The Target Breach Eight Months On – Who were the Biggest Losers?

Target was one of the largest victims of recent security breaches until the Home Depot breach this past September. Before we look at Home Depot’s perfect security storm (tune back next week!), let’s review Target’s timeline.


Target, like several other retailers, was hacked not by approaching the central, well-secured network, but by coming up from the roots. Hackers installed malware on the Point-of-Sale machines in 1,800 stores using a program called BlackPOS – one that would later feature in the successful attack on Home Depot.

Thieves gained entry to the system between late November and December of 2013 and were detected by Target’s systems, including their FireEye system (the same used by the Pentagon and CIA). FireEye alerted Target twice to the breach as it happened, but incredibly the red flag went unheeded.

It wasn’t until government agencies advised Target in mid-December that they were being hacked that the company took notice. By then, over 40 million credit and debit cards had been stolen.

But it was just beginning. Target revealed the credit and debit card number breach on December 19, but it wasn’t until December 27 that they admitted that PIN data was stolen. Worse was yet to come. On January 10, 2014, Target revealed the breach had also exposed the personal data of 70 million customers – including names and email addresses, tempting targets for identity theft.

The Cost So Far

What did the breach cost Target and its customers? What did the hackers gain for their three-week stay in Target’s POS machines?

Though he went before Congress on the issue and apologized in full-page newspaper ads, CEO Gregg Steinhafel is out. The stock price fluctuated sharply in the wake of the breach and, as of August, stands 7.7% lower year-to-date. Target reported a 46% drop in profits for that 4th quarter, and profits continue to be soft. Overall, to shareholders, the breach will cost $148 million, minus a $38 million insurance deductible.

Much might be made of the chip-and-PIN machines that Target is installing, at a cost of $100 million, but as pointed out by Krebs, that was an industry-wide mandated effort, due by 2015, so that was money already spent, breach or not. Banks and credit unions absorbed $200 million, the cost to replace all the stolen cards.

Speaking of those cards, somewhere between 1 and 3 million stolen cards were sold, producing an estimated $50 million in hacker income before any fraudulent use of the cards is factored in – a tenth of the cost to Target, banks and customers.

This was the biggest breach until Home Depot’s breach in September. Will we see the same steady drip of revelations in Home Depot’s case as the months wear on?