Target Provides Update on Costs Related to Data Breach
Minneapolis-based Target Corporation announced on Tuesday that its second quarter financial results are expected to include gross expenses of $148 million, partially offset by a $38 million insurance receivable, related to the December 2013 massive data breach that rocked the retail giant.
According to the company, the expenses include an increase to the accrual for estimated probable losses for what the Company “believes to be the vast majority of actual and potential breach-related claims,” including claims by payment card networks.
“Since the data breach last December, we have been focused on providing clarity on the Company’s estimated financial exposure to breach-related claims,” said John Mulligan, Interim President and CEO, CFO of Target Corporation. “With the benefit of additional information, we believe that today is an appropriate time to provide greater clarity on this topic.”
Update on Expenses Related to the Data Breach
During fourth quarter 2013, Target experienced a data breach in which an intruder gained unauthorized access to its network and stole certain payment card and other guest information. In second quarter 2014, the Company expects to record gross breach-related expenses of $148 million, partially offset by the recognition of a $38 million insurance receivable.
Expenses for the quarter include an increase to the accrual for estimated probable losses for what the Company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks. Given the varying stages of claims and related proceedings, and the inherent uncertainty surrounding them, the Company’s estimates involve significant judgment and are based on currently available information, historical precedents and an assessment of the validity of certain claims.
These estimates may change as new information becomes available and, although the Company does not believe it is probable, it is reasonably possible that the Company may incur a material loss in excess of the amount accrued. The Company is unable to estimate the amount of such reasonably possible excess loss exposure at this time. The accrual does not reflect future breach-related legal, consulting or administrative fees, which are expensed as incurred and not expected to be material in any individual period.
On April 29, the company named Bob DeRodes as the CIO, who is tasked with guiding the company’s information technology transformation, and in June announced that it hired former GM CISO Brad Maiorino as senior vice president and chief information security officer (CISO).
In the months following the data breach, Target detailed significant steps it took to enhance its information security systems and processes while transforming its security and compliance structure and practices.
Examples include enhancing monitoring, segmentation, logging, and security of accounts and installation of application whitelisting on point-of-sale systems.
In February, Target announced a significant new initiative as part of the company’saccelerated $100 million plan to move its REDcard portfolio to chip-and-PIN-enabled technology and to install supporting software and next-generation payment devices in stores.
The retail giant said that beginning in early 2015, its entire REDcard portfolio, including all Target-branded credit and debit cards, would be enabled with MasterCard’s chip-and-PIN solution. Eventually, all of Target’s REDcard products will be chip-and-PIN secured, the company said. The new payment terminals are scheduled be in all 1,797 U.S. stores by this September, six months ahead of schedule.
Target also said that in March it joined the Financial Services Information Sharing & Analysis Center (FS-ISAC), an organization formed by the financial services industry to help facilitate the detection, prevention, and response to cyber attacks and fraud activity.