News is just beginning to emerge that Target (NYSE:TGT) has suffered a massive information-security breach. It's feared that its customers' card data, including both credit and debit cards, has been accessed by unidentified hackers over a period spanning more than two weeks from Nov. 27, 2013 to Dec. 15, 2013. As many as 40 million credit and debit card accounts are feared to have been compromised by the heist.
The situation is eerily reminiscent of the massive security breach that occurred at the TJX Companies, T.J. Maxx's (NYSE:TJX) parent company, in 2007. In TJX's case, hackers stole data from 90 million card accounts. The security breach had far-reaching financial implications for TJX Companies. The company incurred a large legal tab which involved a settlement with aggrieved victims, as well as hefty expenses to fix its information-security system. The estimated cost of the breach was a 'manageable' $265 million in the year after the breach, but a staggering $1.6 billion over the lifetime of the case.
What strikes an outsider as rather odd is that Target's hack, which happened over a two-week period, affected about half as many accounts as the TJX breach, which happened over a much longer period of 18 months. The methods employed by hackers to steal customer data from Target were most likely more sophisticated than those used by the TJX hackers.
TJX lost crucial customer information in what would qualify as simple negligence. The company used to store customers' personal data on its servers in an unencrypted format, which allowed hackers to simply hang around its stores and steal the data by exploiting poor Wi-Fi network security. The hackers used open access points to trace back to TJX's central database and retrieve customers' personal data.
Assisting affected customers costs an arm and a leg
The biggest cost element associated with the TJX breach involved contacting and assisting affected customers. TJX estimates that it cost approximately $5 to service each customer record. As many as 20% of the affected victims requested credit watch, resulting in a huge $1.24 billion bill. Other significant costs involved internal investigations, public relations, and regulatory fines.
Customers do not scare easily
The cost of the breach shaved off $0.25 per share from the company's profit in the quarter when it occurred, and roughly $1.51 per share over the lifetime of the case. The data stolen in the hack was used to make fake credit cards that were mainly used to purchase expensive electronics worth millions of dollars, mainly from Wal-Mart.
Far worse than the charge that TJX took from the breach would have been the damage to its public image, and the consequent loss of customer trust. Such scandals tend to have negative repercussions that continue to reverberate in the future, or for a few years at least.
Curiously enough, customers just shrugged off the incident as a minor annoyance, and continued flocking to the company's stores undeterred. Sales at TJX were hardly affected during the quarter, and went on to grow 9% to $4.3 billion in the following quarter. The shares took quite a hit, trading at $27.58 three months after the breach was made public.
The apparent lack of disruption of normal business for TJX will perhaps be the biggest consolation for Target customers who will be digging into historical archives seeking to know what to expect in the aftermath of the breach. $1.6 billion is hardly pocket change even for a large retailer like TJX. Luckily, TJX amortized this amount over several quarters, and it's quite likely that investors hardly felt it since the company's sales continued growing at a healthy pace.
Evidence from past data-security breaches shows that a company usually incurs about 30% of the cost of the breach in the first year, and the rest is spread out several years down the line. TJX certainly received more than a slap on its wrist, but was nonetheless none the worse for it.
Costs of breach likely to be much lower than TJX's
If Target's case plays out like TJX's, then investors are looking at substantial legal expenses and other related costs in the coming quarters. It's noteworthy, however, that only half as many Target accounts were affected as in the TJX breach. This will no doubt significantly reduce the amount of money spent to contact and assist victims of the breach. As noted earlier, this cost element accounted for close to 80% of the total costs linked to the security breach.
Target's latest annus horribilis is just beginning to unfold. If past security breaches are anything to go by, investors should not get too spooked by the event, since an event like this can happen to even the best companies. Global Payments (NYSE:GPN), a payment processing company, suffered a security breach in 2012 similar to what happened to Target. Information security breaches are a big no-no in the world of payment processing. The company's shares took a big hit in the first few months after news of the scandal hit news feeds, but they have recovered strongly to hit new all-time highs. The firm currently enjoys double-digit bottom-line growth, and it is expected to grow its EPS in excess of 10% over the next five years.
The biggest risk for Target right now is that customers might decide to jump ship, and shift to other stores. Here again, good old human behavior that tends to stubbornly resist change will likely come to Target's rescue. These large retailers have grown to their sizes by building huge bases of loyal customers, and it normally takes a really bad fiasco to scare these customers away.
Hopefully, Target's investors will not overreact and panic over the unfortunate incident, but will keep their faith in the company.
Fool contributor Joseph Gacinga has no position in any stocks mentioned. The Motley Fool has no position in any of the stocks mentioned.