Skip to main content

Target Could Be Liable for $3.6 Billion from Security Breach

Target said on Friday (opens in new tab) that it is actively partnering with the United States Secret Service and the Department of Justice on the ongoing investigation into the malware that affected Target’s point-of-sale system in U.S. stores. The company can’t say anything further, as the Secret Service wants the details of the forensics and investigation under wraps.

"We take this crime seriously. It was a crime against Target, our team members, and most importantly, our guests. We’re in this together," said CEO Gregg Steinhafel (opens in new tab) days ago. "We recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores."

According to SuperMoney, Target may be facing a fine of $90 for each cardholder’s compromised data, equaling a hefty if not scary $3.6 billion USD liability. That’s in addition to civil litigations, fines from banks and credit card institutions, the cost of re-fortifying its network and related security evaluations, and more.

TechCrunch explains that the $90 fine stems from the PCI Council, which was formed in 2006 by Visa, American Express, JCB, Discover and MasterCard. This group oversees the new Payment Card Industry Data Security Standard, or PCI SDD. This standard defines how organizations manage cardholder information. If retailers are found violating the standard, they’re fined $50 to $90 per cardholder data compromised.

On Thursday Target confirmed that hackers managed to access its computers and stole the credit and debit information of around 40 million customers who shopped at Target, which has nearly 1,800 stores nationwide, between November 27 and December 15. The thieves retrieved customer names, credit card numbers and expiration dates.

As of Friday, two separate class action lawsuits were filed in U.S. District Court in Minnesota, filed on behalf of three Target customers who claim they’re suing for all affected customers. They are accusing the company of negligence, and claim that the company failed to notify customers as soon as it learned of the theft.

"In one of the largest-ever commercial breaches of private information, Target failed to secure the payment information of its customers over the busy holiday shopping season,” reads one of the suits, filed by Minneapolis attorney E. Michelle Drake. "As a consequence of Target's conduct, Plaintiffs and the classes are exposed to fraudulent charges, identity theft, and damage to their credit scores."

If the whole hacking ordeal wasn’t bad enough, KrebsOnSecurity reports that the stolen credit card information is being sold in the underground black markets for between $20 and $200. Even more, one security team was able to purchase a portion of the numbers before Target admitted to the data breach. That seemingly backs up the lawsuit claiming that Target didn’t acknowledge the problem in a timely manner.

That said, the fines Target will likely face with the PCI Council will merely be the proverbial tip of the iceberg.

  • CaedenV
    Can't wait to hear more details about this, it isn't every day that such a monumental tech failure happens. Did it go out with a firmware update on the POS systems? On the card readers themselves? Did a disgruntled employee let them in? Or was it a group that was actually competent at pulling a stunt off (unlike certain other nameless organizations that claim they can take down the entire internet).

    Funny thing is that I was in a Target during that time to do some holiday shopping, but as their prices were too high, and I couldn't find exactly what I was looking for I happened to go elsewhere. But $15 less and I would be in the thick of this along with 39,999,999 other people.
  • Martell1977
    The lawyers are really the only ones that benefit from class action suits. Target should make a deal with lifelock and offer it to everyone affected free for a year. Hope they catch the perps fast.
  • junkieXL
    I concur with @Martell1977, this seems to be over the top. Not trying to protect the negligent corporation here, but first of all, Target provides services to its customers that represents a true value, and they are not the ones who stole the information. Granted, they failed to protect it in the face of an attack, yet that is not unlike burglars breaking into a house and swiping all the credit cards they find. One could always argue inadequate property protection and claim that a better alarm system etc. could have thwarted the intrusion, but both sanity and common sense dictate that the house owner is the victim, while the perpetrator must be held liable for the crime. The owner may have been negligent, but this must be proven beyond doubt and it's the lesser of the two evils here. Second, the vulturous scapegoatry that typically surrounds such class action lawsuits is pretty disgusting.
  • jasonelmore
    This will probably be the end of Target. mark my words
    $3.6 billion? Ouch. Looks like someone really hit their "target" dead-on.
  • Stevemeister
    A security breach is one thing but if the perpetrators when caught were publicly executed then it may discourage similar behaviour from other criminals but if caught they will probably get an 18 month sentence in a low security prison. Instead of pushing for more severe sentences for the criminal element we have a bunch of lawyers licking their lips at the money they can get from this debacle. Lets catch and punish the offenders so severely they won't want to do it again.
  • antdes45
    Never saw the cash registers at Target, but if they're like I think they're embedded PCs imaged through pxe running Windows XP with full internet access updated over Active Directory. Sounds easy enough to inject some malware in there.
  • bigpinkdragon286
    In all of what has been said about this, the glaring omission seems to be any lack of encryption, or safeguarding of the data, should it fall afoul of it's intended use. I suspect either Target royally overlooked security, or the data was cleverly captured before being obfuscated.
  • typicalGeek
    re: Otacon's comment.
    How is the government to blame?

    The BANKS are the ones that have been resisting the switch to more secure chip embedded credit cards. While Target may shoulder some of the blame for this attack (very hard to determine due to lack of details thus far) the banks are the ones that have to this point determined that having easy to clone cards is better than paying for more secure cards.

    That's rather like deciding it's time to start locking the vault only after you've been robbed a few times.
  • hakesterman
    I highly doubt this is the end of Target, and i also doubt very much that Target will pay any significant fine or anything related to this. This could of happened to any store and this is probably just the beginning for these guys who are sending viruses and malware. Seems like somebody gets hit at least once or twice a year these days. Sony got hit not too long ago, and i think Sears got hit last year amongst others.