The situation

In November-December 2013, hackers gained access to Target's point-of-sale systems through a compromised HVAC vendor connection. Credit and debit card data of 40M customers — plus personal information of 70M others — was stolen. The breach occurred during the holiday shopping season, the firm's peak revenue period. Target's security team had received warnings but failed to act on them in time.

What Target did

Target's public disclosure came on December 19, 2013 — weeks after the breach was first detected internally. The initial communication was vague about the scope. Subsequent disclosures (including the additional 70M personal records) extended the bad news for weeks. CEO Gregg Steinhafel was forced out in 2014 — the first US Fortune 500 CEO to lose his job over a cybersecurity incident. The firm invested over $200M in security infrastructure improvements and customer compensation, and accelerated the rollout of chip-and-PIN cards in the US.

The mechanics — step by step

  1. HVAC vendor breach used to access POS systems
  2. 40M card numbers + 70M personal records stolen
  3. Slow internal detection and external disclosure
  4. Multiple disclosure waves extended bad news
  5. CEO terminated
  6. $200M+ direct cost
  7. Accelerated chip-and-PIN adoption

Outcome and numbers

Target paid over $200M in legal settlements, security investments, and customer compensation. Same-store sales declined for several quarters as customers shifted away from the brand. The CEO firing was a precedent — cybersecurity is now an explicit board-level concern at every major retailer. The case is one of the most-cited cybersecurity crisis examples.

Why this case is on every syllabus

Target Data Breach is taught as a crisis-communication case, a cybersecurity governance case, and an example of how slow disclosure amplifies damage. It is also taught as a vendor-risk case (the breach came through a third-party vendor).

Use this in an essay

How to cite Target in a paper

Cite Target when discussing cybersecurity, crisis communication, vendor risk, or third-party security. Use the 40M card numbers and CEO firing as specific evidence.

Three takeaways students miss

  • Vendor security is your security
  • Slow disclosure compounds damage
  • Multiple disclosure waves extend bad news
  • Cybersecurity is now a board-level governance issue
  • Customer trust takes years to rebuild after data breaches
Editor's note Want a deeper walkthrough? Our editors recommend pairing this with Crisis Communication for a worked example you can adapt to your assignment.