Target was the victim of one of the most highly criticized data breaches in 2013; hackers accessed more than 40 million credit card numbers and 70 million addresses, phone numbers and other personal information. On August 5, 2014, Target disclosed that the final costs of its data breach amounted to $148 million, a significant increase over the $61 million estimated after the first 4 months. The expense estimate includes an increase for the probable losses associated with breach-related claims, including claims submitted by payment card providers. About 25% of these costs will be covered by insurance.
Following the breach, Target saw sales drop 46% during the holiday season, as consumer confidence was clearly shaken. Estimates for the first quarter 2014 sales are also under the predictions, though this may not be related to the data breach. While the data breach expenses only amounted to 0.2% of Target’s 2013 revenue, the impact to consumer confidence and sales is harder to measure.
Providing some context to this data breach, the Bracewell & Giuliani law firm wrote and article / podcast on the impact of Target’s data breach and how organizations can avoid being a data breach “target.”
Since the data breach went public, Target has acknowledged that it failed to respond to multiple intrusion warnings from its software. In Target’s case, the fault was not entirely with a lack of security, but a lack of process to appropriately respond to the systems they had in place. As the law firm notes, if cybercriminals are determined, there’s very little you can do to prevent them from getting into protected systems, but organizations can control how they respond to a data breach. And this can mean everything for reducing post-breach costs.
Bracewell & Giuliani say that following a data breach, an organization must do these three things:
Knowing these three items are key, organizations can brace for the impact of a data breach by being prepared.
Every single corporation that has access to personal information must have a crisis response team and a crisis response plan. The team is a collection of key individuals who understand technology, communications, and the core business; the crisis response plan sets forth the steps that must be taken in the event of a data breach. The plan must be rehearsed until it is second nature and it must be continuously updated. Practice does make perfect.
Some great thoughts on how to avoid being a Target can be found here.