How to Calculate the Cost of a Target Breach At Your Company
Experts are now saying that the Target data breach could end up costing $1 billion. Do you know how much a data breach could cost your company?
To recap, Target discovered that the records of some 110 million of its customers, including the information on up to 40 million credit cards, had been compromised. It ended up costing the IT director and the CEO their jobs, and the company’s net income dropped 46 percent in the fourth quarter of 2013. Thus far the breach has cost the company $61 million—only $44 million of which was covered by insurance, leaving Target out of pocket to the tune of $17 million.
What does that $61 million consist of? “That includes paying the card networks to cover losses and expenses related to reissuing cards, lawsuits, government investigations and enforcement proceedings,” writes USA Today. Gartner security analyst Avivah Litan estimates that the total cost of the breach will be between $400 and $450 million, the article continues, while John Kindervag, vice president and principal analyst at Forrester Research, told the Washington Post it wouldn’t be less than $100 million.
The eventual cost could be as much as $1 billion. This includes items such as $100 million to upgrade all of Target’s cash registers to accept chip-and-PIN credit cards, which are less likely to be stolen. In addition, dozens of lawsuits have already been filed by banks seeking to be reimbursed for their costs.
There are also other costs that are not even borne by Target. Community banks, for example, paid up to $240 million to reissue 21.8 million credit cards—money they may not be able to get back from Target.
Moreover, as many as 10 to 15 percent of the stolen credit cards (4.8 to 7.2 million of them) have been used fraudulently—which means that Target may not only have to reimburse those charges, but also be subject to fines. “If the government’s probe finds Target at fault for not complying with industry-specific security standards, the company faces fines in the range of $400 million to $1.1 billion, according to an estimate by Jefferies, an equity research company,” writes the Washington Post. “That figure did not include lost sales or customer goodwill.”
The Post went on to say that a similar breach at T.J. Maxx in 2007, which affected 45 million customers, was originally expected to cost $25 million, but eventually cost nearly ten times that much.
Data breaches have hit other companies besides Target. The Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis, a report it releases annually, found that the average cost to a company was $3.5 million—15 percent more than in last year’s report. (This year’s report covers primarily data breaches that occurred in 2013.)
Moving from company estimates to the aggregate, the picture doesn’t get any better—some estimates say ongoing cybercrime against top U.S.-based companies costs our economy more than $300 billion each year, reports CIO Today. And companies aren’t the only ones being targeted. Symantec surveyed 13,000 adults in 24 countries and estimated the global consumer cybercrime problem cost $110 billion in 2012, while in 2009, McAfee estimated cybercrime to cost $1 trillion. Estimates are all over the map due to a lack of reliable data and different ways of estimating costs, The Economist writes.
According to the 2014 Ponemon study, respondents said the ideal amount to invest over the next 12 months to execute their organizations’ security strategy averages $14 million. However, in the next 12-month period, companies anticipate spending an average of only half that amount, or $7 million, the report continued. “This may be a tough sell in many companies,” the report admits.
If you’ve had trouble persuading your bosses to let you invest in improved security, it might help to know just how much a data breach could cost your company. Several calculators out there could provide a useful first pass at such an estimate.
- CyberTab, developed by Booz Allen Hamilton and The Economist Intelligence Unit, will calculate the costs of a specific cyber attack—based on your estimates of incident-response and business expenses, in addition to lost sales and customers—and estimate your “return on prevention” for instituting protections. It can be used both for planning and for calculating the effect of actual attacks.
- Symantec and the Ponemon Institute have also developed a data breach calculator. The calculator figures out your risk for a data breach, your average cost per compromised record, and your average cost per breach. It then compares your company with companies in your industry, companies in other industries, companies with and without a CISO, companies with the same number of employees, and companies with operations in either one country or multiple countries.
- HUB International, a group of insurance brokers and consultants, also has a data breach cost calculator. It figures out the estimated costs for an incident investigation, customer notification/crisis management, regulatory and industry sanctions, and a class action lawsuit.
As they say, an ounce of prevention is worth a pound of cure.