Target takes profit hit following data breach

US retailer Target said this week that sales and profit were "meaningfully softer" in the fourth quarter of 2013 due to the major in-store data breach experienced by the company in December, which saw the payment details of millions of its customers compromised.

Like-for-like sales decreased 2.5% in the fourth quarter, compared to the same period in 2012. A statement from the retailer said that it experienced positive comparable sales prior to the 19 December data breach announcement, followed by a noticeable downturn in the weeks afterwards.

Net income for the three-month period was $520 million, which was down 46% year on year. Although the company has put a number of processes in place to help concerned customers, as well as this week's statement indicating a recent improvement in sales, it is clear the payments problems in December have had a significant impact on the business.

Target is not able to estimate future expenses related to the data breach, with possible costs relating to potential claims by the payment card networks for alleged counterfeit fraud losses and those associated with civil litigation and governmental investigations.

"During the first half of the fourth quarter, our guest-focused holiday merchandising and marketing plans drove better-than-expected sales," explained the retailer's CEO Gregg Steinhafel.

"However, results softened meaningfully following our December announcement of a data breach. As we plan for the new fiscal year, we will continue to work tirelessly to win back the confidence of our guests and deliver irresistible merchandise and offers, and we are encouraged that sales trends have improved in recent weeks."

Prime target

In technology solutions provider Verizon's 2014 PCI Compliance Report, which was published earlier this month, it was stated that payment card transactions remain a prime target for attackers, with the rate at which data breaches are occurring apparently increasing.

Target is not alone in terms of suffering data attacks, it would seem, with The Nilson Report estimating that global credit card fraud exceeded $11 billion in 2012 alone. 

According to the study, in most cases, payment card data breaches are not a failure of security technology or of compliance with the Payment Card Industry Data Security Standard, but rather a failure to implement appropriate compliance and security measures, as intended.

Verizon argues that the areas where businesses struggle the most in achieving initial compliance are, security testing, security monitoring and the ability to effectively detect and respond to compromised data.

Rodolphe Simonetti, managing director, PCI practice, Verizon Enterprise Solutions, said: "Anything less than 100% compliance is an issue for businesses today.

"We have seen time and time again that noncompliance leaves an organisation open to credit card theft, which can potentially cost hundreds of millions of dollars when you factor in all the damages, not to mention lost consumer trust and the impact on brand reputation. Organisations need to rethink how they factor in maintaining a PCI-compliant environment, whether it’s devoting more resources or working with a managed security services provider."

Regaining trust

Target is now working on improving its brand image and payment security systems and has already made a number of moves to show it is taking December's problems seriously and working to regain customer trust.

In January, the business announced it will invest $5 million in a cybersecurity campaign run by consumer protection groups to educate people about e-crime and the dangers of phishing scams.

Chief financial officer at Target, John Mulligan, also announced in February that the company is accelerating its implementation of smart card technology, which is designed to reduce the threat of credit and debit card fraud in-store.

Mulligan said the retailer will equip its proprietary REDcards and all of its store card readers in the US with chip-enabled smart card technology by the first quarter of 2015 – sooner than originally planned.

"Updating payment card technology and strengthening protections for American consumers is a shared responsibility and requires a collective and coordinated response," he explained.

"On behalf of Target, I am committing that we will be an active part of that solution."