The situation
In November-December 2013, hackers gained access to Target's point-of-sale systems through a compromised HVAC vendor connection. Credit and debit card data of 40M customers — plus personal information of 70M others — was stolen. The breach occurred during the holiday shopping season, the firm's peak revenue period. Target's security team had received warnings but failed to act on them in time.
What Target did
Target's public disclosure came on December 19, 2013 — weeks after the breach was first detected internally. The initial communication was vague about the scope. Subsequent disclosures (including the additional 70M personal records) extended the bad news for weeks. CEO Gregg Steinhafel was forced out in 2014 — the first US Fortune 500 CEO to lose his job over a cybersecurity incident. The firm invested over $200M in security infrastructure improvements and customer compensation, and accelerated the rollout of chip-and-PIN cards in the US.
The mechanics — step by step
- HVAC vendor breach used to access POS systems
- 40M card numbers + 70M personal records stolen
- Slow internal detection and external disclosure
- Multiple disclosure waves extended bad news
- CEO terminated
- $200M+ direct cost
- Accelerated chip-and-PIN adoption
Outcome and numbers
Target paid over $200M in legal settlements, security investments, and customer compensation. Same-store sales declined for several quarters as customers shifted away from the brand. The CEO firing was a precedent — cybersecurity is now an explicit board-level concern at every major retailer. The case is one of the most-cited cybersecurity crisis examples.
Why this case is on every syllabus
The Target data breach is taught as a crisis-communication case, a cybersecurity governance case, and an example of how slow disclosure amplifies damage. It is also taught as a vendor-risk case, since the breach came through a third-party vendor.
How to cite Target in a paper
Cite Target when discussing cybersecurity, crisis communication, vendor risk, or third-party security. Use the 40M card numbers and CEO firing as specific evidence.
Five takeaways students miss
- Vendor security is your security
- Slow disclosure compounds damage
- Multiple disclosure waves extend bad news
- Cybersecurity is now a board-level governance issue
- Customer trust takes years to rebuild after data breaches