the

media in the dark for nearly a week. However, they did comment that the matters were under

investigation and that they would release an official statement as soon as substantial information was

established. The media was never treated with the utmost quality and professionalism, as the

companies declined to comment on the matter. While they were within their limits and legal

parameters, it would have been essential to provide the information available. Home Depot failed to

provide any information that could be reported to the shoppers, forcing the media to depend on

unconfirmed rumors mostly from Krebs on Security. Target, however, provided the scope of the

matter, which was later revised accordingly. According to Lukaszewski, organizations should

only release the information about the victims after notifying the families and with the

permission of the families. However, this might have never been the case as no specific

individual was named to have been affected. Instead, an approximate figure of the victims was

given, and the companies offered to provide new credit and debit cards as well as relieving the

victims from charges resulting from the duplicitous transactions.

Moreover, Lukaszewski (2013) writes that the organization in crisis should provide the

media with useful information. Target made initial disclosures on the scope of the breach and

later revised them in a series of updates that resulted in confusion, while Home Depot, though it

later released useful information, failed to provide any valuable information immediately after the

public learnt of the data breaches. Rather, the spokespersons from both Home Depot and Target

reiterated that the matter was under investigation and that they would wait until it was over to be able to

offer any substantial information. While this provides legal benefits for the companies, it was

harmful to them as it forced the media to report on unofficial information that later got confirmed

to be true by the respective companies. Lukaszewski also writes that organizations in crisis

should avoid saying “I don't know” far too often, and if that is the answer, it is better to use a

declarative approach. Notably, the companies took a good step of basing their reports on the

investigation, which is more important than providing unconfirmed details to the media.

Lastly, an organization stuck in a crisis should devote a specific website to the

controversies experienced. According to Lukaszewski, the website should house a growing repository

of useful, helpful and current information, including laws, rules, studies, regulations, correction,

questions and answers, and clarification information. The literature of both Home Depot and

Target does not specify the establishment of an independent crisis management website.

However, the press release and other detailed information were constantly provided to the media

based on reports from the investigation. For instance, Target made initial disclosures on the

scope of the breach and later revised them in a series of updates that resulted in confusion.

However, Home Depot provided a series of information based on updates from the investigation.

Therefore, while there is no literature validating the creation of a particular website, the

companies provided frequent updates to the customers and the public through the media and their

respective websites.

Future Recommendations

Despite the fact that a data breach is a cyber criminal offense chargeable in the judicial

system, it is one of the few circumstances that serve to test the reputation of the

company and its competency to solve a crisis. Whether the impact is sustained or immediate, a

crisis affects stakeholders within and outside the company. Based on the Home Depot and Target

Corporation case studies, some aspects of crisis mitigation were adequately adhered to,

according to the three experts analyzed above. Therefore, the recommendations are based on the

areas where both the companies showed weaknesses.

1. Home Depot and Target should be accessible to the media and provide continuous

updates to the media. This includes responding professionally to the media through the

respective public relations or communication office. Also, in the future, the companies

should provide available information to the media so that the media cannot depend on the

rumors from outsiders. This would ensure only facts are reported and keep the customers

updated with first-hand information.

2. The companies should establish a central information center with a developed website.

The media and customers can be updated using the website, rather than using a single

website for the company. The central information center should also be secured with the

current technology such as chip technology to deter any intrusion.


3. In the future, Home Depot and Target Corporation should establish the source of

information through the crisis management department. As such, the department should

respond to any security firm reports with seriousness and never take any information for

granted. Any information received based on security matters should be investigated

accordingly.

4. Home Depot and Target should move fast to react immediately when the crisis hits. The

company management should ensure the respective public relations office moves

swiftly to ensure rumors do not spread to the media and the customers. However, if the

matter is under legal investigation, they should assure the customers of their security and safety and

demonstrate confidence and calm. It is also important to avoid providing unconfirmed

information to the media, only to change it after the investigations are complete. In case the

real crisis is not known, maintain accessibility and appeal to the customers to be calm.

5. The companies should also tell the truth to the public and disclose all necessary

information such as the type of breach, timeline, affected customers and financial losses

the company has suffered. This should be followed by a public apology and an assurance to the

customers that all measures have been taken to ensure such a crisis cannot occur again in

the future. This requires providing information on the measures taken to ensure security

of the customer details and payment cards.

6. Outside the company, legislative tracking, media analysis, industry report, polls and

surveys should be factored in to ensure potential threats are brought to the surface. Within the

company, it is important to conduct a series of interviews with the senior management.

The business plans, previous experiences and relationships are analyzed. The industry

key contacts, media and oversight functions are identified and the existing communication

plans inspected and reviewed for relevance.

7. The companies should ensure a complete communication audit and develop an issues

manual. The communication document developed should contain the history and context

of the company involvement and the position of the company. The visibility levels should

be described and adversaries and allies identified.

Conclusion

Crisis management is a significant role of public relations in a given company. The failure

in crisis management can cause serious harm to company stakeholders and even the very

existence of the organization. Cyber crime poses a serious threat of financial loss to the company

that can lead to collapse of the organization. Public relations practitioners form a critical part of

the crisis management teams. Therefore, a set of best practices and lessons learned from

individual crisis management goals would be instrumental for the public relations professionals.

However, most companies often ignore their public relations office and rush to technological

advances. While technology will ensure future security, public relations would serve a bigger

purpose of maintaining the reputation of the company. Based on the two case studies, it would be

fair to conclude that there was average adherence to crisis communication strategies as

recommended by the aforementioned communication experts.


References

Burg, N. (2014). Five lessons for every business from target's data breach. Forbes. Retrieved

from: http://www.forbes.com/sites/sungardas/2014/01/17/five-lessons-for-every-business-

from-targe...

Egan, J., & Anderson, T. (January 01, 2015). Considerations for a Model of Public-Private

Sector Collaboration in the Provision of Disaster Relief.

Eric Weiss, N., & Miller, R. (2015). The Target and Other Financial Data Breaches: Frequently

Asked Questions. Congressional Research Service, 7-5700. Retrieved from

https://fas.org/sgp/crs/misc/R43496.pdf

Geneiatakis, D., Scheer, S., & European Commission. (2013). Personal data breaches: A

feasibility study on a cyber exercise. Luxembourg: Publications Office.

Greising, D. & Lisa V. (2014). In wake of Target, Home Depot tight with info in breach response.

Reuters

Hill, C. (2014). DOJ Indicts 3 Men Accused Of 'Largest Data Breach In History'. The Two-way

news from NPR

Home Depot Press Release: The Home Depot Reports Findings in Payment Data Breach

Investigation Retrieved from:

https://corporate.homedepot.com/MediaCenter/Documents/Press%2520Release.pdf

Home Depot Security Breach: Lessons learnt. bsi retrieved from:

https://corporate.homedepot.com/MediaCenter/Documents/FAQs.pdf

Home Depot. Customer update on data breach. Retrieved from:

https://corporate.homedepot.com/mediacenter/pages/statement1.aspx

In Hardy, M. (2014). Target store data breaches: Examination and insight.

Janczewski, L., & Colarik, A. M. (2008). Cyber warfare and cyber terrorism. Hershey:

Information Science Reference.

Joseph, A. (n.d.). Cybercrime definition. Retrieved January 27, 2015, from

http://www.crime-research.org/articles/joseph06/

Journal, March 26, 2014, at http://blogs.wsj.com/cio/2014/03/26/retail-association-card-security-

costs-outweighbenefits for many/.

Kassner, M. (2015). Anatomy of the Target data breach: Missed opportunities and lessons

learned. Security and privacy: New challenge.

Laasby, G. (2014). 53 million email addresses stolen in Home Depot data breach. Journal

Sentinel.

Morran, C. (September 18, 2014). Home Depot Confirms Data Breach; Started As Far Back

As April. Consumerist

Munson, L. (2014). Target data breach: Why UK business needs to pay attention,

Computerweekly.com

Reingold, J. (January 01, 2014). When Your Legacy Gets Hacked Frank Blake concluded his

stellar run as CEO of Home Depot with a smooth succession plan. But will his reputation

be singed by the company's gigantic data breach?. Fortune European Edition-, 170, 7, 22.

Retail Association: Card Security Costs Outweigh Benefits for Many,” Wall Street Journal: CIO

Senate committee on the Judiciary. (2014). Written testimony. Hearing on privacy in the digital

age: preventing data breaches and combating cyber crimes. Testimony of John Mulligan

executive vice president and chief financial officer of Target.

Timothy, K. (2015). Data breach bill moves forward in the House. The Hill.
