Breach could prove very costly for Target

Past major breaches cost TJX $250 million and Heartland $140 million; Target can expect similar costs, experts say

December 19, 2013 01:58 PM ET

Computerworld - Though details of the massive data breach at Target are still emerging, it's already clear that, before the dust settles, the retailer will likely have to pay tens of millions of dollars in remediation and notification costs, fines, legal fees and settlements.

Target on Thursday confirmed a breach that let hackers access the credit and debit card numbers, expiration dates and security codes of shoppers who bought merchandise in its stores between Nov. 27 and Dec. 15.

Target has not disclosed how many cards were impacted by the breach, though industry sources have reportedly pegged the number at 40 million. The total would make the breach the largest involving payment cards since a hack of payment processor Heartland in 2009 compromised upwards of 100 million cards.

Heartland has since paid some $140 million in costs related to the breach. Other victims of major breaches have spent similar sums settling with credit card companies, banks and customers.

Target has yet to disclose how the intrusion occurred. Reports suggest that either hackers penetrated the company's Point of Sale (POS) network or malware was somehow inserted into the card swipe devices used by customers.

"It is possible that the track data was captured by some sort of network sniffer or other means farther up the payment chain that could have been outside of the store," said James Huguelet, an independent consultant who specializes in retail security. "Track data is often passed far beyond the POS, depending upon a company's specific payment processing architecture."

If the hackers did compromise the payment devices inside Target stores across the U.S., it would indicate the opening of a new front in the war on retailers, Huguelet said.

"It's entirely possible that the Target breach was not caused by a failure in the PINPads or POS systems in their stores. We'll need to get more information before we can really ascertain where in the payment chain the breach occurred," he said.

Avivah Litan, an analyst at Gartner, said it's possible that malware wasn't used to pull off the heist.

"The Heartland Payment Systems breach was not pulled off using malware," Litan said. One of the individuals convicted in that incident, a call center employee, was able to simply walk away with the data daily on a USB drive, she added.

"Target has spent a lot of money on payment card security so I doubt the criminals installed malware on their POS systems." If malware was used, "my guess is that [it] was on a corporate server communicating with the payment processors," Litan theorized.

In a statement, Target said it has identified and fixed the problem and is now working with a computer forensics firm to find the cause. The company said it hopes the investigation will identify new measures it can take to mitigate the risk of future breaches.