It is unknown what the real damages are going to be from the Target Corp. (NYSE: TGT) data theft around the holidays of 2013. Target refers to this as a breach, but by getting credit and debit card data, encrypted data, names, and email addresses, let’s just be honest and start referring to this openly as a theft. A fresh survey report from the Credit Union National Association (CUNA) is showing that the costs of the breach are spreading to credit unions.
The survey shows that credit unions have already had to absorb $25 million to $30 million in costs due to Target’s data security breach. CUNA’s survey also show that this breach has cost credit unions about $5.10 per card, on average, affected by the breach. CUNA is also warning that the actual costs could exceed this estimate, as great fraud losses come up or if additional costs are reported.
It turns out that Target and other retailers are not paying for the cost of financial institutions in this incident, according to CUNA’s survey report. The breach resulted in the theft of 40 million debit and credit cards, and encrypted PIN data, and the names, mail and email addresses, and phone numbers of up to 70 million individuals.
Where the Target breach gets interesting is that the data theft was broad enough that this allows data thieves to potentially breach banks, tax data, and other personal information. That may sound harsh, but many people have the same pin-numbers or personal security codes from card to card. With up to 70 million accounts, you can use your imagination about how wide the costs could spread around the banking community.
CUNA President and CEO Bill Cheney said, “Contrary to what some may think, these expenses will not be reimbursed to credit unions and their members by Target or other retailers. Rather, credit unions must solely cover these costs of card program administration, including in these circumstances of reacting to a merchant data breach. And, because of credit unions’ cooperative structure, the costs of such breaches are ultimately borne entirely by credit union members.”
Target said on the coverage for the public, “Guests will have zero liability for the cost of any fraudulent charges arising from the breach. To provide further peace of mind, Target is offering one year of free credit monitoring and identity theft protection to all guests who shopped our U.S. stores.”
Target has said that it may (should say “will”) have charges related to the data breach. The company said recently that it was not able as of yet to estimate the costs from the breach. It did suggest that liabilities to card networks could be included in charges. Target said,
“Costs may include liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs, liabilities related to REDcard fraud and card re-issuance, liabilities from civil litigation, governmental investigations and enforcement proceedings, expenses for legal, investigative and consulting fees, and incremental expenses and capital investments for remediation activities.”
Unfortunately, this is a situation that is not just limited to Target any longer. Even if Target’s “guests” are not at direct risk, that doesn’t mean that outside financial institutions are not going to have to pay for secondary or tertiary breaches that could be directly tied back to the Target incident.