The Target data breach disrupted the 2013 holiday shopping season, shook the retail industry, and shocked many who assumed that a nationwide retailer would have the security controls in place to prevent such an attack. The breach exposed credit card data of 40 million individuals and personal data of approximately 70 million consumers. A quarter billion dollars and a slew of lawsuits later, lessons have emerged and questions remain.
How it happened
Reports indicate the initial intrusion traced back to network credentials stolen in an email malware attack on one of Target’s third-party vendors, Fazio Mechanical Services, Inc., a Pennsylvania HVAC company. Fazio Mechanical’s data connection with Target was the retailer’s supplier portal for vendor electronic billing, contract submission, and project management.
If true, then Target was the victim of a phishing expedition into Fazio that turned into a nightmare for the retailer because Target’s vendor portal was not sufficiently segmented from its payment network. Experts theorize that once the hackers gained entry to the portal, they found a back way into the retailer’s payment systems, installed malware on the company’s Point of Sale (POS) systems, and began exfiltrating consumer data.
Litigation fallout
Numerous class action lawsuits were filed against Target in the wake of the breach, and the litigation was consolidated in Minnesota federal court with three groups of claimants: (1) shareholders, (2) consumers, and (3) banking institutions.
Investors brought derivative actions against Target’s officers and directors, alleging that the board of directors and top executives harmed the company financially by failing to take adequate steps to prevent the data breach and by not providing customers with complete information about the extent of the theft. The consolidated derivative lawsuits remain pending.
Claimants in the consolidated consumer class action lawsuit overcame a large hurdle in December 2014 by establishing standing to bring the suit (it is notoriously difficult to prove legally cognizable injury resulting from data breaches without actual fraud losses). In March 2015, a Minnesota federal judge granted preliminary approval for a $10 million settlement to consumers affected by the breach. Under the proposed settlement, consumers who can document their losses will be eligible for up to $10,000 each, and claimants without documentation will be entitled to a share of the remaining settlement fund. Target must also implement more robust security measures, such as appointing a chief information security officer, maintaining a written security program, and periodically reviewing and updating safeguards as needed.
Financial institutions sued claiming that Target should be liable for the replacement costs for millions of customer payment cards, estimated at over $200 million. A judge denied Target’s motion to dismiss most of the claims, ruling that the financial institutions successfully established that Target had a “special relationship” with them and, consequently, that Target had a duty to ensure that customer credit and debit card information was adequately protected.
Recently, Target announced that it has reached a $19 million settlement with MasterCard International Inc. to reimburse MasterCard issuers for costs incurred due to the data breach. The agreement is conditioned upon at least 90 percent of eligible MasterCard accounts accepting reimbursements, either directly or through their sponsoring issuers. Similar negotiations with Visa Inc. are reportedly pending.
Data breach costs
Though the full price tag of the Target data breach is not yet known, the numbers to date are no bargain. Target reported that the company incurred breach-related net expenses of $145 million for 2014 and $17 million for 2013 (the numbers reflect gross expenses of $252 million partially offset by $90 million in insurance receivables). Accordingly, through 2014, Target’s total net expenses, before tax, are at least $162 million. And additional litigation and settlement costs are still forthcoming.
Beyond the hard costs of the data breach, Target suffered intangible costs, such as the loss of consumer goodwill. For example, Target experienced a 46 percent drop in profits in the fourth quarter of 2013 immediately after the breach. Target also had to offer promotions and underwrite new advertising campaigns to entice consumers back into stores. Recently, the retailer announced that it was terminating about 1,700 workers.
Lessons learned so far
Major takeaways to date from the Target breach include:
- Do not underestimate the importance of third-party vendor security. Companies often work with numerous vendors, and hackers will find the weakest point of entry to gain access to a company’s sensitive information.
- Target apparently did not require vendors with no direct access to sensitive information, like Fazio, to use two-factor authentication. While it cannot be said for sure that such additional security would have prevented the breach, multi-factor authentication would have made the intrusion more challenging for the hackers.
- Target apparently did not sufficiently segment its vendor portals from its payment network, thereby allowing a conduit for the hackers into the company’s Point of Sale system. More robust network segmentation would have made the attack more difficult.
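The segmentation lesson above is the kind of thing a defender can check mechanically rather than assume. The following is an added example, not code from the original article and not a description of Target's actual network: it models network zones and the firewall rules between them as a directed graph and asks whether any untrusted zone (a vendor portal) can reach a high-value zone (the POS registers) through any chain of allowed flows. The zone names, services, and both rule sets are constructed assumptions; the "weak" set lets a portal user pivot through the corporate LAN to the register management segment, while the "hardened" set confines the vendor to the single billing application it needs.

```python
"""Zone-to-zone reachability audit for a segmentation policy (added example).

Each rule is (source_zone, destination_zone, service) and means the firewall
permits that flow.  A breach of segmentation is any path, of any length, from
an untrusted zone to a crown-jewel zone.  All names below are constructed.
"""
from collections import deque

# Constructed "flat" policy: the vendor portal can reach the corporate LAN,
# which can reach POS management, which can push updates to the registers.
WEAK_RULES = [
    ("internet", "vendor_portal", "https"),
    ("vendor_portal", "corp_lan", "smb"),        # portal is not isolated
    ("corp_lan", "pos_mgmt", "rdp"),
    ("pos_mgmt", "pos_registers", "sw_update"),
    ("pos_registers", "payment_gateway", "tls"),
]

# Constructed segmented policy: the vendor portal may only talk to the
# billing application; POS management is reachable from a separate admin
# jump zone that the portal cannot reach.
HARDENED_RULES = [
    ("internet", "vendor_portal", "https"),
    ("vendor_portal", "billing_app", "https"),   # only what the vendor needs
    ("admin_jump", "pos_mgmt", "rdp"),
    ("pos_mgmt", "pos_registers", "sw_update"),
    ("pos_registers", "payment_gateway", "tls"),
]


def build_graph(rules):
    """Adjacency list: zone -> list of (next_zone, service)."""
    graph = {}
    for src, dst, svc in rules:
        graph.setdefault(src, []).append((dst, svc))
    return graph


def find_path(rules, start, target):
    """Breadth-first search for the shortest hop path from start to target.

    Returns a list of (zone, service_used_to_enter_it) tuples, or None if the
    policy does not allow target to be reached from start at all.
    """
    graph = build_graph(rules)
    queue = deque([(start, [(start, None)])])
    seen = {start}
    while queue:
        zone, path = queue.popleft()
        if zone == target:
            return path
        for nxt, svc in graph.get(zone, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(nxt, svc)]))
    return None


def audit(rules, untrusted_zones, crown_jewels):
    """Return every (untrusted_zone, crown_jewel, path) the policy allows."""
    violations = []
    for u in untrusted_zones:
        for j in crown_jewels:
            path = find_path(rules, u, j)
            if path is not None:
                violations.append((u, j, path))
    return violations


def describe(violation):
    """Render one violation as 'zone -[service]-> zone -[service]-> zone'."""
    _, _, path = violation
    text = path[0][0]
    for zone, svc in path[1:]:
        text += f" -[{svc}]-> {zone}"
    return text


if __name__ == "__main__":
    untrusted = ["vendor_portal"]
    jewels = ["pos_registers", "payment_gateway"]
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        found = audit(rules, untrusted, jewels)
        print(f"{label}: {len(found)} violation(s)")
        for v in found:
            print("  " + describe(v))
```

Running it reports two violations for the weak policy (the portal reaches both the registers and the payment gateway via the corporate LAN) and none for the hardened one. The useful habit is to run such a check against the real rule base whenever a vendor connection is added, treating every externally facing zone as untrusted and every cardholder-data zone as a crown jewel, so that a single over-broad rule cannot silently reopen a path.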
What’s next?
As the remaining lawsuits work their way through court, here are some unanswered questions:
- Did Target violate Payment Card Industry standards, and what amount of PCI fines will result?
- Has the bar been lowered for standing in data breach suits generally, after the court’s ruling in the consolidated Target consumer class action?
- Will the Target investor lawsuits accelerate the trend of data breach shareholder derivative litigation, with more investors seeking to hold board members and executives directly responsible for security failures?