Target's Breach Costs Continue to Mount

Running Tally Hits $146 Million in Net Expenses
Target's Breach Costs Continue to Mount

Target Corp.'s net breach expenses not covered by insurance will likely total $146 million for its most recent three quarters following the company's massive December 2013 data breach that compromised payment card information. Gross breach expenses will total $236 million for the nine-month period, says Eric Hausman, a spokesperson for the retailer.

See Also: Secure, Agile Mobile Banking: Keeping Pace with Last Best User Experience

Target Corp., in an Aug. 5 announcement, projects that it will incur $148 million in gross breach-related expenses just in the second quarter of fiscal 2014, which ended Aug. 2. But that cost will be partially offset by about $38 million worth of insurance coverage.

The Q2 breach expenses include an increase to the "accrual for estimated probable losses for what the company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks," Target says in its Aug. 5 statement.

But the total costs for the Target breach may not be known for some time, says researcher Larry Ponemon, because there are many difficult-to-measure factors, such as long-term loss of customers, to consider.

Breach Expenses

"Since the data breach last December, we have been focused on providing clarity on the company's estimated financial exposure to breach-related claims," says John Mulligan, Target's CFO, who's serving as interim president and CEO. "With the benefit of additional information, we believe that today is an appropriate time to provide greater clarity on this topic."

Target says its estimate of the expenses tied to the data breach was based on currently available information, historical precedents and an assessment of the validity of certain claims.

The retailer recently announced the appointment of Brian Cornell, a PepsiCo executive, as its new chairman and CEO (see: Target Names New CEO Following Breach).

Along with the breach-related costs, Target also paid in the second quarter $1 billion to retire $725 million in long-term debt. As a result, the company now expects its second quarter 2014 adjusted earnings per share to be around $0.78, compared to prior guidance of $0.85 to $1.00 per share.

The latest news follows reports for the first quarter of fiscal 2014 showing that profits dropped for the second consecutive quarter in the wake of the breach (see: Post-Breach, Target Profits Decline Again).

Analyzing Target's Costs

It's difficult to establish what the total cost of the massive Target breach is likely to be because breaches of that size are so rare, says Larry Ponemon, chairman of the Ponemon Institute. "We built our model around significant data breach events, but not mega breaches," he says, referring to the organization's "Cost of Data Breach" study.

The Target breach compromised an estimated 40 million credit and debit card accounts, as well as personal information for 70 million customers (see: Senate Report Analyzes Target Breach).

Ponemon also points out that companies tend to under-report breach expenses. And the indirect costs associated with a breach, in particular, are difficult to measure. "There are costs like diminishment of reputation, which are very hard to measure, and aren't normally included in a balance sheet or income statement, but they are costs to organizations over the long haul," Ponemon says.

One way to calculate reputational impact is to measure customer churn, which is when customers decide to no longer do business with a company that had a data breach because trust has been broken, Ponemon says. "Some are saying that in the long term, Target has created bad will," he says. "More people have, in fact, decided to churn. It's hard to measure, but if you [did], it might be a very significant cost because you lose a lifetime value of a customer, and that can be a big deal for a retailer."

Another factor to consider is the potential costs of the breach-related lawsuits filed against Target (see: Target Request to Halt Discovery Denied). "That could be costly for an organization like Target in defending itself," Ponemon says.


About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.




Around the Network