December 19th will mark the two-year anniversary of the Target data breach announcement. Target – and other breached companies – continue to pay out claims and settlements, raising the monetary losses of these retailers into the hundreds of millions. There are now countless articles and opinion pieces on how to handle a hack after it occurs. But what isn’t yet well understood – or reported – is the gray area: the long-term monetary effect of the breach on the hacked company, and when the bleeding actually stops.
We have all seen the reports of big retailer data breaches, or heard about the small business that quietly closed its doors after being hacked. And we’ve watched as cyber criminals have chosen new targets in government (the White House, the CIA Director’s personal email account) and in healthcare, broadening their reach beyond mere retail.
“Data breach” became a global discussion topic immediately in December 2013, thanks to the Target breach. More than 40 million credit cards were compromised, and perhaps as many as 110 million customers had some type of personal information stolen from Target’s point of sale systems in their stores. The immediate damage was almost incomprehensible, never mind trying to grasp the long-term ramifications.
How Much Would This Breach Cost Target?
Early reports showed that the total expenses incurred from Target’s data breach in 2013 and 2014 reached approximately $162 million. In early 2015, Target was hoping they could put the breach behind them and move on.
“A year ago, we were in the recovery mode, working to repair guest relationships following the data breach while we undertook an assessment of the long-term prospects for our Canadian business,” Target CEO Brian Cornell said in the call with analysts. “Fast forward to today and we’ve ended the year with the data breach fully behind us.”
However, that was not to be. On December 1st, it was reported that Target agreed to pay $39.4 million to resolve claims by banks and credit unions that said they lost money because of the 2013 data breach.
And there are still other probes outstanding, meaning potentially more costs for the company. In an article on Privacy and Security Matters, Kevin M. McGinty, a Member of Mintz Levin Cohen Ferris Glovsky and Popeo PC, writes:
“Those expense figures will continue to mount over the course of 2015 as Target continues to deal with ongoing litigation and regulatory fallout from the 2013 data breach. The enormous costs that Target has already incurred should serve as a stark warning of the financial consequences of a data breach.
While we have repeatedly observed in this space that private litigants have had scant success proving or recovering damages in data breach cases, civil money damages are but one potential cost that may arise from a data breach. Other costs include investigating the breach, repairing compromised systems, compliance with breach notification requirements, providing credit monitoring services for affected customers, and legal fees associated with responding to lawsuits and regulatory actions arising from the breach. Not quantified as expenses, but also harmful to financial returns are potential reputational harm to the business and resulting lost sales that could dampen the company’s top line.”
The Home Depot’s data breach in 2014 also set that company back. Early this year, the Home Depot reported an estimated $33 million in data breach costs. Home Depot CFO Carol Tome confirmed the damages, but recognized the possibility of further expenses.
“For the year, our gross data breach expenses were approximately $63 million, and after expected insurance recovery our net data breach expenses were approximately $33 million,” she said, later noting that the 2015 guidance for the company did not include any “expenses that we may incur in the future for data breach-related claims.”
But on December 3rd, it was reported that the Home Depot had incurred $252 million of expenses related to the breach. With an offset of $100 million of insurance proceeds, the net expenses were $152 million.
While we know that a data breach can devastate a business and its reputation, what we don’t know is when (or if) the devastation ends. The ramifications from the breaches at Target and Home Depot continue – in fact, December 19th will mark the two-year anniversary of Target notifying the public that it had been breached.
Anatomy of a Breach
Sources close to the Target breach investigation said that hackers first broke into the retailer’s network on November 15th, 2013, using stolen network credentials.
Between the 15th and the 28th (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malicious software (malware) to a small number of cash registers within Target stores.
By the end of the month — just two days later — the intruders had pushed their malware to a majority of Target’s point-of-sale devices, and were actively collecting card records from live customer transactions.
In subsequent data breaches, including at the Home Depot, thieves also penetrated the retailer’s network to install malware that would silently steal credit and debit card information. This type of theft is so lucrative that an average of 12 new strains of malware are being created every minute. And there was a 64.8% increase in new malware strains for the first half of 2015 compared to the first six months of 2014.
The Breaches Won’t Go Away
Fraudsters don’t discriminate – they don’t care if they hack Joe’s Hot Dog Stand or your local DMV, as long as they can get credit card numbers.
The only way to fully ensure that the thieves don’t get this information is to encrypt it and render it completely useless. That is where products like PCI-validated Point-to-Point Encryption (P2PE) come in. Bluefin was the first company in North America to receive PCI validation for a P2PE solution in March 2014, and today we offer our solutions through our payment platform, as a gateway-only solution and as a partner solution – for mobile, retail, call center and unattended payments.
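To make the protection described above concrete, here is an added illustration in Go (not Bluefin’s product and not the PCI P2PE standard itself): a simplified P2PE flow in which the payment terminal encrypts card data under a one-transaction key that the merchant’s POS never holds, the gateway’s decryption environment recovers it, and a DLP-style scan of what the POS handles finds no card number. The injected base key, the counter-based key derivation and the `Terminal` type are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"regexp"
)

// Terminal models the payment device that encrypts card data before the merchant's POS
// application sees it. BaseKey stands for a (hypothetical) key injected into the device's
// tamper-resistant hardware; the POS never holds it, only the gateway's decryption environment does.
type Terminal struct {
	BaseKey []byte
	Counter uint32
}

// gcmFor builds AES-256-GCM under a one-transaction key derived from the base key and the
// counter, so the decryption environment can re-derive it from the counter sent with the ciphertext.
func gcmFor(baseKey []byte, counter uint32) cipher.AEAD {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	mac := hmac.New(sha256.New, baseKey)
	mac.Write(c[:])
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key: NewCipher cannot fail here
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Encrypt runs inside the terminal and returns what the POS forwards to the gateway:
// counter, nonce and ciphertext. None of it contains the PAN in the clear.
func (t *Terminal) Encrypt(cardData []byte) (uint32, []byte, []byte) {
	t.Counter++
	gcm := gcmFor(t.BaseKey, t.Counter)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand; since Go 1.24 it never returns an error
	return t.Counter, nonce, gcm.Seal(nil, nonce, cardData, nil)
}

// Decrypt runs only in the gateway's decryption environment, which also holds the base key.
func Decrypt(baseKey []byte, counter uint32, nonce, ciphertext []byte) ([]byte, error) {
	return gcmFor(baseKey, counter).Open(nil, nonce, ciphertext, nil)
}

// ExposedPANs applies the check a DLP scan of POS memory would: any 13-to-19-digit run that could be a PAN.
func ExposedPANs(posMemory []byte) []string {
	return regexp.MustCompile(`\b[0-9]{13,19}\b`).FindAllString(string(posMemory), -1)
}
```

A compromised POS that scrapes its own memory sees only the counter, nonce and ciphertext; without the base key, which lives in the terminal and the gateway, that material cannot be turned back into a card number.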
We’ll be doing our 2015 technology wrap-up blog and will be looking at trends for 2016. Now that EMV has come and gone, we hope the attention will turn to technologies like P2PE that protect your data.