Page 62 - Cyber Defense eMagazine January 2023
P. 62
● Monitor press coverage to assess what requires a public statement, discussing the incident
publicly only when relevant decision makers have reached consensus on the narrative.
Target’s 2013 data breach and Home Depot’s 2014 data breach are instructive in what to do, and what
not to do, regarding communication following an incident.
A forensics firm Target hired to investigate its breach found that hackers stole information connected to
roughly 40 million credit and debit card accounts. The perpetrators also obtained about 70 million Target
customers’ personal information. Target became aware of the incident when U.S. Department of Justice
officials alerted the company that stolen data was online and people had begun to report fraudulent credit
card charges.
Home Depot’s breach resulted in hackers gaining access to roughly 40 million customers’ payment card
data. The company also said the cyberattack exposed the email addresses of at least 52 million.
Target initially denied many of the breach claims, and pushed a message that conveyed there was
“nothing to see here.” That only fanned the flames of public unrest once the breach realities became
undeniable.
Home Depot, in contrast, swiftly publicly acknowledged the breach, explained their action plan and
executed a process that felt competent.
Both companies endured negative consequences. The company’s chief information officer resigned in
March 2014. Target’s CEO resigned in May 2014. Target reported in 2016 that its breach cost $291
million. The company settled with 47 states and the District of Columbia for $18.5 million in 2017.
Home Depot in 2020 reached a $17.5 million settlement after a multistate investigation into its incident.
The company said the breach cost the company $198 million.
Public perception of the two companies were and remain different, however, due to the respective
differences in communication strategies Target and Home Depot deployed.
We don’t know whether Home Depot had a plan in place then executed a comprehensive incident
response plan. But its transparency and structured, effective communication regarding the breach paid
off.
Cyber Defense eMagazine – January 2023 Edition 62
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.