In the wake of late 2013’s massive Target breach, it stands to reason that cybersecurity providers and enterprises alike would be on high alert and their security standards higher than ever. Unfortunately, as 2014 and 2015’s string of breaches—from Home Depot to JPMorgan Chase, from large organizations to small—shows, the enterprise has a long way to go before it can consider itself protected from the consequences of the all-but-inevitable breach. Here’s a reminder of some of those consequences, drawn from Target’s 2013 and 2014 nightmare.
Target breach by the numbers
70 Million: The number of customer details compromised. That’s 70 million customers who suffered direct damage—whether to their actual credit reports or simply to their sense of security and trust in the retail giant—as a result of the breach. Of course, 70 million isn’t the number of customers whose trust in the brand diminished following the breach. That number is most likely much, much higher.
40 Million: Credit and debit card numbers compromised as a result of the breach. Here’s where the true value for cybercriminals, and the true damage for consumers, lies. Few pieces of data are more valuable on the cybercriminal black market, where consumer financial data that can be used to perpetrate identity theft is bought and sold and families’ financial status is endangered. But again, 40 million isn’t the number of consumers that lost their sense of security when shopping at Target: they are no doubt much more numerous.
$148 Million: Target’s monetary losses incurred by the breach. The company’s profits fell 46% within the first three months following the breach. By the time the dust settled, the cost of the breach, including “losses incurred from claims placed by payment card networks alleging fraudulent charges” as well as damage control measures like offering free credit monitoring to Target customers, had mounted to a whopping $148 million in less than a year. Lawsuits were filed, over 140 of them when counting consumer, bank/credit union, and shareholder cases. And two top executives, Target’s former CEO Gregg Steinhafel and Target’s former CIO Beth Jacobs, resigned less than half a year after the breach came to light.
The positives of the Target data breach nightmare
With the loss of its former CEO and CIO, however, Target was able to move forward, taking on its first CISO, Brad Maiorino, in June of 2014 and perhaps setting a better example for enterprise cybersecurity leadership in the future.
As we look at the aftermath of the Target breach, two things should become clear to the security-conscious enterprise. The first is that breaches can happen to even the largest and most well-funded corporations. In today’s threat landscape, attempting to prevent any breach at all is a losing proposition. The wiser course of action is to secure enterprise data such that the risks incurred by a breach are mitigated, using measures like encryption and tokenization so that even when cybercriminals exfiltrate sensitive data, they are unable to make any use of it or even to read it at all. And the second is that in today’s environment, strong security leadership is a must at the executive table.