7.1 Project: Case Study 2013 Target Data Breach
Timothy Dunsmore
Southern New Hampshire University
PHL-260: Ethical Problem-Solving
Lori Swick
December 7, 2023
Part One: Case Analysis
The 2013 Target data breach was one of the most high-profile data breaches of the decade, impacting customers across the country. Cybercriminals used an email-based phishing scam to trick an employee of one of Target’s third-party vendors, an HVAC contractor, into providing their credentials (Young, 2021). The stolen credentials were then used to infiltrate Target’s network and install malware on several point-of-sale systems on November 15th. The malware was officially launched and began collecting customer data from Target’s point-of-sale systems on November 27th. Three days later, the malware was detected, and Target HQ was notified (Mukumbi, 2016). It was not until the U.S. Department of Justice notified Target about the malware on December 12 that Target began to investigate the incident. On December 19, 2013, Target released an official statement on the matter (Rockefeller, 2014).
The breach led to several point-of-sale systems being compromised by malware, giving cybercriminals access to millions of customers’ personal and financial data (Young, 2021). It is not known who was directly responsible for the attack; however, the malware, named “BlackPOS”, was coded and developed by two Russians, ages 17 and 23 at the time, who intended to sell the program for use in security testing (Kumar, 2014). It is believed they had the help of another anonymous programmer they met online, who used the program for malicious purposes. The malware, or portions of it, was later found to have been involved in other attacks as well (Kumar, 2014). Target faced many consequences in the aftermath of the breach, including recovery expenses, hundreds of lawsuits, decreased customer confidence, lost profits, and widespread criticism of the company’s delayed initial response (Steinberg, 2021).
The ethical issues of the case include Target’s failure to protect its customers’ data, the lack of transparency in Target’s initial response to the breach, and the potential violation of customers’ privacy rights (Young, 2021). The key members involved in the case include Target’s corporate leadership, the management team, the cybersecurity team, and the customers whose data was compromised. Accountability for effective risk management, the slow crisis response, and the reputational damage suffered rippled to the very top of Target leadership and across the entire retail industry (Steinberg, 2021). The significance of the case lies in the fact that it highlights the importance of cybersecurity and the need for organizations to take proactive measures to protect their customers’ data.
One ethical framework that can be used to analyze this case is the utilitarian framework. The utilitarian framework focuses on maximizing the overall happiness or well-being of society and on the impact of decisions. The principles from this framework that apply to the case include the need to protect customers’ privacy rights, the importance of transparency in communication, and the need to take proactive measures to prevent data breaches (SNHU, n.d.). The utilitarian framework can be used to examine the ethical issues of the case by evaluating the impact of Target’s actions on its customers and society, which assists in identifying the ethical implications of the case. For example, Target’s failure to protect its customers’ data resulted in a breach of their privacy rights and caused widespread financial and emotional harm. The breach led to several point-of-sale systems being compromised by malware, giving cybercriminals access to millions of customers’ personal and financial data. This caused a great loss of trust in Target and a decrease in customer confidence.
The ISC2 code of ethics is a collection of requirements that govern how information security professionals act, interact with others (including employers), and make decisions (Infosec, 2022). The 2013 Target data breach highlights several ethical issues that are addressed by the ISC2 code of ethics. Target failed to protect its customers’ data, which is a violation of the code’s principle of protecting society, the common good, necessary public trust and confidence, and the infrastructure. Target’s lack of transparency in its initial response to the breach is a violation of the code’s principle of acting honorably, honestly, justly, responsibly, and legally. The potential violation of customers’ privacy rights is also a violation of the code’s principle of providing diligent and competent service to principals (ISC2, n.d.).
The ISC2 code of ethics can be used to analyze the case by evaluating Target’s actions against the principles outlined in the code. Target’s failure to protect its customers’ data is a clear violation of the code’s principle of protecting society, the common good, necessary public trust and confidence, and the infrastructure (Infosec, 2022). By analyzing Target’s actions against the principles outlined in the code, it becomes clear that Target failed to meet its ethical obligations to protect its customers’ data and prevent data breaches.
There are many possible solutions to this case. A recommended solution is for Target to implement stricter cybersecurity measures and policies, such as encrypting customer data, updating its systems and software, conducting regular audits and tests, and training its employees and vendors on security best practices. This solution would prevent or reduce the likelihood of future data breaches, as well as enhance Target’s reputation as a responsible and reliable information security provider.
This solution’s strength is that it would address the root causes of the breach, such as the vulnerabilities in Target's systems and processes, and the actions of the cybercriminals. It would also demonstrate Target's commitment to improving its cybersecurity and protecting its customers' data. A limitation of this solution is that it would require significant time, resources, and expertise to implement, and it might not guarantee complete security or prevent future breaches, as cyber threats are constantly evolving and adapting.
The justification for this recommendation is that it is the most ethical solution, as it aligns with both the utilitarian framework and the ISC2 code of ethics. It would maximize the overall happiness or well-being of society by preventing or reducing the likelihood of future data breaches, which would otherwise cause widespread financial and emotional harm to customers and society. It would also protect society, the common good, necessary public trust and confidence, and the infrastructure, as required by the ISC2 code of ethics.
The recommended solution can be evaluated from the utilitarian ethical perspective, which focuses on maximizing the overall happiness or well-being of society and on the impact of decisions. The recommended solution might be seen as ethical, as it would prevent or reduce the likelihood of future data breaches that cause widespread financial and emotional harm to customers and society. According to a study by IBM, the average cost of a data breach in 2022 was $4.35 million, and the average time to identify and contain a breach was 277 days (Data Breach, 2023). It is also known that data breaches can have long-term effects on customer trust and loyalty, as well as on brand reputation and value. With stricter cybersecurity measures and policies, Target would not only save money and time, but also protect its customers’ privacy rights and enhance its reputation and trustworthiness. The solution would also align with the ISC2 principle of protecting society, the common good, necessary public trust and confidence, and the infrastructure, as it produces the greatest amount of good for the greatest number of people. By improving its cybersecurity and protecting its customers’ data, Target would benefit not only itself and its customers, but also society at large, as it would contribute to the common good and well-being of society by preventing or reducing the likelihood of future data breaches.
The recommended solution would have positive ethical implications, such as enhancing Target’s reputation and trustworthiness as an information security provider, increasing customer satisfaction and loyalty, improving Target’s cybersecurity and resilience, and contributing to the common good and well-being of society by preventing or reducing the likelihood of future data breaches. The recommended solution would also have negative ethical implications, such as imposing additional costs and burdens on Target, its employees, and its vendors: investing in new systems and software, conducting regular audits and tests, and undergoing training and education. It might also create new ethical challenges or dilemmas, such as balancing security and privacy, complying with different laws or regulations, or dealing with unforeseen or unintended consequences of the solution.
Part Two: Reflection
The 2013 Target data breach case study is a complex and challenging scenario that involves multiple ethical dilemmas. As an information security professional, I had to analyze the case from different perspectives and consider the potential consequences of my actions. Some of the difficult choices were:
Should the breach be reported to the authorities, or kept confidential for fear of legal repercussions or reputational damage?
Should the customers whose data was compromised be notified immediately, or should notification wait until the investigation was completed?
Should the established policies and procedures be followed, or deviated from if they are ineffective or inadequate?
My moral intuition of the case was that Target failed to protect its customers’ data and trust, and that it should take responsibility for its mistakes and compensate its victims. However, I also recognized that there were other factors that influenced the outcome of the case, such as human error, malicious actors, technical vulnerabilities, organizational culture, and market conditions.
My personal ethics helped to guide my conclusions by applying some ethical principles from the framework I used. For example, the principle of justice states that one should treat others fairly and equitably. In this case, this meant that I should respect the rights and interests of all parties involved in the case, such as customers, employees, vendors, regulators, media, etc. The principle of integrity states that one should be honest and truthful in one’s actions and communications. In this case, this meant that I should disclose relevant information accurately and transparently.
How different the solutions might have been had I used a different ethical framework depends on which framework is chosen. For example, if you use a deontological framework, you may focus on following universal moral rules or duties regardless of their consequences. A possible solution using this framework could be to report the breach as soon as possible but refuse to cooperate with any external inquiries or investigations unless they are authorized by law. If you use a virtue ethics framework, you may focus on developing your moral character traits or virtues, such as courage, wisdom, and justice, rather than following specific rules or principles. A possible solution using this framework could be to report the breach honestly but also acknowledge your own limitations and mistakes.
The ISC2 professional code of ethics aligns with my interests or values because it provides me with a clear set of guidelines for conducting myself ethically as an information security professional. It also helps me to maintain my credibility and reputation in my field.
The importance of this code of ethics in society is evident because it affects not only individuals but also organizations and communities at large. By adhering to this code of ethics, information security professionals can contribute to protecting society’s safety and welfare from various threats such as cyberattacks, identity theft, fraud, etc. They can also foster trust and confidence in technology by demonstrating their competence and integrity.
References
Data Breach Action Guide | IBM. (2023). https://www.ibm.com/reports/data-breach-action-guide#:~:text=It%20takes%20277%20days%20on
Infosec. (2022, March 7). The (ISC)2 code of ethics: A binding requirement for certification. Retrieved November 8, 2023, from https://resources.infosecinstitute.com/certifications/cissp/the-isc2-code-of-ethics-a-binding-requirement-for-certification/
ISC2. (n.d.). ISC2 Code of Ethics. Retrieved November 8, 2023, from https://www.isc2.org/Ethics
Kumar, M. (2014, January 21). 23-year-old Russian hacker confessed to be original author of BlackPOS malware. The Hacker News. https://thehackernews.com/2014/01/23-year-old-russian-hacker-confessed-to.html
Mukumbi, K. (2016). Target's debit/credit card data breach. In Sage Business Cases. SAGE Publications, Ltd. Retrieved November 8, 2023, from https://doi.org/10.4135/9781473953369
Rockefeller, C. (2014, March 26). A “Kill Chain” Analysis of the 2013 Target Data Breach. U.S. Senate Committee on Commerce, Science, & Transportation. Retrieved November 8, 2023, from https://www.commerce.senate.gov/services/files/24d3c229-4f2f-405d-b8db-a3a67f183883
SNHU. (n.d.). Guide to Ethics. Brightspace. https://learn.snhu.edu/d2l/le/content/1432820/viewContent/28037553/View
Steinberg, S., Neary, A., & Neary, S. (2021). Target cyber attack: A Columbia University case study. Columbia SIPA. Retrieved November 8, 2023, from https://www.sipa.columbia.edu/sites/default/files/2022-11/Target%20Final.pdf
Young, K. (2021, November 1). Cyber case study: Target data breach. CoverLink Insurance - Ohio Insurance Agency. Retrieved November 8, 2023, from https://coverlink.com/cyber-liability-insurance/target-data-breach/