Cost of Target Data Breach: $148 Million Plus Loss of Trust
The now infamous Target data breach is still costing the company -- and its shareholders -- plenty. In fact, the retailing giant forecast the December 2013 incident cost shareholders $148 million. The company also lowered its full-year earnings forecast in the wake of the breach and its stock took a hit.
The Target data theft was the largest affecting a retailer since data on 45.7 million shoppers was taken in 2005 at retailing giant TJX, which operated several chains, including T.J. Maxx and Marshalls. Both Target’s CEO and CIO resigned over the massive data breach, which led to the theft of information on what was believed to have been 40 million credit and debit card accounts in transactions that occurred from Nov. 27 to Dec. 15.
In January, the company said the theft may also have exposed identifying information like names, addresses and e-mail addresses for as many as 70 million customers. In February, Krebs on Security broke the news that at the heart of the costly breach were credentials stolen from a third-party vendor.
“In second quarter 2014, the company incurred gross breach-related expenses of $148 million, partially offset by the recognition of a $38 million insurance receivable,” Target said in its earnings report. “Expenses for the quarter include an increase to the accrual for estimated probable losses for what the company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks.”
Poster Child of Mega Retail Breaches
We caught up with Ken Westin, a security analyst at security firm TripWire, to get his take on the cost of the data breach. He told us the true cost is difficult to quantify.
“The preliminary cost may be $148 million, which include immediate costs such as security response and forensics, credit monitoring, fines and initial damages, that cost may pale in comparison to the true cost of the breach to Target and their brand,” Westin said.
Westin called Target the “poster child of mega retail breaches.” Although Target is no longer alone in the mega retail breach club, he said it was the founder member.
“The impact that this has had on Target’s brand is profound and will be difficult to measure,” Westin said. “It’s safe to assume that it has had, and continues to have, a serious impact on consumer trust and confidence.”
Hindsight is 20/20
For his part, Tyler Reguly, manager of security research at Tripwire, told us a lot of businesses still fail to see the big picture when it comes to data breaches.
“They say that hindsight is 20/20, but with this topic everyone should have the foresight to predict what happens: Data breaches are expensive and tend to damage your reputation,” Reguly said. “It may be hard to see the ROI on ‘it won't happen to me’ but it's pretty easy to see the ROI on preventing, or at least minimizing, a loss of $148 million.”
Finally, Dwayne Melancon, chief technology officer at Tripwire, said these staggering costs figures should be an eye-opener for businesses who thinks that investing in security is too expensive.
“For many organizations, retailers included, information security is not seen as a core part of the business,” Melancon said. “I believe the impact of this breach will shift those perceptions drastically, and we will see retailers begin to embrace cybersecurity as a core competency that must be mastered for the success if their businesses.”