The Hacker’s Gift That Just Keeps on Giving


The massive breach of customer data at retail giant Target during last year’s holiday shopping season is a gift of bad news that just keeps on giving. The malware that was introduced to Target’s POS system between November and December 2013 affected more than 70 million customers and is forecasted to cost the retail giant more than $148 million. But the costs associated with the historic breach are about to increase if a ruling by Judge Paul A. Magnuson of the Minnesota District Court survives appeal.  The judge ruled that Target was negligent in the massive 2013 holiday shopping season data breach and clears the way for banks and other financial institutions to pursue compensation via class-action lawsuits. The Minnesota court decision clears the legal pathway for pending lawsuits by banks and credit unions looking to recover billions of dollars it incurred for replacing customer credit cards.

The decision is a breakthrough for credit and debit card issuers, which traditionally bear the brunt of costs arising from hacker attacks on retailers, because issuers have to replace cards and respond to customers’ concerns. Industry analyst have previously predicted that Target and other retailers will eventually find themselves liable for stolen identities and bank fraud stemming from the high-profile point-of-sale (POS) breaches.

Credit Union National Association president and CEO Jim Nussle says, “As we have documented in two surveys this year, data breaches at retailers have cost credit unions and their members a minimum of $90 million—and those are the costs only for breaches at Target, for $30 million, and Home Depot, at nearly $60 million.”

There has been a considerable increase of retail security breaches in 2014 and this decision opens the possibility that other retailers such as; Kmart, Dairy Queen, Home Depot and Neiman Marcus could now experience similar claims of liability. Financial damage from security breaches has increased 12 to14 percent over last year with 94 percent of companies reporting a cyber-security issue in 2014.

The attack at Target is some-what unique and was made possible by their poor network sequestration and the big-box giants failure to respond to an early-warning system that was in place to protect the system from just such an attack. “Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur,” Magnuson wrote in his ruling. “Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case.”

The implication of the ruling for both large and smaller retailers is obvious for those businesses that fail to take the collection of sensitive information, such as credit cards or social security numbers, seriously.  It is imperative that retailers implement the strictest security standards and heed warning signs of possible intrusions when they occur in order to avoid possible liability and financial devastating. The lump of coal delivered by hackers to Target last Christmas is likely to continue to burn holes in their profits for years to come.

Image courtesy of Stuart Miles at