More than a year after a breach affected millions of customers who shopped at Target, the company is still feeling the financial impact, racking up £124 million (US $191 million) in expenses related to the breach, both its Q4 and 2014 earnings reports showed.
Of this sum, £30 million (US$ 46 million) was covered by insurance, figures that are in line with the projections Target made in August.
The company had already spent £40 million (US$61 million) in Q4 2013 for the breach, which occurred in November and December of that year, with insurance picking up the tab for £29 million (US$ 44 million) of that.
The retailer didn't breakdown the expenditures though they have put £3 million (US$5 million) into a cyber-security coalition and are beefing up the security of their payment system by switching to chip and PIN-enabled Red cards for a reported investment of £65 million (US$ 100 million).
Commenting to SCMagazineUK.com on the consequences of the breach, Bob Tarzey, analyst and director at Quocirca Ltd said, "When you look at the scale of the costs, the investments in security that could have prevented the breach look modest."
And these costs may even understate the final bill. Eric Chiu, president & co-founder of cloud control company HyTrust in an email to SC added: “The major breaches such as Target, Sony and Anthem damage brand reputation and consumer trust, but they also have a real impact on the bottom line. The (millions) spent so far by Target is just a drop in the bucket given the class action lawsuits by consumers as well as the recent court ruling that banks can go after Target to recoup their losses. When all is said and done, the cost of the breach could reach over £650 million (US$1 billion). That should serve as strong evidence that companies need to make security a top priority -- especially around insider threats, which is how most breaches are happening today.”
Tarzey notes: "Areas of IT investment that could have helped in this case are stronger authentication for all users including outsiders, network access control – scanning devices for known malware before they come on the your network and scanning the network for anomalous activity that should have been able to detect data being egressed at an earlier stage. None of this would have added up to anything like US $191 million!
Steve Hultquist, chief evangelist at security analytics company RedSeal agrees, commenting to SC via email: “Consider the ROI for even a very significant investment in proactive security analytics and process improvements that could have blocked the beach before it even started. The lesson for other organisations is clear: you are under attack. Making strategic investments now is a wise preventative measure to keep your organisation and your customers safe.”
And as for the impact of cyber-insurance, Tarzey comments: "Clearly what target had in place did not cover its costs, it would be interesting to know what has happened to its premiums since making the claim. However, much it pays out, what insurance cannot fix is reputational damage. Better security can, but better to prevent the breach in the first place."