Earlier this year I posted about the cyber attack in which Target allowed at least 40 million credit cards to be compromised, and watched as cyber criminals stole the personal information from about 110 million people. This breach occurred during the year’s biggest shopping season between Thanksgiving and Christmas in 2013.
Last month, Target agreed to a settlement: a maximum of $10 million, or $0.25 per compromised credit card. Individual victims may get up to $10,000 in damages.
This settlement requires final federal court approval, but is, in my view, a settlement favorable only to Target.
In order to claim any damages from Target, victims must prove:
- That unauthorized charges were made to their credit card.
- That they invested time in addressing the fraudulent charges.
- That they incurred actual costs from correcting their credit report, paying higher interest or fees because of the impact to their credit rating, paid fees to replace identification cards, or hired identity protection companies or lawyers.
- That the Target breach was responsible for their loss.
A friend had her purse stolen in a museum. She discovered the theft within a couple of minutes of its occurrence. By the time she got to a phone and called her debit card company, the thief had drained over $5,000 from her bank account, and that money was gone. That debit card was just one of the items in her purse. A maximum benefit of $10,000 may not cover an individual’s loss.
One reason that it took so long to get to this ridiculous settlement is that Target argued in court that consumers lacked standing to sue because they could not establish any injury.
If you have a problem, report it as soon as possible at the web site Target sent you.
Fortunately, this is not the only cost to Target. By the end of January, Target estimated that it had already accrued $252 million in expenses related to the breach, including this settlement. That will be partially offset by up to $90 million in insurance payments to Target. Target also faces claims from three of the four major credit card companies, and probably also from the fourth, as those companies try to recoup their losses due to this data breach. In addition, the Federal Trade Commission, the Securities and Exchange Commission, and several state attorneys general are also investigating and may impose fines.
Target was instrumental in this data breach. Target’s computer security systems alerted IT to suspicious activity after cybercriminals had infiltrated its networks, but Target decided to ignore the alert. The settlement also revealed that Target had no written information security program and no chief information security officer.
They also had a 46% drop in year-over-year profits for the quarter when the breach occurred.
Don’t let this happen to your company.
The last word:
How did the cybercriminals do? Pretty well, probably. Krebs on Security estimated that between one and three million credit cards stolen from Target were sold on the black market and successfully used for fraudulent purchases before the credit card companies managed to cancel the rest. That likely generated over $53 million of income to the cybercriminals. That number is interestingly close to the $55 million that the ousted CEO Gregg Steinhafel will get in executive compensation and severance benefits from Target.
So the cybercriminals, lawyers, and the shamed CEO win. Meanwhile, Target as a company and millions of its customers lose.
Keep your sense of humor.