Target (TGT) stock tumbles; data breach will cost $148 million (+video)
Target (TGT) lowered its second-quarter forecast Tuesday, saying it expects expenses tied to a massive data breach this past winter to come to $148 million. Target has been reeling since it announced in December that hackers stole millions of customers' credit- and debit-card records.
New York — Target (TGT) has lowered its second-quarter forecast citing the promotional discounts it had to use to attract shoppers.
The Minneapolis-based retailer also said Tuesday it expects gross expenses tied to a massive data breach this past winter to come to $148 million in the period, which will be offset by $38 million in insurance. It also paid $1 billion to retire $725 million in debt.
Target Corp. has been reeling since it announced in December that hackers stole millions of customers' credit- and debit-card records. The theft hurt the chain's reputation and profits and spawned dozens of legal actions. Target is facing troubles on a number of other fronts as well, including the perceptions that its prices are higher than those at Wal-Mart Stores Inc.
The company's expansion into Canada, its first foray outside the U.S., has also been a disappointment. Analysts have said that Target botched its Canadian expansion by moving too aggressively.
In hopes of turning a new page, the company last week named PepsiCo executive Brian Cornell as its CEO. Cornell will be the first outsider to serve in the top spot at the company when he starts Aug. 12.
For its second quarter, Target said it expects sales to be flat at established locations in the U.S., as "guests continue to spend cautiously and focus on value" and that promotional discounts are expected to hurt profit margins. Sales are expected to be "somewhat softer" at its stores in Canada as well.
Its shares fell more than 3 percent to $58.39 premarket trading.
The company now expects to earn around 78 cents per share for the quarter, excluding one-time items, down from the 85 cents to $1 per share it previously forecast. When factoring in the costs related to the data breach and the debt repayment, reported earnings per share are expected to be about 41 cent lower than that adjusted figure.
The Monitor reported on the response of Target and federal officials in the wake of the data breach in February:
The story is now well known: In the thick of this past holiday shopping season, data thieves hacked into retailer Target's computer system and stole sensitive financial information, including the credit-card numbers, personal identification numbers, and e-mail addresses of as many as 110 million customers.
Soon after, luxury department store chain Neiman Marcus revealed it had suffered a similar breach, affecting as many as 350,000 shoppers, and rumors are swirling that more retailers may soon reveal they have been the victim of cyberattacks, too. The issue has become such a big concern that Washington is getting involved. In a video address Monday, Attorney General Eric Holder urged Congress to introduce legislation to create "a strong national standard" requiring retailers to quickly alert consumers and law enforcement when shopper data is compromised.
The new laws should “enable law enforcement to better investigate these crimes – and hold compromised entities accountable when they fail to keep sensitive information safe,” Holder said in his weekly address.
The rash of security breaches is a problem with the potential to get much worse, experts say. Mathematically, chances are you've already been a victim of identity theft, even if you've never shopped at Target or Neiman Marcus. "Seven-hundred million pieces of electronic personal data have been stolen over the last 36 months, which means everyone in the United States has had some part of their identity stolen," says Haywood Talcove, chief executive officer for LexisNexis Government, a subsidiary of the national database company based in Washington, D.C. "The question is whether or not it's been used."
How bad is it?
The Target and Neiman Marcus breaches are just the latest (and largest) examples of a type of crime that has exploded into a full-scale industry. Credit-card data theft surged 50 percent between 2005 and 2010 (the latest years for which figures are available, according to the US Justice Department). Millions of credit-card numbers are on sale at any given time on black market websites, and hackers have realized that they can maximize profits by breaking into systems of major companies, such as Target, and stealing millions of pieces of data in one fell swoop. Visa and MasterCard had similar breaches in 2012.
Pulling off these crimes is cheap: The malware used to break into Target's system was recently traced back to a high-school-age Russian programmer, who sold it for $2,000. Aside from the obvious financial impact on customers, retailers, and financial firms, the effects of such crimes can reach into the government sector.
"There's a big opportunity for tax ID fraud," says Mr. Talcove. His department at LexisNexis holds contracts with state governments in Georgia, Louisiana, and Indiana to use big data and analytics to identify sketchy tax returns. Fraudsters use personal information gained from data breaches to file fake tax returns in different states to collect refunds, he says, and it's harder to spot than credit-card fraud because "it never shows up on a credit report."
The Target debacle, and others like it, could urge US retailers to invest in more consumer data protection. Part of the solution cited by many experts is for merchants and banks to phase out magnetic-stripe credit cards and convert to computer chip-based card technology (also known as EMV), already in wide use in Europe and other parts of the world. "When you use a mag-stripe card, you swipe it, and data is read by a reader, and it's the same every time the card is swiped," says Martin Ferenczi, North American president of Oberthur Technologies, a global digital security firm. "EMV allows it to be dynamic, so every transaction has a different set of data. If the same set of data is reused, the chip recognizes that and stops the transaction."
Chip-enabled cards have helped reduce fraud in Britain and Canada. Mr. Ferenczi argues that the US remains particularly vulnerable to hacks because of its delay in adopting the technology.
"EMV is not completely foolproof," warns Cynthia James, an author on cybersecurity and the director of business development at Kaspersky Lab, an anti-malware company based in Russia, via e-mail. "Those cards can be duped, too, it just costs so much that it's prohibitive [to the criminals]."
The high-profile nature of the Target and Neiman Marcus breaches may speed along the conversion process. Visa and MasterCard recently pledged to completely convert to an EMV system in the US by 2015, and Target is investing $100 million to adopt the technology.
On the legislative end, 46 states already have data breach notification laws in place, but there is no national standard for letting consumers know about security breaches. Several data security proposals are being batted around the House and the Senate, including one co-sponsored by Al Franken (D-Minn.) and Amy Klochubar (D-Minn.) that would mean harsher criminal charges for data thieves and require businesses to adhere to data safeguards laid out by the Federal Trade Commission (FTC).
In the meantime, experts like Ms. James and Talcove advise consumers to be extra vigilant. "Sign up for credit monitoring, cancel any cards that are suspect, and check statements every month for all cards," James says. "It will also be easier if you reduce the number of cards you have."
"File your tax return early, so fraudsters don't beat you to it," Talcove adds.