Target Data Breach Case Study PDF

Title Target Data Breach Case Study
Author Taylah Lloyd
Course White Collar Crime
Institution Griffith University
Pages 9


Introduction

Cybercrime is an increasing threat due to society’s growing technological presence and reliance on technology (Australian Federal Police, 2019). This case study will first provide an overview of the Target data breach cybercrime case, outlining who was involved, the crimes committed, and the damage caused. It will then describe and explain two theories and apply those theories to this cybercrime case to help explain why this crime was committed. Lastly, this case study will discuss possible prevention strategies for this cybercrime, as well as for possible future cybercrimes, based on the theories discussed earlier in this case study.

Case Overview

The Target data breach occurred between November 27th and December 18th of 2013 (Weiner, 2018). During this breach, 40 million credit and debit card numbers along with 70 million records of personal information were stolen (Weiner, 2018). A Latvian hacker, Ruslan Bondars, aged 37, was found guilty of creating ‘Scan4You’, the program used by the hacker to assist them in gaining access to Target’s systems, and was sentenced to 14 years’ imprisonment. Bondars did not, however, have any direct involvement in the breach itself, and it is believed the hacker who committed the breach on Target’s database was most likely a Ukrainian named Andrey Hodirevski (Weiner, 2018). The ‘Scan4You’ program can be used by hackers to determine whether a certain security system would deem their software malicious or whether they would gain access to the system undetected. However, as stated by the court, the program ‘Scan4You’ was not actually used to breach Target’s systems or steal any information; it was used by the hacker to determine where in Target’s system client information was stored (Weiner, 2018).
Bondars stated in court that the malware used by the hacker was run through an anti-virus detection program and that Target’s security system did in fact detect the breach but ignored it (Weiner, 2018). The direct victims of this data breach are the customers who shopped at Target in the US using a debit or credit card between the 27th of November and the 18th of December 2013 (Morad, 2019). These victims had many things stolen, including personal information such as email addresses and phone numbers, encrypted PIN data, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of cards (Morad, 2019). All this information could have been used by the hacker to commit identity theft and use the victim’s information to access their money, use their identity to open new credit cards and bank accounts, and even apply for loans.

The other victim within the case is Target. Though some people may think they are partially at fault due to detecting the threat but ignoring it, they are still a victim within this case. Their ‘secure’ systems were compromised, and their customers’ information stolen. The effects on their business could have been detrimental: customers not returning to shop at Target for fear of their personal information being stolen, their stocks taking a hit within the economy, and the costs of having their security system resecured and upgraded, which included designating a chief information security officer and maintaining a written information security program. Target also had to provide additional security training to their employees (Morad, 2019). But perhaps the costliest aspect for Target was the settlement they made with the customers affected by the data breach, offering $10,000 to any customer who could provide evidence of unauthorised, unreimbursed charges on their credit or debit cards and/or damage to their credit report. As part of the settlement Target also offered one year of free credit monitoring and identity theft protection to all customers who shopped in U.S. stores (Morad, 2019). According to Target’s 2016 Annual Report (Target, 2016), the total cost to them as a result of the data breach was $292 million as at 2016.

Theory Description and Review

The first theory that will be discussed within this case study is routine activities theory. Cohen and Felson (1979) developed the key concepts of routine activities theory, stating that crime needs three key elements to occur. These are: a motivated offender, a suitable victim or target, and the absence of a guardian who could prevent such a crime from taking place (Ministry of Children, Community & Child Services, 2019).
Crimes occur when all three key elements converge in time and space. Routine activities theory is a macro-level view, as it looks at the social and economic changes that can influence crime within a society (Ministry of Children, Community & Child Services, 2019). Cohen and Felson (1979) express that the absence of one of these key elements would result in the crime being avoided or prevented. For example, when routine activities start to shift from people’s homes to other locations, the likelihood of crime increases. This is because the motivated offender and suitable targets converge in time and space while the individuals are not home: their house is not only a suitable target but also free of a guardian to prevent the crime from occurring, thus all three key elements are present, and the crime is highly likely to be committed (Criminal Justice, 2019).

The biggest development within the theory was its extension to further specify the necessary elements required for a crime to take place and to identify those who have the power to prevent it (Criminal Justice, 2019). Those who have the potential to prevent these crimes from occurring are collectively known as controllers, though they have specific names depending on what they are watching over (Criminal Justice, 2019). For example, those who exert some social control over potential offenders are known as handlers. Guardians are those who protect suitable targets within society; for example, an individual walking with a colleague to their car late at night. Lastly, managers, such as a landlord, an apartment manager or a store manager, watch over specific places (Criminal Justice, 2019). Through further developing and identifying those who are capable of preventing crimes, policies were able to be put in place to prevent future crimes from occurring. There isn’t much literature or research on routine activities theory’s applicability to white-collar crime in general, let alone cybercrime specifically. What is noted, however, is that routine activities theory can be used to examine potentially criminal situations and assist professionals in putting adequate precautions into action to prevent crime from occurring in the first place (Maes, 2011). However, routine activities theory can be used to do this for all crimes, not just white-collar crime or cybercrime.

The second theory that will be discussed within this case study is the person x situation interaction model. The person x situation interaction model is the theory that different situations and circumstances affect personality and behaviour in different ways.
For example, an individual behaves differently at a funeral than they would at a sporting event or a wedding because those different situations and environments provide completely different atmospheres, one sad and grief-ridden, the other fun and celebratory (Personality Psychology, 2019). The theory also notes that some individuals are quiet and introverted both at funerals and at a sporting event or wedding, suggesting that personality is also a strong reason why people engage in certain behaviours and even commit crimes (Personality Psychology, 2019). The theory expresses that both personality and situations/environment interact to produce certain behaviours.

There are no further developments of this theory that expand on the key elements above. There is also no research or literature that directly links the person x situation interaction model to white-collar crime or cybercrime specifically.

Application of Theory

Using routine activities theory, we can begin to explain how this cybercrime occurred. Routine activities theory is the concept that a crime is committed when three key elements converge in time and space: a motivated offender, a suitable target, and the absence of a guardian (Ministry of Children, Community & Child Services, 2019). The Target data breach was committed by a hacker who was extremely motivated to gain customer information and use such information to gain money and power over those individuals from whom they stole personal information. They used a program, ‘Scan4You’, to determine if Target was a suitable target/victim for them to prey on. In other words, they used the program to determine if Target had the magnitude of personal information for them to gain access to, an amount that would provide them great power and control over Target and their customers (Weiner, 2018). The program also allowed them to determine where they would find the customer information they were looking for, as well as whether they would gain access to Target’s systems undetected. There are two possible guardians in this case. The first is a parent or significant other (depending on the hacker’s age; if they were younger and living at home, a parent would have been more present in their lives) who could have kept an eye on the hacker to see if any of their actions or behaviour was suspicious leading up to the offence. The second guardian in this case was Target’s security systems, whose role was detecting the threat and preventing it from accessing the data sought; Target’s security systems detected a threat, however ignored it, and thus the breach occurred.
Once the motivated hacker had determined a suitable target and realised the absence of a guardian to ‘protect’ the target or prevent them from committing the offence, in other words once all three elements had converged in time and space, meeting together in a single moment, the crime was committed. By applying the routine activities theory, we can identify the key elements of the theory specific to the Target data breach case and are then able to determine ways in which this crime could have been avoided and prevent these types of crimes (cybercrimes) from reoccurring in the future.

Using the person x situation interaction model, we can also explain how this crime occurred. The person x situation interaction model is the theory that people’s behaviour is determined by the combination of the situations they face and their personalities (Personality Psychology, 2019). In the criminal sense, it means that most crimes are committed when someone with high criminality is placed in a highly criminogenic situation, a criminogenic situation being an environment that contributes to criminal behaviour and worsens criminal tendencies (US Legal, 2019). The model expresses that the higher the criminality and the more criminogenic the situation, the more likely crimes are to occur. With the Target data breach, the hacker was highly motivated and knowledgeable about how to commit this crime undetected and without immediate consequence, and how to use the information gained to their advantage, clearly showing their high criminality. When they were placed in a highly criminogenic situation or environment, in this case the clear opportunity to commit the breach without being caught by Target’s security systems, the crime was committed. Through this examination and application of the person x situation interaction model, we are able to recognise that, according to the model, the high criminality of the hacker and the highly criminogenic environment made this crime extremely likely to occur.

Implications of Theory for Prevention

The implications of routine activities theory for prevention are: decreasing the offenders’ motivations, decreasing suitable targets, and increasing capable guardians by increasing the number of guardians and increasing the capability of existing guardians (Bartlett CCJ218, 2019).
There are a few prevention strategies, founded on routine activities theory, that could have been used to prevent the Target data breach and could be used in the future to prevent similar cybercrimes. The first prevention strategy is linked to the key element of routine activities theory of decreasing offender motivations. By decreasing the motivations or benefits of committing a crime, the offender is less likely to commit the crime, as they would not deem it ‘worth it’ when weighing up the risks and the benefits. This removes one of the key elements that, according to routine activities theory, must be present and converge in time and space for a crime to be committed. The prevention strategy that could have been used to decrease the offender’s motivation is having the customers’ personal information stored in another system or place, or not stored at all. Removing the customers’ personal information from the main system and storing it in a separate place that is continuously monitored by individuals who only monitor that smaller system could have prevented the breach, as the offender may have decided that, due to the added effort and higher risk, the risks were too high compared to the benefits of succeeding and that it was therefore not worth the attempt. Also, if the customers’ personal information was not stored at all, the offender’s motivation would be completely eradicated, as there is no option to steal something that doesn’t exist on a database. Thus, reducing the offender’s motivations would have significantly reduced the chances of this crime being committed.

The second prevention strategy is linked to guardians: ensuring there are increased numbers of guardians as well as increased guardian capabilities. Increasing the number of guardians increases the probability that at least one is present and able to prevent the crime from occurring. The more eyes on the system, the more likely someone will spot the threat. This removes one of the key elements that, according to routine activities theory, must be present and converge in time and space for a crime to be committed. The prevention strategy that could have been used to increase guardians and their capabilities is hiring more cyber security personnel. It is stated in an article by Marks (2017) that the Target security system did in fact show threats, however the human security team in Bangalore missed them. If there were increased personnel in this team, with more eyes on the system to sweep over it for threats, it would have been more likely that someone within that team would have picked up on the threat, reported it and prevented the crime from occurring.
Thus, having an increased number of guardians would have increased the chances of the threat being caught and ultimately the crime prevented.

The implications of the person x situation interaction model for prevention are: screening out individuals of high risk with criminal history checks, and reducing the criminogenic properties and opportunities of the situation with internal controls and policies (Bartlett CCJ218, 2019). The prevention strategy that could have been used to reduce the criminogenic properties of the situation is the introduction of internal controls and policies. As stated earlier, as part of Target’s settlement they had to have their security system resecured and upgraded, which included designating a chief information security officer and maintaining a written information security program (Morad, 2019). This step could have been taken at the beginning of their data storage system creation to ensure that there were no breaches to their systems and no customer information stolen. Though this would have cost Target money to implement, if this was implemented at the beginning, before the data was beginning to be stored, then the breach would never have occurred and the other costs Target have endured as a result of the data breach would be non-existent, thus saving them money in the long run and ensuring the security and safety of their customers’ personal information. Thus, by implementing these policies and internal checks this cybercrime could have been prevented.

Conclusion

In conclusion, by applying routine activities theory and the person x situation interaction model to certain cases/crimes we can begin to explain why these certain crimes are committed. We are also able to help establish ways in which those specific types of crimes (cybercrimes) could have been prevented and ways in which these preventions can be applied to other types of white-collar crime.

References

Australian Federal Police. (2019). Cyber Crime. Australia Federal Police. Retrieved 16th of January, 2019 from https://www.afp.gov.au/what-we-do/crime-types/cyber-crime

Bartlett, D. (2019). CCJ218 White Collar Crime: Theories of White Collar Crime [Lecture]. Retrieved 16th of January, 2019 from https://bblearn.griffith.edu.au/webapps/blackboard/execute/displayLearningUnit?course_id=_72902_1&content_id=_4132823_1

Cohen, L.E., and Felson, M. (1979). Classics in Environmental Criminology. In M. Andresen, P. Brantingham and J. Kinney (Eds.), Social Change and Crime Rate Trends: A Routine Activity Approach (pp 588-608). Boca Raton: CRC Press.

Criminal Justice. (2019). Routine Activities Theory. Criminal Justice. Retrieved 16th of January, 2019 from http://criminal-justice.iresearchnet.com/criminology/theories/routine-activities-theory/2/

Marks, S. (2017). What Target Should Have Done to Prevent Their Security Breach. Business.com. Retrieved 16th of January, 2019 from https://www.business.com/articles/target-done-prevent-securitybreach/

Maes, J.A. (2011). Can Routine Activities Theory Be Applied to Explain White Collar Crime? A Crime-Specific Analysis Using Reverse Redlining. Regis University. Retrieved 16th of January, 2019 from https://epublications.regis.edu/cgi/viewcontent.cgi?article=1479&context=theses

Ministry of Children, Community & Child Services. (2019). Review of the Roots of Youth Violence: Literature Reviews, Volume 5, Chapter 3. Retrieved 16th of January, 2019 from http://www.children.gov.on.ca/htdocs/English/professionals/oyap/roots/volume5/chapter03_rational_choice.aspx

Morad, R. (2019). Target Data Breach Victims Could Get Up to $10,000. Life Lock | Data Breaches. Retrieved 16th of January, 2019 from https://www.lifelock.com/learn-data-breaches-target-data-breachvictims-could-get-up-to-10000.html

Personality Psychology. (2019). Person Situation Interaction. Doctor Steve Abel. Retrieved 16th of January, 2019 from https://www.doctorabel.us/personality-psychology/personsituation-interaction.html

Target. (2016). Annual Report 2016. Retrieved 16th of January, 2019 from https://corporate.target.com/_media/TargetCorp/annualreports/2016/pdfs/Target-2016-AnnualReport.pdf?ext=.pdf

US Legal. (2019). Criminogenic Law and Legal Definition. US Legal Definitions. Retrieved 16th of January, 2019 from https://definitions.uslegal.com/c/criminogenic/

Weiner, R. (2018). Hacker linked to Target data breach gets 14 years in prison. The Washington Post. Retrieved on the 16th of January, 2019, from https://www.washingtonpost.com/local/publicsafety/hacker-linked-to-target-data-breach-gets-14-years-in-prison/2018/09/21/839fd6b0-bd17-11e8b7d2-0773aa1e33da_story.html?noredirect=on&utm_term=.fdcfffbb101a...

