Target Reels From Customer Data Breach
Target has taken a beating from the customer data theft that occurred over the holidays. What's perhaps worse is the unpredictability going forward. Target is unable to forecast future costs related to the breach. Further, customer confidence has not rebounded. "It's quite possible that the opportunity that Target had to change minds is probably past," said Identity Finder's Aaron Titus.
Feb 26, 2014 11:55 AM PT
Target reported financial results for the quarter during which it suffered a high-profile data breach, revealing how badly the company was stung by the security lapses.
In the three months ending Feb. 1, net earnings dropped by 46 percent compared with the year-ago fourth quarter, from US$961 million to $520 million. Profit dropped by more than 40 percent from the same period a year earlier, while earnings per share were 81 cents, down from $1.47 last year.
Sales were higher than expected in the first half of the quarter. However, after Target's Dec. 19 confirmation of the data breach that affected millions of customers, "results softened meaningfully," noted Target CEO Gregg Steinhafel.
'Unprecedented' Economic Swing
"As far as I can tell, this kind of economic swing in response to a data breach is largely unprecedented," Brian Pascal, research fellow at UC Hastings College of the Law, told the E-Commerce Times.
"In the past, companies have suffered some financial hits following news of major data breaches, but not to this scale," he said. "I think one of the most difficult things about data breaches, both from the consumer side and from the business side, is their sheer unpredictability. Target's data breach arose from an email-based attack on one of their heating, air conditioning and refrigeration vendors."
The breach compromised the payment or personal information of as many as 110 million customers. Target initially revealed that 40 million customers who shopped in-store over a period of three weeks may have had their names, credit and debit card numbers, card expiration dates, and security codes accessed by hackers.
Later, the company acknowledged that hackers stole personal information including names, mailing addresses, phone numbers and email addresses for as many as 70 million people during the same breach, though there may have been some crossover between the affected customers.
When Target revealed the vulnerability of personal information, it issued updated financial guidance of earnings per share of $1.20 to $1.30 for the quarter. It expected sales would fall by around 2.5 percent, though quarterly sales actually fell by 3.8 percent.
Target also reported pretax expenses of $61 million relating to the data breach and said it expected to make $44 million in insurance payments, for a net cost of $17 million.
However, in providing earnings guidance for the current fiscal year, Target said that it could not estimate future costs from the breach, including those related to litigation, claims of fraud and investigations.
The company seems to have a long road back in regaining consumer trust.
"Unfortunately, there's no magic button a company can press to restore consumer confidence," Yasha Heidari, managing partner at Heidari Power Law Group, told the E-Commerce Times. "Consumer confidence is earned over time. The best thing Target can do is implement additional security measures and hope that no other breach happens again in the near future."
Time Heals Wounds
"It will probably just take some time for people to forget and go back to old habits and buy things again," Aaron Titus, chief privacy officer with Identity Finder, told the E-Commerce Times.
"It's quite possible that the opportunity that Target had to change minds is probably past. They had a brief window to reassure customers, and I don't think that went well. They just were not able to convey what they needed to," he observed.
"Trust is one of those things that is easier to keep than it is to regain," said Ken Westin, a security researcher for Tripwire.
"Target still has a long ways to go to in order to regain customer confidence, and in order to do so I believe they need to be more transparent regarding the breach and share that information with the information security industry, so that everyone learns from it," he told the E-Commerce Times.
"Then they need to take steps to ensure not only that this does not happen again, but that their entire security posture will mature as a result of this breach," said Westin.
"They actually have an opportunity here to become a leader in overhauling how retail stores secure their systems and networks in the U.S. and around the world," Westin continued. "If they do it right, it can be a PR win for them, but it needs to be a genuine effort and not just something to appease the board and shareholders."
Meanwhile, there are key lessons for other companies to learn from Target's data breach.
"If there's one thing that retailers have learned from Target's situation, it is that these sort of breaches have very tangible impacts on a company's profits and losses," Heidari Power Law Group's Heidari said. "Nothing will motivate a retailer better to make sure it does not suffer the same fate."