Target Projects Data Breach Costs Total $148 Million


Target Corp. told Wall Street to expect lower-than-expected second-quarter financial results and said the expenses associated with the response to its massive credit card breach are projected to reach $148 million, and warned that costs could continue to climb.

Cybercriminals struck the Minneapolis-based retailer in late November, stealing 40 million credit and debit card numbers and other sensitive information that impacted about 70 million customers. Target conducted an extensive digital forensics investigation, uncovering memory-scraping malware on its point-of-sale systems.

The company said the figure includes losses it expects for potential breach-related claims, including claims by payment card networks. Target's breach expenses also include mounting legal fees, customer outreach and additional security safeguards to reduce the risk of a future breach. The costs are offset by a $38 million insurance payout, which absorbed the early costs associated with the fallout, the company said in a statement issued today.

[Related: Data Breach Costs Study: Response, Containment Increase]

"These expenses include an increase to the accrual for estimated probable losses for what the company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks," the company said. "These estimates may change as new information becomes available and, although the company does not believe it is probable, it is reasonably possible that the company may incur a material loss in excess of the amount accrued."

Target said the $148 million figure does not reflect future breach-related legal, consulting or administrative fees, which are not expected to be material in any individual fiscal period.

Target named PepsiCo executive Brian Cornell as its new CEO and chairman last week. He fills a position left vacant since May when former Target CEO Gregg Steinhafel, a 35-year company veteran, resigned citing the breach as a factor. Cornell will oversee the adoption of a chip-and-pin payment system at Target. The credit card feature is widely adopted in other countries and is designed to reduce fraud associated with payment transactions made at brick-and-mortar retailers.

The retailer also added the position of chief information security officer in May, naming Brad Maiorino, an information security veteran, to the position. Maiorino ran security programs at General Motors and General Electric. He reports to the Target CIO Robert DeRodes.

A chief information security officer who proactively oversees an organization's security program and regularly tests incident response procedures helps reduce costs associated with security incidents, according to an annual study associated with data breach costs issued in May. The Ponemon Institute's Cost of Data Breach Study, which analyzed data breaches in 314 companies, found breach expenses rising significantly, up 15 percent in 2013 to $3.5 million.

"Target opened up a lot of eyes in the industry," said Andrew Sherman, the security practice lead at New York-based solution provider Eden Technologies. "Companies are looking closely at all the risks and getting concerned about the impact on the company officers and the magnitude of recovering from the negative fallout."

Solution providers predict senior level executives to be increasingly held accountable for security incidents, including costly retail credit card breaches and the exposure of customer information, including account credentials. Organizations need to focus on risk reduction measures, said Ben Goodman, CEO of Enterprise Risk Associates, a New York-based firm that specializes in cyberinsurance. Goodman said executives need to see risk reduction as a cost containment exercise.

"It's an enormous task," Goodman said in a recent interview. "There is almost no way to completely mitigate breach exposure."

PUBLISHED AUG. 5, 2014