By Michelle Harven
5/5/2015
When most people think about security breaches, the one that often comes to mind is the 2013 breach at Target retail stores. Around 70 million records were stolen, costing what Target estimated at $148 million. The cost of a breach now had a dollar sign attached to it, or at least one estimate. Shares went down because of blows to the company’s reputation and spooked customers.
Then, the CEO was fired and other companies and the public really paid attention. (Don’t feel bad for former CEO Gregg Steinhafel though. He will receive around $55 million in executive compensation.)
Anne Tobin, an agency manager at Number One Insurance Company who deals with cyber insurance, was one of the customers affected by the Target data breach. She said she received a call from both Target and her credit card company about the breach. The credit card company shut down her account and mailed her a new card. They also offered free credit scoring for a year, and if they didn’t get to Tobin in time they said they would work with the credit company and stores to get bills handled and pay for damages.
Even after the response by Target and the credit card company, Tobin said she still can’t be sure if the data breach will affect her.
“I don’t exactly know all the information that was taken,” said Tobin, “and if they do get my name, my birthday, my Social Security number, they can now try to find my other accounts. So it’s not that it’s completely safe.”
Even after taking care of the people affected by the breach, Target paid $10 million in a class action lawsuit two years later, in March. The settlement requires Target to implement new security measures, like appointing a chief information security officer and adopting a written data security program.
Target settled a separate class action lawsuit with MasterCard banks two years afterward, in April of this year. The credit card company received $19 million from Target for the costs of the breach: cancelling cards, reissuing them, and creating new accounts.
What it comes down to is that Target got tangled up in a mess because of this breach, something the company is still paying for two years later. It is still dealing with a reputation blunder that could rank as one of the worst in terms of media coverage.
It may have been bad news for Target, but it became the cybersecurity business’s favorite cautionary tale.
CHANGING THE GAME
“The Target breach is a great example for a lot of different reasons,” said Ted Julian, the vice president and co-founder of Resilient Systems in Cambridge. “Not only was it big and it got a lot of coverage in the news, it infected a lot of people and so that created a high level of awareness.”
Julian said the CEO losing his job was something he had never seen happen before and added to the level of seriousness. “We’re not just talking the head of security, we’re not even talking the head of all IT, the CIO, literally because of this breach the CEO of a major American corporation lost their job.”
For many security companies, the Target breach showed businesses what others like Julian already knew to be true about the harm breaches could cause.
“We always say at BitSight that Target changed the conversation around cybersecurity and information security enterprise,” said Matt Cherian, the product manager at BitSight Technologies, a cybersecurity startup in Cambridge.
Cherian said that before these highly publicized breaches, CEOs and upper management didn’t think investing in cybersecurity would produce any returns.
“Security was considered a cost center and they were reluctant to spend the money, but now it’s clear that breaches are real and the extent to which breaches can have an impact both in terms of the number of customers affected but also the cost involved,” said Cherian. “Now that security is really affecting the bottom line at companies, there is an increased focus.”
NOT THE ONLY ONE
Of course, Target isn’t the only company that has experienced a breach at this level. Home Depot had an even larger theft of credit card information and didn’t receive half the amount of scrutiny or loss in share prices that Target experienced.
Then there were TJ Maxx, Neiman Marcus, the craft store Michaels, and the P.F. Chang’s restaurant chain. These companies all experienced data breaches in 2014. So how come Target experienced a dip in sales, public backlash, multiple class action lawsuits, and an ousted CEO, and the others didn’t?
Graph indicates negative consumer perception or “buzz”:
(Source: YouGov)
“People have done a lot of academic research to chart the impact of security breaches on market capitalization, how it affected companies, and the jury’s out,” said Julian. “Sometimes they do get whacked, but not necessarily at all.”
Some people aren’t surprised by the amount of noise that came with the Target breach. Arthur W. Coviello Jr. has been in cybersecurity for two years and said the one thing that surprises him is that all these large breaches get 15 minutes of fame and then they are forgotten.
He said what’s more pressing is the threat of disruptive attacks like Sony’s data breach, where hackers leaked internal emails, unreleased films, and other company and employee information. And worse could be around the corner.
“What concerns me about Sony is information was destroyed,” said Coviello. “In the case of Target, credit cards were stolen, credit cards can be replaced,” he said, adding “Information that is destroyed can never be recovered. If systems are destroyed, if people’s lives are lost, what’s going to be our response then? That’s why this is such an important topic. That’s why we need to get ahead of it sooner as opposed to later.”
(Photo credit Kevin Dooley)