If there's a case study every employer should review about cyber and reputational risks, it's the one still unfolding about the massive data breach that exposed personal financial information of millions of Target Corp. customers last month during the busiest stretch of the holiday shopping season.
The nation's third-largest retailer announced on Dec. 18 that 40 million of its credit and debit card accounts were compromised in the breach, which occurred from Nov. 27 until Dec. 15. The data pilfered by cyber thieves included customer names, card numbers, expiration dates and three-digit security codes embedded in the magnetic stripes of the charge cards. The breach is believed to be the second-largest in U.S. history and it's the most widely publicized in the retail sector since the data theft that beset TJX Cos. in 2007.
The fallout from this breach gave Target a big black eye at the worst time of the year. The holiday shopping season traditionally is that two-month stretch at the end of the year when consumers' frantic spending on Christmas gifts pushes retailers into the profitable category for the year. After news broke of the breach, many shoppers said they were wary of using their plastic cards at the Minneapolis-based retailer.
Certain angry Target customers have filed lawsuits, and likely more will follow.
A cyber breach of this magnitude would test any company's risk management program. How deftly, or not, Target handles this test of crisis management will have a direct effect on its bottom line — and on its corporate reputation for a long time. Thus far, the retailer's public response has been mediocre at best. Initially, it denied news reports that customers' debit card PIN data was stolen in the breach. Then, a few days later, Target said that PIN data encrypted in the cards was indeed exposed.
As data breaches mount, many businesses are beginning to understand the need for cyber insurance. However, the take-up rate doesn't match the sharp increase in cyber theft since 2010.
As this troubling Target saga continues, we hope companies large and small already see two lessons: assess their organizations' cyber risks and determine how to minimize them, and consider whether a cyber insurance policy would be a good investment.