Probably one of the most infamous payment data breach cases ever was the massive attack on Target stores in 2013, which led to the loss of 110 million payment card numbers and the personal information of over 70 million shoppers. However, Target was “confident” that customers’ accounts had not been compromised, because the information was encrypted.
Key highlights of the Target data breach:
- Malware designed to steal information from 1,797 of Target’s US stores was installed in its payment system. All this happened days prior to Thanksgiving 2013.
- Target had installed a malware detection tool from FireEye—whose customers also include the CIA and the Pentagon—about six months prior to the attack. Target also had a team in Bangalore to monitor its computers.
- FireEye and the team in Bangalore had detected the attack and had informed Minnesota on November 30 and December 2.
- Federal investigators warned Target of a large-scale attack on December 12.
- Target confirmed the hack on December 13, also confirming that card numbers had been stolen.
- The FireEye system has an option to automatically delete malware as and when it’s detected, but Target’s security team turned that function off.
- According to Target’s latest SEC filing, the company has incurred a total of $191 million in expenses with regard to the breach, primarily legal fees.
Settlement with the customer:
Each victim of the data breach can get up to US $10,000. The total outlay for the data breach is US $10 million. However, the money is available only to customers who can demonstrate a loss, and the entire onus of proving the loss lies with the customer. It is estimated that only a few customers would manage to get $10,000, while many of the affected customers may get only $100.
Settlement with the issuers:
In early March 2015, MasterCard offered issuers a $19-million settlement as compensation for the Target data breach. The $19 million was reimbursement for fraudulent charges and for the costs that card issuers incurred in reissuing cards that had been compromised during the breach. The settlement needed agreement from at least 90% of MasterCard issuing banks and credit unions.
The banks argued that the settlement represented only a fraction of their losses, which they estimated at more than $160 million (half towards issuing new cards and the other half to fraud). MasterCard’s offer was not accepted, as the required 90% of the banks and credit unions did not agree to it. Citigroup, Capital One and JPMorgan Chase, which account for more than 40% of the branded cards, did not approve the deal. The future of the MasterCard deal is unclear, as banks expect better compensation in court. Meanwhile, Target is still in settlement negotiations with Visa.