Dec 19 The theft of credit and debit card data
from 40 million Target Corp customers could end up
costing hundreds of millions of dollars, but it is unclear who
will bear the expense, lawyers and industry sources said.
Target said on Thursday hackers had stolen the data of
shoppers who visited its stores during the first three weeks of
the holiday season. Americas's third-largest retailer said it
was working with federal law enforcement and outside experts to
prevent similar attacks in the future. It did not disclose how
its systems were compromised.
For big data breaches, the total cost typically amounts to
about $17 per account, said Larry Ponemon, whose Ponemon
Institute researches data breaches. The fee includes litigation,
notifying customers, replacing cards, sorting bad charges from
legitimate charges, and making good on bad charges, he added.
For the Target breach, that would bring the total cost of
the incident to somewhere around $680 million.
The figure is an estimate, and a number of other factors
could increase or decrease the value. For example, because these
data breaches took place during the holiday season, when
consumers are often spending more, banks might be slower to
discover fraudulent charges, which could result in the cost
It is unclear who will have to bear the cost because
investigations have not yet determined who was at fault. If the
breach happened at the retailer's systems, it will likely be on
the hook for the amount, lawyers said.
Target spokeswoman Molly Snyder declined to comment on
whether it might bear costs of the breach, or the $680 million
The expenses could instead fall on the bank or banks
processing the retailer's transactions, or on third parties that
the bank or banks subcontracted to, said David Robertson,
publisher of The Nilson Report, a credit and debit card industry
newsletter. It was not immediately clear which bank or banks
held these roles.
Once it is clear who to blame for the breach, Target, the
card-issuing banks and the card networks, including Visa and
MasterCard, will hash out all of the costs that the responsible
parties will bear, said an executive at one bank.
One of the biggest expenses to the company responsible will
probably be reimbursing card holders. The average fraud is
usually around $100 to $200 before it is caught, said Avivah
Litan, an analyst at Gartner Research focusing on cybersecurity
and fraud. But not all accounts that are compromised end up with
fraudulent charges, she added.
There may also be fines from regulators who claim the
responsible parties violated consumer protection laws.
TJX Cos, parent company of discount retailers
including T.J. Maxx and Marshalls, announced in January 2007
that it had suffered from a data breach. In 2009, the company
settled with 41 state attorneys general for $9.75 million. TJX's
total expenses from the breach ran into the hundreds of millions
Massachusetts Attorney General Martha Coakley, who headed a
multi-state probe into the breach at TJX, said in a statement
that her office was talking to Target about the breach and how
the company was addressing it. Her office also planned to work
with other Attorneys General to determine whether the company
had proper safeguards in place.
New York Attorney General Eric Schneiderman said in a public
statement that he had asked Target for more information as well.
Whoever is responsible will also likely face class action
lawsuits, but plaintiffs may struggle to win much, lawyers said.
Gerry Silver, a lawyer in New York who defends companies against
data breaches, said he would expect class actions to be filed
but that it was a tough road to win for customers.
"The biggest hurdle is whether there are actual damages," he
said. "Just because a consumer's credit card is exposed doesn't
mean there's damages. If they didn't suffer monetary harm,
chances are there's no viable claim."
Jason Weinstein, a partner at Steptoe & Johnson and a former
federal prosecutor, said that plaintiffs often have trouble
proving they have standing to sue in a case like this.
Consumers may temporarily lose trust in the store's ability
to protect their credit and debit card information, retail
strategist Carol Spieckerman said. But Gartner's Litan noted
that consumers tend to have short memories, and care more about
discounts than security.
Target's shares fell 2.2 percent to $62.15 on Thursday.