Target's November-December data breach, at least the second largest debit and credit card compromise in history, is likely to haunt Target for a long time to come. Although some of the details are still hard to determine, we estimate losses in excess of $2.5B.
From least to most expensive, here are our estimates of Target losses:
Expense Category | Cost |
Christmas Discount | $36M |
Cyber Security | $50M |
Lost Sales | $75M |
Regulatory Fines | $150M |
Reissue Cards | $280M |
ID Theft Monitoring | $400M |
Stock Losses | $500M |
Class Action Lawsuits | $1B |
Total | $2.5B |
Based on what we know of Target's volumes, the 10% discount they offered to all consumers on Dec 21nd to 22nd amounts to $36M.
Target announced on Jan 13th that it will contribute $5M to a new cyber security coalition. Given that security consultation run $200-$300/hr, Target's own ongoing investigation, as well as the help of the the Mandiant security firm and Verizon's forensics team, must have been very expensive, indeed. Further, Target is busy hardening their infrastructure and eagerly looking for additional security systems. We estimate this has run into the $50M range or higher. Target losses in this area may run higher as a result of the dictates of regulatory agencies.
Target claims it's Q4 sales were down 2.5% because of the breach. Feb 2013 net earnings were $3B. Assuming roughly the same gives $75M in Target losses. Presumably additional expenses accrue due to inappropriately large inventories, possibly increasing losses even more.
The Department of Justice, the Secret Service, the Dept of Justice and several states have launched investigations into the Target breach. These will no doubt result in fines issued to Target. Heartland Payment Systems suffered $140M in fines and settlements, though it recovered tens of millions in insurance. Given governmental reaction, we expect $150M.
Credit Card issuers generally value the cost of reissuing a credit card at $15-$25 each (though occasionally much higher), due to physical costs ($5 per card) and lost revenue while the card holder uses other cards. This only applies to the original 40M cards where the magnetic stripe data was harvested, not the additional 70M accounts where personal information was harvested. Further, Target's Red Card is one of these issuers, though they would still need to suffer this same loss for their own cards. Assuming issuers recover $7/card, this will amount to $280M, though it could break $1B in Target losses. Further legal fees will accrue to this process as well. In the TJ Maxx compromise, banks and issuers reached a $256M settlement.
Target offered almost every US credit card holder in the US free credit and identity theft monitoring software through Experian. This normally retails for $180/year. Even if only 10% of all eligible participants apply and Target was able to negotiate a volume deal at $30/person/year, this might amount to $400M. This is a very rough number: it could be lower if they struck an extremely favorable deal with Experian. On the other hand, it could run to more than $1B if not.
Stock losses from Dec 20th to Jan 28th amounted to $3.5B, though some of that value will return. We predict shareholders will seek damages to compensate for losses. Estimating this outcome is particularly difficult. However, Toyota, JPMorgan, and Fannie/Fredie shareholders sued over lost share price or dividends. If litigants recover even 20% of this value, Target losses could exceed $500M in settlements and legal fees.
As of this writing, 68 lawsuits are pending in state and federal courts. Presumably this number will grow. Although the outcome of these suits is difficult to estimate, a 2011 study stated that the average cost for legal defense in such cases was $500K. The average settlement was $1M. Given many more suits, some dismissals, consolidations, we estimate Target losses here to be more than $1B in losses to legal action and defense. To put this in perspective, Sony suffered $2B in legal costs (with little shouldered by insurance) for breach of 77M accounts.
Summing this up comes to $2.6B in Target losses. There is considerable uncertainty, but this estimate might well be a lower bound. Target has generally acted in good faith during this disaster, voluntarily assuming costs to protect the consumer and to apologize, but this is still one of the greatest data breaches in history.
Are we right? A 2010 Ponemon study on the cost of data breaches estimated an average cost of $214 per compromised record. Assuming there is a lot of overlap between the 40M compromised cards and the 70M customer records, this will amount to $14B. Large breaches tend to cost less per record, but this makes our $2.6B estimate of Target losses seem fairly credible, or even a little optimistic.
Discover how much card issuers are losing to fraud annually in our newest white paper, State of Card Fraud: 2016.