Between November 27 and December 15, Target was the victim of a massive data leak. Hackers broke into Target's sales records and stole credit and debit card information for almost 40 million accounts.
How big was this data breach? Imagine taking New York, Los Angeles, and the other largest 25 cities in the United States and combining their populations. That's what 40 million people look like.
Given that the Ponemon Institute found that the average cost of a data breach in 2012 was $188 per record, Target could be looking at a bill for $7.5 billion to recover. Ouch.
What Happens After a Data Breach?
While the breach was bad news for Target and its customers, it can be a useful tool for IT security experts who want to look behind the scenes of a data breach. Here's a look at how events might unfold in a typical (or unusually large) data breach.
- Black Friday. Hackers obviously picked the busiest shopping season in order to maximize the number of stolen credit card accounts they could get. Research shows that the holiday season is actually the year’s busiest for data breaches.
- Rumors of a breach. Data security journalists picked up the story before Target confirmed it. If one of your clients is hacked, they may try to limit the damage by releasing carefully worded statements and preparing their customers for the bad news. However, many data breaches are first reported by journalists before a company's P.R. specialists have a chance to perform damage control.
- Stolen data appears online. Hackers and identity thieves make money by selling stolen information online. These black-market websites, sometimes called "card shops," sell card information for between $20 and $50 a card. The massive influx of stolen data on these sites alerted security firms that there had been a major information breach.
- Customer backlash. A day before Target's CEO acknowledged the attack, a customer in California was already filing a lawsuit against the company. In these situations, individual customer lawsuits are often joined together into a class action lawsuit, which can be more expensive for the defendant.
- Target acknowledges the attack. Target officially confirmed the cyber attack and promised to protect its customers from fraud by offering free credit monitoring. Target’s call centers were overwhelmed with customers seeking help and more information. In an effort to restore their reputation, Target offered a 10% discount for shoppers on December 21st and 22nd.
- Onslaught of bad press. With its stock price falling and almost every newspaper in the country running stories about the breach, Target is looking to survive the damage done to its reputation.
- More bad news. Initially, Target thought that hackers were unable to steal debit card information and PINs. However, on Christmas day, reports showed that thieves were able to steal encrypted PIN data.
What will happen next is a long, slow process of preventing identity theft. Many banks don't want to send new credit/debit cards to customers after a breach like this because it costs them a few dollars to make each card. Multiply that cost over millions of accounts, and you can see why they're hesitant. Instead, banks and security firms watch customer accounts for signs of fraud.
In other words, a data breach response is about putting out the thousand small fires that follow, stopping each individual case of fraud or identity theft as it occurs.
What IT Consultants Can Learn from Target's Data Breach
Target's breach was the second largest data breach in U.S. history. Even though it was historically big, much of what happened can be instructive to smaller IT firms.
Here are four takeaways that will help you prepare your own data breach plan:
- Data breaches involve many people. In the Target data breach, many people are involved in the cleanup: banks, security firms, insurance companies, credit monitoring companies, and of course, the millions of customers affected.
- Data breaches have many expenses. Between P.R. campaigns, customer discounts, bank fees, credit-monitoring costs, and more, a data breach leads to numerous expenses. And that doesn't include the cost of the lawsuits that often follow.
- A data breach response is never-ending. The announcement of the breach and launch of P.R. campaigns are just the beginning. Target will be paying to monitor its customers' credit while banks look to nip any identity theft in the bud.
- Software and IT companies can be sued. Because the breach occurred on Target's point-of-sale systems (the networks of linked credit card terminals and cash registers), you can be sure that Target is considering suing the company that made these products.
While you might not have any clients with 40 million customers, these basic lessons still apply to your business. The complicated, expensive, and never-ending nature of a data breach can lead to a lawsuit in which a client seeks to recover damages from your business.
After a data breach, companies can sue their IT consultants for damage to their reputation, lost profits, and expenses related to the cleanup. Fortunately for IT businesses, Errors and Omissions Insurance covers data breach lawsuits as well as other tech liabilities.