Cost Of Target’s Holiday Season Data Breach: $300 Million
Target has just agreed to pay up to $39 million to banks and credit card companies to settle several class-action lawsuits. The settlement will resolve claims made by banks and credit card providers which hold Target responsible for the costs of reimbursing fraudulent charges as well as the replacement of credit and debit cards as a result of the company's data breach. During the 2013 holiday shopping season, Target stores across the United States experienced a data breach in their point-of-sale systems. The incident exposed the credit and debit card information of 40 million customers. An additional 70 million customer records containing names, addresses, phone numbers and email addresses were also exposed. The consequences for the retail chain were severe: the fourth quarter of 2013 saw a 46 percent decrease in profits compared to the year before and the financial consequences continue to accumulate.
Target management did use the incident to dictate significant security upgrades, being one of the first major retailers to upgrade every store’s payment terminals to accept chip and PIN enabled cards. As reported by Naked Security, “In total, the breach has cost Target $290m so far, of which insurance should cover $90m, the company said last week. However there are still shareholder lawsuits to come, as well as probes by the Federal Trade Commission and state attorneys general, which could well push the total costs of the incident to over $300m.”
The Target breach was the beginning of an upward trend in the cost of data security for retailers. According to the 2015 Global Cost of Data Breach Study from the Ponemon Institute, “While the cost of data breaches stayed relatively constant for most industries, the retail sector experienced a significant increase from $105 in 2014 to $165 in 2015. Media reporting of these events and consumers’ concerns about identity theft caused retail companies to spend more money to address the consequences of data breaches.”