With Latest Settlement, the Cost of the 2013 Target Data Breach Nears $300 Million
In 2013, a week before Christmas, Target suffered a now infamous data breach that resulted in 40 million credit and debit cards being compromised. The timing couldn’t have been worse. The 2013 Target data breach was a massive red flag for millions of US shoppers buying gifts and holiday supplies.
But within the security industry, we know that mishandling user data usually only comes with short term consequences.
Target’s sales and stock took a temporary dip – but before the year was over they recovered. So what did it cost them to lose 40 million credit cards?
This week Target paid a combined $18.5 million dollars to settle investigations led by 47 different state governments. New York Attorney General Eric Schneiderman said it represents the “largest multistate accord ever reached over a data breach.”
This is the latest lawsuit Target has settled related to the data breach and shows just how long it can take to move on from such a high profile incident.
Here is a list of settlements made as a result of the 2013 Target data breach:
- $10 million paid in a class action lawsuit to affected consumers in March 2015.
- $19 million paid to Mastercard in an April 2015 settlement.
- $67 million paid to Visa in August 2015.
- $39.4 million paid to banks and credit unions for losses and costs related to the breach, in a December 2015 settlement.
- And now $18.5 million in this weeks settlement.
All those settlements total $153.9 million dollars.
On top of that there are Target’s own legal fees, the cost of providing credit report monitoring to millions of customers, and other costs associated with the breach (which Target’s decided not to elaborate on in their financials).
In Target’s 2016 annual financial report they reported that the total cost of the breach was:
$292 million dollars.
A statement from Target said that the value of this week’s $18.5 million dollar settlement is “already reflected in the data breach liability reserves that Target has previously recognized and disclosed.”
In their 2013 annual report, Target wrote “we experienced weaker than expected U.S. Segment sales immediately following the announcement of the Data Breach, and we are currently facing more than 80 civil lawsuits.”
But in the next year’s report it was noted that “the [breach] will not have a long-term impact to our relationship with our guests,” and that it is an example of an incident that only affected their sales for a “period of time.”
While Target themselves said they incurred “significant expenses related to the data breach,” with annual profits of more than 3 billion, it’s hard to say if it truly had a lasting impact.
 Per year breakdown of the costs:
2013: $17 million
2014: $145 million
2015: $39 million.
Their 2016 report did not record any costs associated with the data breach, but did state total costs of $292 million, up one million dollars from the 2015 report.