Though details of the massive data breach at Target are still emerging, it's already clear that, before the dust settles, the retailer will likely have to pay tens of millions of dollars in remediation and notification costs, fines, legal fees and settlements.
Target on Thursday confirmed a breach that let hackers access the credit and debit card numbers, expiration dates and security codes of shoppers who bought merchandise in its stores between Nov. 27 and Dec. 15.
Target has not disclosed how many cards were impacted by the breach, though industry sources have reportedly pegged the number at 40 million. The total would make the breach the largest involving payment cards since a hack of payment processor Heartland in 2009 compromised upwards of 100 million cards.
Heartland has since paid some $140 million in costs related to the breach. Other victims of major breaches have spent similar sums settling with credit card companies, banks and customers.
Target has yet to disclose how the intrusion occurred. Reports suggest that either hackers penetrated the company's Point of Sale (POS) network or malware was somehow inserted into the card swipe devices used by customers.
"It is possible that the track data was captured by some sort of network sniffer or other means farther up the payment chain that could have been outside of the store," said James Huguelet, an independent consultant who specializes in retail security. "Track data is often passed far beyond the POS, depending upon a company's specific payment processing architecture."
If the hackers did compromise the payment devices inside Target stores across the U.S., it would indicate the opening of a new front in the war on retailers, Huguelet said.
"It's entirely possible that the Target breach was not caused by a failure in the PINPads or POS systems in their stores. We'll need to get more information before we can really ascertain where in the payment chain the breach occurred," he said.
Avivah Litan, an analyst at Gartner, said it's possible that malware wasn't used to pull off the heist.
"The Heartland Payment Systems breach was not pulled off using malware," Litan said. One of the individuals convicted in that incident, a call center employee, was able to simply walk away with the data daily on a USB drive, she said.
"Target has spent a lot of money on payment card security so I doubt the criminals installed malware on their POS systems." If malware was used, "my guess is that [it] was on a corporate server communicating with the payment processors," Litan theorized.
In a statement, Target said it has identified and fixed the problem and is now working with a computer forensics firm to find the cause. The company said it hopes the investigation will identify new measures it can take to mitigate the risk of future breaches.
Even though Target was likely compliant with the Payment Card Industry Data Security Standard (PCI DSS) at the time of the breach, it could still face stiff fines from card associations like Visa and MasterCard, Litan said today in a blog post.
The company must also compensate card-issuing banks that cancel and reissue cards due to the breach, Litan said.
Meanwhile, Target will likely have to pay higher merchant fees to Visa, MasterCard, American Express and other payment firms for the foreseeable future. It also faces potential class action lawsuits from customers whose data was breached, Litan said.
Heartland's $140 million in breach-related costs included more than $26 million in legal fees and settlements of $60 million with Visa and $3.5 million with American Express. Heartland also set aside $42.8 million to be used in connection with multiple lawsuits related to the breach.
In the 12 months following a major 2006 systems breach at TJX Companies Inc., the company spent a staggering $250 million in remediation expenses, settlements of bank claims, credit monitoring services for victims, legal fees and fines. That breach exposed data on some 45 million credit and debit cards.
At least one breached retailer is claiming its fine was excessive.
Genesco, a specialty retailer of footwear and sports apparel, sued Visa USA earlier this year contending that fines assessed by the credit card firm were unjustified and unenforceable under the law.
The company is the first to challenge card companies over fines stemming from data breaches.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is email@example.com.