The retail giant is facing judgment day for its massive December 2013 data breach. Target estimated that the breach cost company shareholders $148 million, but you can add another $10 million to the tally in the wake of a proposed settlement in a class-action suit.
According to a Reuters report, Target will, upon federal court approval, deposit the settlement amount into an interest-bearing escrow account. Individual victims in the suit will receive as much as $10,000 each.
“We are pleased to see the process moving forward and look forward to its resolution,” Target spokeswoman Molly Snyder told Reuters. Target is also promising to adopt and implement new data-security measures as part of the settlement, including hiring a chief information security officer.
Taking a Step Back
The Target data theft was the largest affecting a retailer since 2005, when data on 45.7 million shoppers was taken at retailing giant TJX, which operated several chains, including T.J. Maxx and Marshall’s. Both Target’s CEO and CIO resigned over the massive data breach, which led to the theft of information on what was believed to have been 40 million credit and debit card accounts in transactions that occurred from Nov. 27 to Dec. 15.
About a month after the breach, the company said the theft also may have exposed identifying information like names, addresses and e-mail addresses for as many as 70 million customers. In February, Krebs on Security broke the news that at the heart of the costly breach were network credentials stolen from a third-party vendor.
Industry watchers said this was yet another example of the need for security professionals to take a step back and look at the overall ecosystem of devices and how they are connected. Attackers will find and exploit the weakest link in an interconnected network every time. In Target’s case, it was especially costly.
Setting a Precedent
We caught up with Lane Thames, security researcher for advanced threat protection firm Tripwire, to get his thoughts on the Target settlement. He told us the lawsuit is no big surprise -- and no big deal in the scheme of things.
“It sounds like a lot of money, and it is for most of us. But not for Target,” Thames said. “Most large retailers have a dedicated line item in the budget for fraud-based issues.”
One would hope that the lawsuit would induce, via negative reinforcement, a change in business practices, Thames said. In any case, he is certain it will set some type of precedent and expects to see similar results for Home Depot and Anthem related to their recent data breaches.
“However, at the end of the day it boils down to profit. Security and controls are not profit makers,” Thames said. “As such, security and controls will remain lower on the totem pole of priorities for big retailers for quite some time, and we will continue to see large breaches for the foreseeable future.”