Target Breach Costs: $162 Million
Response Expenses Continue to Grow Following 2013 Incident
Target's breach-related expenses not covered by insurance have totaled $162 million so far, its latest financial report shows. And experts say the breach could continue to have a financial impact for years to come.
Gross expenses stemming from Target's data breach in December 2013 have totaled $252 million. But insurance has covered $90 million of that cost. The breach exposed 40 million payment cards and personal information on 70 million customers.
Target incurred $4 million in net breach-related expenses for the fourth quarter of 2014, ending Jan. 31, the company announced Feb. 25 in its latest earnings report. For the full fiscal year, Target had $145 million in net expenses related to the breach, which reflects $191 million of gross expenses offset by $46 million in insurance coverage.
For 2013, Target had $17 million in net breach-related expenses, with $61 million of gross expenses offset by $44 million worth of insurance coverage.
For the fourth quarter, Target reported a net loss of $2.6 billion, compared to a $352 million profit in the third quarter, its first quarterly profit since the breach (see: Target: First Profit Gain Post-Breach).
While breach response costs are on a downward trend, Target will continue to feel the impact from the breach for years to come, says Rick Holland, principal analyst at Forrester Research. "Litigations like what we are seeing in federal court in Minnesota could drag this painful breach on for quite some time," he says. In late 2014, a federal judge ruled that class action lawsuits brought by several banking institutions and consumers impacted by the breach could move forward (see: Target Breach Consumer Lawsuit to Proceed).
The lingering expenses at Target should serve as a warning to CEOs of other companies who are reluctant to make overdue security investments that are needed in today's environment, says Shirley Inscoe, an analyst at the consultancy Aite Group.
In addition, organizations need to be mindful of the reputation damages. "[For Target], what's harder to measure is whether there are any lingering reputation damages due to consumers who still haven't returned to Target for their shopping needs," Inscoe says.
But Neal O'Farrell, executive director at the Identity Theft Council, argues that Target's breach-related expenses have been relatively low, given the company's size. "While it's tough to measure the long-term harm to their brand, if any, I think it's an unhealthy reminder to other companies that even the most massive and public of data breaches can pass quickly and have little long-term impact," he says.
It's difficult to determine how prepared Target is to prevent another incident, O'Farrell says. "I'm not confident that [we] won't witness a Target sequel in the future," he explains. "If it's truly the case that these breaches are now almost impossible to prevent, the focus should instead be on making stolen data as useless as possible. That's our only hope for minimizing the damage to consumer trust and confidence from these breaches."
Executive Changes
Target has made several moves to restructure its executive team after the breach. Most recently, it named Mike McNamara as its new CIO, replacing Bob DeRodes, who joined Target in May 2014 and is now retiring.
"I'm sure [Target's] new CIO is making every effort to get up to speed very quickly on all the measures that have been taken since the breach, as well as any gaps that have not been addressed and the timeline to address them," Inscoe says. "As long as Target can avoid another breach, they should have put this permanently behind them."
Jacqueline Hourigan Rice was named senior vice president and chief risk and compliance officer in November 2014. Last summer, Brian Cornell joined the retailer as the new chairman and CEO, replacing Gregg Steinhafel who resigned in May. Brad Maiorino became the company's first chief information security officer in June.