Security experts say the data breach at US retailer Target in late 2013 could cost way more than the $162m cost declared in the company’s annual financial report.
Target said $191m of gross expense in 2014 was partially offset by the recognition of a $46m insurance receivable, while the 2013 net expense related to the data breach was $17m.
However, more expenses could be on their way after a judge gave financial institutions the go-ahead in December 2014 to proceed with their lawsuit against Target over losses associated with the attack.
A class action lawsuit alleging Target customers were harmed by the breach that made their personal information vulnerable was reportedly also given the go-ahead in January 2015.
Up to 70 million Target customers may have been affected by the data breach that was followed by the resignation of the retailer’s CIO and CEO in quick succession.
The attackers are believed to have stolen records that included the name, address, email address and phone number of customers and the details of 40 million credit and debit cards.
Up to three million of the payment card details are believed to have been sold on the black market and used for fraud before issuing banks cancelled the rest.
“Considering the pending legal action, the cost of the breach could reach over $1bn,” said president and co-founder of cloud control firm HyTrust, Eric Chiu.
“That should serve as strong evidence that companies need to make security a top priority – especially around insider threats, which is how most breaches are happening today.”
Spear phishing attacks were recently identified as the key initial step in what has been described as the most daring cyber heist to date, believed to have netted up to $1bn.
Steve Hultquist, chief evangelist at security firm RedSeal, said even a significant investment in proactive security analytics and process improvements would have given a good return on investment for Target.
“Invest now or pay later – this is the message from the Target breach. Making strategic investments now is a wise preventative measure to keep your organisation and your customers safe,” he said.
In a financial results forecast for the fourth quarter of 2014, Sony said it expected the investigation and remediation costs of the devastating November 2014 cyber attack on its movie subsidiary to be $15m.
But like the Target figure, commentators have said the final cost is likely to be a lot higher, without taking into account fines, legal costs and damage to the company’s reputation.
Home Depot, another US retailer recently hit by hackers, has announced that it incurred a pre-tax net expense of $33m in 2014.
However, the company said other than the breach-related costs contained in Home Depot’s fiscal 2014 earnings, it is not yet able to estimate the costs, or a range of costs, related to the breach.