A Case Study Analysis Target and Home Depot Data Breaches

Name of Student

A Case Study Analysis Target and Home Depot Data Breaches

Introduction

Data privacy and cyber security are real risks to companies: in the wake of data breach, most employees may be terminated or face personal liability, the company may face regulatory investigations, multitude lawsuits, disruption of business, fall of stock price, and the reputation of the enterprise may weaken. Hacking is a serious issue, a potential threat to every computer system. Cybercrime or internet hacking, according to Computer Crime Research Center Aghatise E. Joseph is an internet crime committed using a computer as a tool or a victim targeted (Joseph, n.d.). Notably, it is much challenging to categorize general internet crimes into distinct groups since most cyber crimes evolve on a daily basis. However, public relations professionals provide a proportionate procedure of handling internet security crises to restore the company reputation. It all counts down on trust of the consumers to the company that their personal information will be safe despite the crisis. Therefore, how companies respond to data breaches can damage or build the corporate reputation and hard-earned trust. Since data breaches compromises are often complex, the procedure of making a rapid communications decisions required to curb the potential harm of the data breach is often challenging.

The situations are often further complicated owing to the reality that every data breach differs from the other, and there may be no precedent within the organization to respond to the crisis. The impact of mishandled breach can reach throughout the business both in short and long-term; lost sales, bad press, litigation and mitigation alongside uphill battle to rebuild the company reputation. Apparently, most of the breaches involved compromise or theft of identifiable information, such as addresses, names, and social security numbers. Many

with a good reason. Besides the occurrence of numerous high-profile hack attacks, the year incorporated various lesser known incidents that nevertheless led to significant theft records, according to a report by Timothy, (2015). Breach crimes went up to a total of 1, 540 representing 46 percent from the increase 1,056 in 2013.

More importantly, the dramatic rise in data records involved in the breaches that jumped 78 percent from approximately 575 million in 2013 to more than one billion in 2014 (Timothy, 2015). Following the time perspective, in 2014 alone, some 2,803,036 data records were stolen every day, 116,793 every hour and 1,947 every minute and so on (Timothy, 2015). Despite the growing interest of technological encryption as a security measure to protect privacy and

information, only 58 percent of the data breach incidents in 2014 representing less than 4 percent of the total involved that was encrypted in fully or partially. However, beyond the numbers were the economic, social, and political impacts of the breaches. Some of the big data breaches in the year 2014 names Home Depot and entertainment company Sony Pictures Entertainment. This reality- based case study will examine two examples of cyber crime that happen in 2013/2014: the data breach at Target and the one at Home Depot. This study highlights the strengths and weaknesses of public relations at Target and Home Depot during their recent data breach crises. The public relations and marketing plans that Target and Home Depot pursued while they were victims of cyber crime will be analyzed, followed by communications recommendations that may help keep an already bad situation from becoming worse. The case study prepares a robust analysis of data breach crisis response using Target and Home Depot. It identifies the data breach scenario in the company, their response followed by evaluation and recommendation of data breach response based on public relations literature.

Cyber attacks make news headlines almost every day these days, essentially, when they hit global credit card companies, major retailers, and high-tech leaders. Recently, financial data breaches have exposed a good number of company’s personal information concerning finances, healthcare, personally identifiable information (PII), and legal issues. The criminal act of cyber has predominantly been affected by outside hacking computer systems of institutions and the insiders with or without authorized access to the information. According to Timothy (2015), 78 percent of all records compromised during the initial six months of 2014 were exposed as a result of the outside hackers. More recently, Target and Home Depot has fallen victims of these

incidences recording huge financial losses. Specifically, Home Depot reported 56 million

customer email addresses and payment cards while Target reported 40 million payment cards and 70 million records of customer names, telephone numbers, addresses, and emails.

Background of Data Breach

While there are emerging efforts to promote internet security systems, hackers continue to poke holes in a number of industries, instigating disorder to both the consumers and the corporations that trust their information will be protected. Definitely, mishandling of consumer data and inadequate company safeguards can come at a high price from lawsuits and consumer mistrust, resulting in devalued company stocks. Primarily, the security data breaches at Target and Home Depot cost the company approximately $248 million and 3 billion dollars

respectively.

Home Depot Data Breach

Home Depot retail references an American based retailer dealing with home

Depot Company indicated that cyber criminals armed with custom-built malware stole

approximately 56 million cards numbers from the customers from April to September 2014. The disclosure made the crime the biggest incident card breach on record.

The disclosure that was first released in September indicated that the malicious software used by the unknown cyber criminals to steal debit and credit cards was mainly installed on the payment systems in the self-checkout at retail stores. While investigations revealed that the criminals stole fewer cards in the period of five months breach than they might otherwise. Home Depot release dated September 18, 2014, through investigations indicated that the cyber thieves used unique, custom built malware to evade detection. Apparently, the malware had not been seen previously in other cyber attacks, according to the Home Depot security partners (Home Depot Security Breach, 2014). It is estimated that the cyber attack put payment card information at risk for nearly 56 million unique payment debit and credit cards. Hill, (2014) finds that that the malware is believed to have been present from April to September 2014. Besides, Home Depot statement established that it had completed a security upgrade that would deter any further breach of its system in its retail stores in United States and would roll out updated and enhanced encryption of the stores in Canada. According to Home Depot Security Breach (2014), the terminals identified with the malware were taken out of service and eliminated from the systems of the company. Today, the Canadian debit and credit cards have chip technology that protects the customers. Home Depot subsequently assured the customers that there is no evidence the cyber criminals gained access to the customers PINs.

Target Data Breach

major credit card data breach between November 27 and December 25, 2013. The released statement confirmed a previous report of the December 18 data breach. A report by In Hardy, (2014) indicates that Target engaged both the federal law enforcement including private incident response firm and U.S Secret Service to investigate the nature and scale of the data breach. However, on December 23, Target suggested that malware installed on point of sale (POS) terminals provided an edge for the breach, a fact that the statement release of the company confirmed in early January 2014. However, Target representatives have released little narrative and technical detail on the attacks, which is often typical for institutions that have suffered cyber crime incidences.

According to reports from the media, financial institutions responded to the Target Breach by issuing new credit and debit cards of their cardholders while others decided to depend on antifraud monitoring approach. More specifically, Wells Fargo, JPMorgan Chase, and

Citibank replaced their debit cards, rather than credit cards, U.S Bank and Bank of Africa depending on the detection of the fraud (Geneiatakis, Scheer & European Commission, 2013). Most currently, Target reported that the data breaches costs 248 million dollar. However, independent sources made back to back envelope and estimated that it ranges from 240 million dollars to 2.2 billion dollars in fraudulent charges alone. Yet this is exclusive of the additional potential costs to consumers concerned about personal information or credit histories; penalties or fines to Target and financial institutions (Weiss & Miller, 2015). The data breach of Target was alongside that of Home Depot was one of the numerous cyber crimes in the history of United States. The concerns of consumers over the Target data breached fueled further congressional attention on its data security. Therefore, the Congress held seven hearings on six various committees related to these topics to examine the events surrounding Target breach. The

hearings, according to Weiss and Miller (2015), was predominantly held to ensure improvement of the data security standards, notifying consumers when their data have been compromised and protecting consumers’ personal information data.

Case Studies

Target Corporation

credit cards account numbers and details were stolen. Furthermore, in the month of January 10, 2014 the company announced that personal information, including addresses email addresses, names, and phone numbers of nearly 70 million customers were also stolen during the cyber crime act. Owing to the testimony of Target vice president and financial executive to the Senate, a report was released by the committee of Senate that concluded that Target missed opportunities to prevent the data breach crime. According to Kassner (2015), the November-December

incident involved cyber criminals that successfully collected, staged and eventually exfiltrated data related to credit and debit payment cards. Notably, a number of finer details remain unclear; however, quite a few have emerged. Speculations streamed from various reliable sources

maintaining that the security products of Target Corporation never had in place that was necessary to stop the breach.

Target Corporation involved both the federal law enforcement including the US Secret Service, and private incident response firm that aided in the investigation of scale and nature of the data breach. Besides, Target suggested that the malware installed on the POS terminals was the significant component of the breach as confirmed by the company in January 2014. Target representatives, however, released little technical detail on the attacks that indicate a downturn in obtaining verifiable details about the cyber crime (Janczewski & Colarik, 2008). Widespread speculations have emerged on how the cyber criminals successfully executed the large-scale attack that went undetected for approximately three weeks. Despite assertions that payment card companies obligates any enterprise accepting payment card to adhere to the PCI rules

highlighting security of their payment card processing, Target testified that its systems were reviewed in September 2013 and certified as compliant (Janczewski & Colarik, 2008).

not encrypted. However, media reports indicate that a malware known as a “memory scraper” captured information from the payment cards of the customer by reading the memory of the POS system before it got encrypted (Munson, 2014). In a nutshell, the reports from both the media and the company provides that an intruder obtained the credentials of a vendor that enabled the access to the Target vendor billing and invoicing system that escalated the intrusion in the POS system of target. This allowed the introduction of the malware into target’s POS system, and the initial warnings about the malware got ignored by the security professionals of the company. As such, the software of Target was used to spread the malware to virtually all of Targets POS devices. Besides, the credit and debit cards data were stored in innocuously named files that was sent to servers outside the system of Target and then on the other servers. Surprisingly, the warnings about communicating the data were overlooked.

The company estimates that the 40 million payment and 70 million PII data breaches had at least 12 million people in common, translating to a figure of 98 million as the number of the affected customers, according to Retail Association (2014). Additionally, the Fazio Mechanical Services that provided ventilation, heating, and air conditioning (HVAC) services for the

company indicated that it was used to breach the payment system of Target. Accordingly, reports indicates that a Fazio computer authorized to submit project management and contract billing to the company reportedly was compromised by the intruders, the report reads. Besides, media reports provided that Fazio became a victim of phishing email containing the malware that was used to install other malware on the network of target, including Target’s POS system that records card transactions and all payments (Retail Association, 2014).

Target Breach Timeline

data breaches due to cyber crimes rarely publish their detailed timelines. However, Target

became an exception to this rule, perhaps because the company senior management was made to testify before the Congress. Senate committee on the Judiciary (2014), reports that according to testimony of Target executive vice president and chief financial officer, John J. Mulligan, the documented significant dates of the crimes are as follows.

The testimony indicates that on November 12, 2013 Cyber criminals or intruders breached the computer system of Target Company. It is anticipated that the intrusion was detected by the company security systems, yet the security professionals of Target failed to take any action until the time the law enforcement of the breach provided a notification (Senate committee on the Judiciary, 2014). In December 12, 2013, the Senate records, the Department of Justice (DOJ) provided a notification to Target that there was an apprehensive activity involving the debit, credit and ATM cards that had been used in the company. On December 13, 2013, senior officials from Target met with the Department of Justice and the United States Secret Service for further information on the suspicion. On December 14, 2013, the company hired external professionals to offer a robust forensic investigation into the matter. On December 15, 2013, Target released a statement confirming that malware had been installed and that most of the malware had been eliminated.

As time goes by, on December 16 and 17 of 2013, the company provided a notification to the payment processors and card networks that the breach had indeed occurred (Senate

committee on the Judiciary, 2014). December 18, 2013 the company removed the remaining malware and in the 19th of December 2013, the company released an official public

9, 2014, Target discovered the theft of PII and on January 10, 2014 the company confirmed through a public announcement that PII had been stolen (Senate committee on the Judiciary, 2014).

Home Depot Case Study

Home Depot is a retail business with 2,266 stores and 79 billion dollars in annual revenue. Previously, before the hackers intruded into the payment accounts of Home Depot, the stores in Canada and US, it had suffered to smaller hacks. However, the company confirmed the major hack on September 8, 2014 nearly one week after credit card data that was linked to its customers went up for sale on a black-market website, according to (Laasby, 2014). The hack put 56 million cards of the company at risk and more than 40 million Target, breach victims. Internal documents of Home Depot, according to Laasby, (2014), indicated that the Atlanta-based retailer had chosen to keep extra measures on security deactivated despite being designed to detect intrusion of any malicious software in the system. The reports provided in a statement from Home Depot indicated that the cyber criminals used custom-made software to evade detection, thus relying on tools that had never been used in account hacking.

Home Depot Customer update on data breach reports that a massive batch of debit and credit cards belonging to Home Depot went on sale on a criminal internet site that lined the hackers to Target and P.F. Chang’s. The credit card information got offered on sale a day after the underground site that had stolen financial information. According to the reports, the breach could have begun in late April 2014, according to Krebs security reports. Besides, Home Depot

confirming that a breach occurred, and that effort were being made for instant notify the

customers (Reingold, 2014). However, Home Depot press never released any specifics related to the duration the malware was in its systems, the points of sale compromised, and how the

hackers gained access to its networks, according to Reingold (2014). However, rumors leaked that there may be an insider connection that allowed the hackers to gain access to Window XPe terminals of Home Depot.

While limited details were provided to the public about Home Depot data breach, sources familiar with the investigation referenced that the hack never hit the registers of the store. A press statement later released by Home Depot that outlined the findings of the inquiry of the data breach confirmed that the criminals used a third-party vender’s username and password to access the perimeter of the company network. The stolen credentials alone; however, never provided direct access to the point of sale devices of Home Depot (Egan & Anderson, 2015). Thereafter, the hackers acquired elevated rights that made them to navigate portions of network of Home Depot and to deploy unique, custom-built malware on its self-checkout systems in Canada and U.S. Additionally, the previously disclosed payment card data, the statement reads, separated the files containing nearly 53 million email addresses that were also stolen during the breach. However, the statement confirmed that the files never contained passwords and payment card information or other sensitive personal information.

Home Depot Timeline of Data Breach

suggesting that the cyber criminals were stealing from card data from Home Depot, marking five full days after the data breach news first broke. Moreover, Home Depot acknowledged that on Monday, September 8, 2014, that it had suffered a breach of debit and credit card involving its members in Canada and U.S. stores dating back to April 2014 (Egan & Anderson, 2015). Despite the retail acting swiftly to assure its customers and the financial institutions that there was no debit card PIN was compromised, reports came that multiple financial institutions have experienced a steep increase over the previous day in fraudulent ATM withdrawals on the customer accounts (Home Depot Press Release, 2014).

On September 9, 2014, Home Depot confirmed that a network intrusion has led to the compromise of its customer credit and debit payment card data for potentially the customers in the entire unit that shopped at the retailer dating back to April 2014 (Home Depot Press Release, 2014). On that very day, the details started after a well-known security blogger reported that a large quantity of the stolen cards for the customers started to appear in underground markets. Home Depot, therefore, on September, 13, 2014 rolled out the encryption project in its U.S. and Canada stores that was then estimated to be complete early in 2015.

Home Depot Respond

established the parameters of the breach to disclose other details finally. Frequently, the company released statements aimed at updating the customers on the investigation into the breach in the payment data system (Morran, 2014). Finally, the company confirmed that hackers stole separate files containing credentials of the clients, and every effort was made to notify individual

customers that became a victim of the breach. Constantly, the company assured the customers that they were not liable for the fraudulent charges to their accounts and offered a free identity protection services such as credit monitoring to the customers that used payment cards at home Depot from April 2014.

Despite responding a week later, the company provided an initial press release denying the breach justifying that they had no facts on the breach. However, the company later provided a detailed report on the data breach, though the company never specified what information was stolen by the hackers. Also, reports indicated that payment cards had gone up for sale on an online black market that indicated that they contained adequate data to create a fake card. Home Depot also failed to provide the timeline of the data breach, however, insisted that the

Home Depot acknowledged that the size of the hack made it more likely for the company to face steep costs. The finance security professionals led by Bill Guard estimated the potential cost f the fraud to cost as high as 3 billion dollars for the company. Therefore, Home Depot hastened to assure the investors that it was on the track to meet its target sales in the third quarter. According to Morran, (2014), the September 18, 2014 news release from the company provided an estimation of the growth of sales indicating that it would grow by 4.8 percent besides raising its approximation of third-quarter per share profit to 4.54 billion dollars from 4.52 billion dollars. The profit estimates, according to Home Depot Press Release, considered the cost of

investigating the data breach, providing credit monitoring services to the customers and as professional and legal services. Therefore, the company made a pledge that no customer would be on the hook for any fraudulent charges. However, the company never factored in the losses related to the breach such as liability on debit and credit cards of the customers as well as from any civil litigation. Yet, the undocumented costs had material adverse effects on the financial results of the company in the fourth quarter or future periods.

Target Corporation Respond

the first time. Also, the communication with the consumers was inadequate including the banner informing the customers of the breach that was too small to see. In essence, there was a

communication breakdown in the response strategy used by Target Corporation and the angry customers flooded the social media.

Later, when the company released an official report admitting the data breach, the company first apologized to the customers for the incident and stated that the breach had shaken the confidence of their guests. Target took responsibility of the guests seriously and indicated that they had learned from the incident and hopes to make the company more secure for the customers in the future. Also, the press release of Target documented the timeline and the events of the breach based on the investigations. Munson, (2014) writes that Target assured the

customers that they were working closely with the U.S. Secret Service and the U.S. Department of Justice on the investigations to assist in bringing the criminals to book.

protection and credit monitoring to the customers that ever shopped at the U.S. Target stores. The protection, as explained, included free daily credit monitoring, credit report, unlimited access to personalized assistance from professionals of fraud resolution agent and identity theft insurance.

Furthermore, target informed the customers that they had zero liabilities for any

fraudulent charges accrued on their payment cards due to the data breach incident. According to the report, Target challenged the customers to consider monitoring their accounts and promptly alert their issuing financial institution or Target for any suspicious activity. Target’s response also included accelerating their investment in the chip-enabled technologies for their REDcards and stores’ POS terminals. The company assured the stakeholders the chip-enabled technologies would be critical to enhancing customer protection. Target also responded by initiating a creation of 5 million dollars investment in campaign with Better Business Bureau, the National Cyber Forensics, and Training Alliance, and the National Cyber Security Alliance to advance public awareness and education about cyber security and the dangers of consumer scams (Kassner, 2015).

relations counterattack based on daily news briefing and flurry of statements and photos designed to show the company was aggressively responding to the data breach crisis.

Data Breaches against Expert Recommendations

If a company experiences a huge crisis, there is no shortcut: the companies will definitely suffer and without elaborate strategies the company might never be the same again. The point of debate holds that instead of responding to a crisis as a defeat, the company should recognize the fact that it is another opportunity window and find the best approach out of the crisis, essentially, with its brand image and reputation intact. Therefore, numerous public relations experts have echoed their recommendations to companies that become victims of the crisis.

In his book, “Public Relations Strategies and Tactics” Wileox suggests various

appearing before the Senate to testify on the crisis. While both companies responded late to the crises, they relied on investigations and later provided daily news updates, Afterhours phone number. Target, for instance, remained accessible to the media and even responded to interview when they were requested to do so. For example, Target had an interview with Bulls Eye press that also tackled the questions that were asked by the public.

Wileox further reinstates that companies in crisis should monitor news coverage and telephone inquiries including establishing the media reports on the crisis and compare with the organization’s view. Also, the organization should be familiar with the needs and deadlines of the media and provide timely information to meet both the print and broadcast deadlines. Wileox, (1988) recommends that the organization should communicate with the key public, employees, government agencies, the investment community, officials and focus on their relations with the media. Primarily, some of these principles did not go well with the companies. Firstly, they both responded late a week after the events. Target, for instance, responded a week late making the media rely on rumors to report to the public. Besides, the company never responded to the media allegations positively insisting that there was no such breach until one week after the event. Reports even circulated in the media indicating that there were Target credit cards being sold in online credit market that could be used for fraudulent transactions.

Commission in their investigations (Janczewski & Colarik, 2008). Lastly, both companies provided frequent updates to the customers and the public over the findings of the investigations.

Wileox, (1988) further mentions that organizations should take responsibility for solving the problem though must not admit or deny guilt. Also, they should set up an information center for information updates, and provide a constant flow of information. Wileox writes that an organization in crisis can only build credibility by addressing bad news quickly, and when the information is withheld, the cover-up becomes the story. With reference to Target, the

organization stated explicitly that there is no customer that would be liable for the charges resulting from the fraudulent transactions. The organization offered to take full responsibility and went ahead to provide free security monitoring and credit and debit cards for any customer that demanded. Similarly, Home Depot took full responsibility and provided all the customers that had been shopping in their retails from April with new credit and debit cards.

Also, Home Depot reinstated that no customer would be liable for the charges resulting from the fraudulent use of their payment cards (Janczewski & Colarik, 2008). Based on a

constant flow of information, both the organizations reacted slowly to the crisis providing formal press release a nearly a week after the crisis. Despite justifying their late response by not relying on rumors, after the initial investigations, both companies provided continuous update for the customers over the investigation validations. However, Home Depot and Target failed to

the data breach, though it is not clear whether the companies identified specific individuals with the information, they both indicated that their security systems detected unusual activity in their software. Also, organizations should be accessible and monitor the media. Similar to the

recommendations outlined by Wileox (1988), Home Depot, and Target remained available and even attended to interview questions from the media. While the literature remains mixed, Eric Weiss and Mille (2015), argues that the companies became accessible and denied the reports of data breaches until investigations were conducted. The fact that there is information that they refused to comment deeply on the matter immediately and to choose to rely on the studies indicates that they were accessible, however, did not react swiftly to the crisis. According to Howard, being available to the reporters is necessary for providing the media with facts.

Therefore, the media initially relied on news from outside sources due to what can be described as physical accessibility rather than informational accessibility of the companies.

communication with employees provides the best line of defense or offense. As such, top management should provide frequent updates to help keep the employees from speculation and spreading the rumors. Home Depot reportedly blamed the employees by indicating that they relied on the outdated Systematic antivirus software from 2007 and failed to monitor the network for unusual behavior. Such allegations may not go well with the employees, according to Howard as it increases media speculation. However, Target involved the employees actively in the crisis update and mitigation. Target even went further a step to provide employee education and to inform them of the policies and procedures for protecting sensitive data on corporate and personal devices.

Furthermore, Howard inscribes that organizations should recognize that incomplete and at times incomplete media coverage is inevitable during the crisis. As such, Howard advises that organizations can realistically get facts right and portray the reputation through the media by being concerned and actively involved in fixing what went wrong. This recommendation was well applied by both the companies. Target, for instance, provided continuous press release, took responsibility and offered additional services such as public awareness of education to

cybercrime risks and prevention. Home Depot also is on record providing measures showing their concern. They released an official press release acknowledging that indeed there was a breach, accepted the customers from charges resulting from the deceitful transactions and engaged in high-tech development of security of customers alongside convincing investigations.

organization should assist the media keeping the basic facts right by constantly updating the website. Referring to the scenarios, Home Depot, and Target failed to assist the media initially making the media depend on rumors. However, immediate measures were taken to remove the malware that the intruders used to hack their system. There were extra security measures taken by both the companies concerning website safety including installing launching a retail industry Cybersecurity alongside Data Privacy Initiative as in the case of Target Corporation.

Lukaszewski, (2013) also echoed his concerns over crisis communication by emphasizing on the details the organization CEO is obligated to comprehend about reputation risk and crisis management. First, Lukaszewski advises the organization CEO to remain calm because crisis communication requires a high level of professionalism from the spokesperson. Essentially, the organization’s spokesperson should reassure customers and demonstrate confidence and

competence and focus on resolving the issues. Denoting to Target, the company moved swiftly to apologize to the customers and stated that the business was determined to work very hard to earn the confidence of the guests back (Janczewski & Colarik, 2008). Furthermore, the company responded by supporting the customers and strengthening the security. Besides, Target spokeswoman Molly Synder observed that the company had moved quickly to inform the

customers based on the facts discovered by the complex investigation. Home Depot through their CEO Frank Blake in the company of spokeswoman Paula Drake insisted on communicating the facts as the company did not have investigated updates on the situation. However, after the investigation, the company assured the customers that they had patched any holes, and the system was safe for the customers to shop.

the companies widely used the press media to release the news as most of the customers learned from the crisis via the media. The companies both insisted on reports from investigations and stated clearly that they would wait for the complex investigation reports to provide accurate information. Target, however, hinted the scope of the breach and later revised, something that angered the customers and created confusion. The fact that the customers of both the companies learned the data breach over the media, it shows that there was inadequate information

coordination from the comments from various parties. Munson, (2014) writes that all shoppers at Target learned in December, largely from the media sources and it took one week for Home Depot to respond hinting that the company never established coordination of the crisis comments.

given, and the companies offered to provide new credit and debit cards as well as relieving the victims from charges resulting from the duplicitous transactions.

Moreover, Lukaszewski (2013) writes that the organization in crisis should provide the media with useful information. Target made initial disclosures on the scope of the breach and later revised them in a series of updates that resulted in confusion while Home Depot, though later released useful information, failed to provide any valuable information immediately the public learnt of the data breaches. Rather, the spokespersons from both Home Depot and Target reinstated that the matter was under investigation and would wait until it is over to be able to offer any substantial information. While this provides legal benefits for the companies, it was harmful to them as it forced the media to report on unofficial information that later got confirmed to be true by the respective companies. Lukaszewski also writes that organizations in crisis should avoid “I don't know." Far too often, and if that’s the answer, it is better to use a declarative approach. Notably, the companies took a good step of basing their reports on the investigation, which is rather important than providing unconfirmed details to the media.

Lastly, an organization stuck in a crisis should devote a specific website to the

controversies experienced. According to him, the web site should reside a growing repository useful, helpful and current information, including laws, rules, studies, regulations, correction, questions and answers, and clarification information. The literature of both Home Depot and Target does not specify the establishment of an independent crisis management website.

Therefore, while there is no literature validating the validation of a particular website, the

companies provided frequent updates to the customers and the public through the media and their respective websites.

Future Recommendations

Despite the fact that data breach is a cyber criminal offense chargeable in the judicial system, they act as some of the few circumstances that serves to test the reputation of the

company and their competency to solve a crisis. Whether the impact is sustained or immediate, a crisis affects stakeholders within and outside the company. Based on the Home Depot and Target Corporation case studies, some aspects of crisis mitigation were adequately adhered to,

according to the three above experts analyzed. Therefore, the recommendations are based on the areas where both the companies expressed weaknesses.

1. Home Depot and Target should be accessible to the media and provide continuous updates to the media. This includes responding professionally to the media through the respective public relations or communication office. Also, in the future, the companies should provide available information to the media so that the media cannot depend on the rumors from outsiders. This would ensure only facts are reported and keep the customers updated with first-hand information.

3. In the future, Home Depot and Target Corporation should establish the source of

information through the crisis management department. As such, the department should respond to any security firm reports with seriousness and never take any information for granted. Any information received based on security matters should be investigated accordingly.

4. Home Depot and Target should move fast to react immediately the crisis hits. The company management should ensure the respective public relations office moves with swift to ensure rumors does not spread to the media and the customers. However, if the matter is under legal investigations assure the customers of their security, safety and demonstrate confidence and calm. It is also important to avoid providing unconfirmed information to the media, later to change after the investigations are complete. In case the real crisis is not known, maintain accessibility and appeal to the customers to be calm.

5. The companies should also tell the truth to the public and disclose all necessary

information such as the type of breach, timeline, affected customers and financial losses the company has suffered. This should be followed by a public apology and assure the customers that all measures have been taken to ensure such a crisis cannot occur again in the future. This requires providing information on the measures taken to ensure security of the customer details and payment cards.

key contacts media and oversight functions are identified and the existing communication plans inspected and reviewed for relevance.

7. The companies should ensure a complete communication audit and develop manual issues. The communication document developed should contain the history and context of the company involvement and the position of the company. The visibility levels should be described and adversaries and allies identified.

Conclusion

Crisis management is a significant role of pubic relations in a given company. The failure in crisis management can cause a serious harm to company stakeholders and even the very existence of the organization. Cyber crime is a serious threat to the financial loss of the company that can lead to collapse of the organization. Public relations practitioners form a critical part of the crisis management teams. Therefore, a set of best practices and lessons learned from

individual crisis management goals would be instrumental for the public relations professionals. However, most companies often ignore their public relations office and rush to technological advances. While technology will ensure future security, public relations would serve a bigger purpose of maintaining the reputation of the company. Based on the two case studies, it would be fair to conclude that there was average adherence to crisis communication strategies as

References

Burg, N. (2014). Five lessons for every business from target's data breach. Forbes. Retrieved from: http://www.forbes.com/sites/sungardas/2014/01/17/five-lessons-for-every-business-from-targe...

Egan, J., & Anderson, T. (January 01, 2015). Considerations for a Model of Public-Private Sector Collaboration in the Provision of Disaster Relief.

Eric Weiss, N., & Miller, R. (2015). The Target and Other Financial Data Breaches: Frequently Asked Questions. Congressional Research Service, 7-5700. Retrieved from

https://fas.org/sgp/crs/misc/R43496.pdf ).

Geneiatakis, D., Scheer, S., & European Commission. (2013). Personal data breaches: A feasibility study on a cyber exercise. Luxembourg: Publications Office.

Greising, D. & Lisa V. (2014). In wake of Target, Home Depot tight with info in breach response.

Reuters

Hill. C. (2014). DOJ Indicts 3 Men Accused Of 'Largest Data Breach In History. The Two-way news from NPR

Home Depot Press Release: The Home Depot Reports Findings in Payment Data Breach Investigation Retrieved from:

https://corporate.homedepot.com/MediaCenter/Documents/Press%2520Release.pdf

Home Depot Security Breach: Lessons learnt. bsi retrieved from:

Home Depot. Customer update on data breach. Retrieved from:

https://corporate.homedepot.com/mediacenter/pages/statement1.aspx

In Hardy, M. (2014). Target store data breaches: Examination and insight.

Janczewski, L., & Colarik, A. M. (2008). Cyber warfare and cyber terrorism. Hershey: Information Science Reference.

Joseph, A. (n.d.). Cybercrime definition. Retrieved January 27, 2015, from http://www.crime-research.org/articles/joseph06/

Journal, March 26, 2014, at

http://blogs.wsj.com/cio/2014/03/26/retail-association-card-security-costs-outweighbenefits for many/.

Kassner, M. (2015). Anatomy of the Target data breach: Missed opportunities and lessons

learned. Security and privacy: New challenge.

Laasby, G. (2014). 53 million email addresses stolen in Home Depot data breach. Journal

Sentinel.

Morran, C. (September 18, 2014).Home Depot Confirms Data Breach; Started As Far Back

As April. Consumerist

Munson, L. (2014). Target data breach: Why UK business needs to pay attention, Computerweekly.com

Retail Association: Card Security Costs Outweigh Benefits for Many,” Wall Street Journal: CIO

Senate committee on the Judiciary. (2014). Written testimony. Hearing on privacy in the digital age: preventing data breaches and combating cyber crimes. Testimony of John Mulligan executive vice president and chief financial officer of Target.