Target: First Profit Gain Post-Breach

For the first time since its data breach in December 2013, Target has reported an increase in its quarterly net earnings. Profits for its third quarter, which ended Nov. 1, were up about 3 percent compared with the same period a year ago.

See Also: Deception-Based Threat Detection: Shifting Power to the Defenders

The retailer posted $352 million in net earnings for the quarter, up from $341 million in 2013, Target confirmed in its latest earnings report. Sales for the quarter were $17.7 billion, up 2.8 percent from the same period last year.

Target had seen its profits decline in each of the three previous quarters since the breach, which exposed 40 million payment card numbers and the personal details of 70 million customers (see: Target Breach: By The Numbers).

Target's positive earnings report came a day after Home Depot, which acknowledged a breach Sept. 18 that affected 56 million payment cards and 53 million e-mail addresses, reported its third quarter profits grew 13.8 percent (see: Despite Breach, Home Depot's Profits Grow).

Breach Response Costs

In the third quarter of 2014, Target incurred net breach-related expenses of $12 million. Since the data breach in the fourth quarter of 2013, the retailer has incurred total net breach-related expenses of $158 million.

Gross expenses for the breach, so far, total $248 million, with insurance offsetting $90 million of that cost, the retailer reports.

Target's third-quarter net breach expenses are the lowest since the retailer announced the breach last December. In Q2, the company had $111 million in net breach-related expenses; for Q1, the total was $18 million; and in Q4 of 2013, the retailer had $17 million in net breach expenses.

Over the course of the year, Target has made several moves to restructure its executive team after the breach. Most recently, Target named Jacqueline Hourigan Rice as senior vice president and chief risk and compliance officer. In August, Brian Cornell joined the retailer as the new chairman and CEO, having replaced Gregg Steinhafel who resigned in May. Brad Maiorino became the company's first chief information security officer in June. And in April, Bob DeRodes was appointed the new CIO, replacing Beth Jacob who resigned in March.

Security Efforts Paying Off

After a few weeks of denial and finger pointing following the breach, Target realized it had to get serious about revamping its entire approach to data security, says Shirley Inscoe, an analyst at the consultancy Aite Group. "That's when they fired the former CEO and hired a new CISO," she says.

"Since there have been no further breaches involving Target, consumers are obviously starting to forgive their lapse in data security," Inscoe says. "Hopefully, other firms have learned from Target's bloodbath, and are revamping data security programs and processes proactively."

Target has also had to satisfy both Wall Street and its customers that it has improved its security strategy, says John Buzzard of FICO's Card Alert Service. "Everyone wants to see a leader emerge during a time of crisis," he says. "If you are being viewed as a culprit or as a victim in the matter, the one thing that counts more than anything is being out front and being the agent of positive change."

The Target breach will undoubtedly become a textbook case study in training courses for information security professionals, says Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation. "Target's experience has been a learning experience not only for the company, but for the industry in general," he says. "We'll have to see [though] how the company's security program stands the test of time against practically guaranteed future cyber-attacks."