●  Monitor press coverage to assess what requires a public statement, discussing the incident
                       publicly only when relevant decision makers have reached consensus on the narrative.


            Target’s 2013 data breach and Home Depot’s 2014 data breach are instructive in what to do, and what
            not to do, regarding communication following an incident.

            A forensics firm Target hired to investigate its breach found that hackers stole information connected to
            roughly 40 million credit and debit card accounts. The perpetrators also obtained about 70 million Target
            customers’ personal information. Target became aware of the incident when U.S. Department of Justice
            officials alerted the company that stolen data was online and people had begun to report fraudulent credit
            card charges.


            Home Depot’s breach resulted in hackers gaining access to roughly 40 million customers’ payment card
            data. The company also said the cyberattack exposed the email addresses of at least 52 million.


            Target  initially  denied  many  of the  breach  claims,  and  pushed  a  message  that conveyed there was
            “nothing to see here.” That only fanned the flames of public unrest once the breach realities became
            undeniable.


            Home  Depot,  in  contrast,  swiftly  publicly  acknowledged  the  breach,  explained  their  action  plan  and
            executed a process that felt competent.

            Both companies endured negative consequences. The company’s chief information officer resigned in
            March 2014. Target’s CEO resigned in May 2014. Target reported in 2016 that its breach cost $291
            million. The company settled with 47 states and the District of Columbia for $18.5 million in 2017.


            Home Depot in 2020 reached a $17.5 million settlement after a multistate investigation into its incident.
            The company said the breach cost the company $198 million.


            Public  perception  of  the  two  companies  were  and  remain  different,  however,  due  to  the  respective
            differences in communication strategies Target and Home Depot deployed.

            We  don’t  know  whether  Home  Depot  had  a  plan  in  place  then  executed  a  comprehensive  incident
            response plan. But its transparency and structured, effective communication regarding the breach paid
            off.








            Cyber Defense eMagazine – January 2023 Edition                                                                                                                                                                                                       62
            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.