It's becoming quite common to wake up in the morning and find yesterday's hacking stories in our inboxes or on our favourite news feeds. To us they seem to erupt in a flurry of reporting; there's an impact on the business, and then, usually within days, occasionally weeks, the excitement dies away and it's over. So it seems for those who aren't directly affected, but the ramifications roll on, reverberating like the aftershocks from an earthquake and re-emerging in a multitude of ways over the coming months and, yes, years. Getting hacked isn't a point-in-time event; it can change your business permanently.
As we barrel into Christmas, hopefully this year with heightened awareness of the risks that come from so much fresh data being created by our shopping, I thought it worth reflecting on one of the high-profile hacks of recent years, one that emerged right on Christmas's doorstep and is still rumbling on, still affecting the company and the customers involved. That company is Target.
For most, the Target hack has been consigned to the waste bin. It happened in late 2013, two years ago, and at the time we all reeled at the initial impact. Reports that as many as 40 million credit cards had been compromised, followed by the revelation that the personal details of up to 70 million customers had been exposed as well, led to customers avoiding Target in droves. Turnover at the company tumbled a massive 46% as a result, and in Q4 of 2013 they also spent a total of $61m in expenses relating to the breach (they did receive $44m from insurance, offsetting that to only $17m in actual spend). By May 2014 the ongoing impact was a profit around 16% below expectations, all attributed to the hack. By then most people had long since stopped paying attention.
So the Target hack rumbled on for around six months before profits began to climb again. By about mid-year, however, two of the C-suite were gone. The CEO resigned after just over six months in post; while this was almost certainly driven by the issues with the Canadian operation (which also contributed to the 46% slump in profit), the hack is seen as the catalysing event that forced him to take this action. The CIO, apparently strong in IT security, was replaced.
During the early part of 2014, customers and banks were lining up to sue Target for losses relating to the exposed credit card data: the customers to recover fraudulent charges and to cover the impact those had on them, the banks for the costs of the fraud and of reissuing the credit cards. The latter was estimated at $10 per card... that's 40 million cards, or $400m hanging over their heads. By March 2015, customers who had brought a class-action lawsuit were awarded $10m, with individual claims of up to $10,000 in damages. April saw them agree $19m in compensation with Mastercard, only to have that rejected days later as too low. Just over a week ago (25-Nov-2015) that was resolved with $19.11m to Mastercard, along with $20.25m to banks and credit unions for their losses over this breach. Target have also agreed to pay the plaintiffs' legal costs (up to $20m).
All in all, Target are reporting $290m spent in dealing with this breach. It may not seem a lot when you look at their operating profit, but percentage-wise, for a smaller organization this could have been devastating. Even two years on, it's not over for Target. They still face lawsuits from shareholders as well as investigations by the Federal Trade Commission and various State Attorneys General as a result of the breach. $290m not only reflects the monetary cost; it's also $290m of effort that was directed somewhere other than the core business. Staff turnover has been high and growth has undoubtedly not been what it could, or should, have been. This latest judgement caused a minor 1.2% drop in the share price. For Target, this is definitely not over and will continue for some time.
Just before I close this post I want you to look back to the start of it and broaden your thought process. Read it again, but this time think of the companies that supply Target (directly and indirectly), think of the staff who work there and the customers who were affected. Imagine how they have been impacted through this process. How many companies in the Target supply chain have been affected, possibly to the point of no return? Think of the emotional impact on staff working under the pressure of a company staring down the barrel of nearly half a billion dollars in losses. Of course we can't ignore the customers, many of whom saw fraudulent charges which, while they may eventually be reimbursed, are hell to deal with. Some customers were even the victims of identity theft, something that can be next to impossible to recover from. I'm sure you are now imagining the ripples spreading out, and just like ripples on a pond they bounce and reverberate for a very long time.
As a company, if you want to provide your customers with the best possible products and services, you need to include the security of their data as one of those. I urge you to step back and get the basics right first: effective vulnerability management (go for the known exploitable vulnerabilities first), eliminate standing privileged user accounts (prevent lateral movement) and take control of access to shared privileged accounts. Do this and you'll have a simpler security model that will make your next security move many times more effective, because you'll be building on a solid foundation. At BeyondTrust we know we aren't going to be the only security vendor you work with, but we do believe we should be one of the first.