Three months have passed since the massive data breach at Target (TGT) ended, and though the retailer continues to plug away, investors should be cautious treading here, because there's still a massive liability IED waiting to detonate -- and it could blow up anytime now.
As is all too well known now, for several weeks in November and December, hackers had free rein to access, steal, and sell sensitive customer data before being discovered and shut down. Some 40 million people -- and possibly as many as 110 million -- were potentially compromised (I should know -- I was one of them). What is only just coming to light, however, is the extent to which all of this was preventable. And because of that, Target's liability in this financial and public-relations disaster is as yet incalculable.
Stuff happens. Hackers will hack, and every level of defense erected will eventually be overcome. From Target to Wal-Mart and J.C. Penney to BJ's Wholesale Club, all their systems have been hacked at one time or another. Even AT&T had an incident years back, and though it's unpleasant and corporations need to implement industry best practices to protect their customers' data, we almost willfully acknowledge that at some point we may see our information compromised. Call it a hazard of doing business in the modern digital age.
What we don't sign onto, however, is a company cavalierly handling our data, or being more concerned about how its reputation will look instead of rectifying the problem. TJX (TJX) was taken to task several years ago, when it suffered a data breach and waited a whole month before notifying customers, costing the retailer more than $100 million in investigation costs, security system upgrades, customer communications, and legal fees, as well as some $1.6 billion over the lifetime of the case.
If reports are true, the extent to which Target's hack attack was preventable means it could be paying an even bigger price tag, with estimates running into the billions of dollars. According to a Bloomberg Businessweek report last month, the retailer had installed a warning system to alert it to just such a breach, and the FireEye (FEYE) system worked as designed: It signaled the presence of malware and which servers the hackers had infiltrated. Only problem was, Target ignored the alerts. Time after time, FireEye alerted the retailer to what was happening, and again and again it turned a blind eye toward them.
What's more, it wasn't the sophisticated hack job Target and law enforcement officials originally indicated. Rather, Intel's (INTC) McAfee subsidiary says it was really an unsophisticated "'off-the-shelf' exploit kit" that could be easily caught and protected against. Target admits its software logged the information, but ultimately the retailer "determined ... it did not warrant immediate follow-up." Yeah, not good.
In its annual filing with the SEC, Target admits its liability will be determined by how culpable it's found to be in these attacks and it expects the credit card companies will all be pointing their fingers at the retailer.
"While that portion of our network was determined to be compliant by an independent third-party assessor in the fall of 2013, we expect the forensic investigator working on behalf of the payment card networks to claim that we were not in compliance."
Target is worried that the real fallout will be in the hit it takes to its reputation and on whether customers will trust using its REDcard Rewards loyalty program. Anecdotal evidence suggests customers remain wary, and as the program drives meaningful incremental revenues for the retailer, it says it's already witnessed a significant decline in sales after the attack, though it can't determine whether it will be a sustained drop or a long, drawn-out affair.
Because it's already spent $61 million as a result of the data breach, and with a potential total liability in the billions, Target's foot is poised just above a landmine. Shares in the retailer bounced 10% from the lows they hit on Feb. 1, but this data breach incident is not over yet, and it's a gamble to bet it won't explode on the hope that consumers have short memories.