Target faces bigger challenges in breach


Published: Wednesday, March 5, 2014 at 1:29 p.m.
Last Modified: Wednesday, March 5, 2014 at 1:29 p.m.

History doesn't always repeat itself.

The hit to TJX Cos. was minimal after it disclosed in 2007 a massive data breach of customer information at its T.J. Maxx, Marshalls and HomeGoods stores.

But Target Corp. isn't faring as well: More than two months after it revealed that hackers stole credit card numbers and personal data of millions of its customers, Target's sales, profit and stock prices have dropped.

What's worse, the nation's second largest discounter faces the prospect that some shaken shoppers may not return to its stores for a long time. In fact, Target recently said it expects business to be muted for some time, though it said sales are recovering since the breach was disclosed in mid-December.

Although the data breaches at the two retailers each affected millions of shoppers, analysts say a combination of factors makes Target's challenge bigger. Those include the timing of each company's disclosure and Americans' heightened sensitivity toward privacy concerns now versus before the TJX breach.

The retailers' fates are playing out differently so far. TJX's stock slid 12 percent in the weeks after the breach disclosure to as low as $13. But by the end of 2007, the shares rebounded and today, they're trading at about $58.

Sales also weren't derailed in the breach's aftermath: Revenue at stores opened at least a year, an important retail measurement, were up a better-than-expected 4 percent for the year following the breach.

Target's stock had fallen 11 percent since it disclosed the breach in mid-December.

Too much information?

Analysts say one reason Target is suffering more than TJX did may have something to do with the timing of their disclosures.

Target disclosed on Dec. 19 the data breach compromised 40 million credit and debit card accounts between Nov. 27 and Dec. 15. Target said it disclosed its breach within days of finding out about it, shortly after the news was leaking online. But the news came at the worst time for a retailer: During the final days before Christmas, the busiest shopping period of the year.

Then, Target revealed the theft was wider than originally believed a month later. On Jan. 10, it said hackers also stole personal information — including names, phone numbers as well as email and mailing addresses — from as many as 70 million customers.

Target has said there is some overlap between the two batches of data stolen. When the final tally is in, Target's breach may eclipse the theft at TJX, which is the largest incident for a retailer on record.

Conversely, TJX found out about its breach in mid-December 2006, but didn't make it public until the following month. TJX's theft compromised more than 90 million records over an 18-month period starting in mid-2005.

Struggles elsewhere

The fallout from Target's breach also comes as the company is struggling with other problems whereas TJX's business was doing well at the time of its disclosure.

Target was already experiencing sluggish sales in the U.S. as it's faced increased competition from online retailers and other rivals. Abroad, it's facing disappointing results from its first international expansion into Canada.

"This is hitting (Target) when they already have rough challenges," said Amy Koo, an analyst at Kantar Retail, a consulting group.

On the other hand, the breach at TJX happened as its formula of offering big discounts on major fashion and home brands was resonating even more.

Costs, costs, costs

Target also may pay a heftier price financially than TJX because it's breach could cause more damage.

Target said it can't yet estimate how much the data breach will cost it in total. But Avivah Litan, a security analyst at technology research firm Gartner Inc., a technology research firm, puts the costs of the Target breach at between $400 million and $450 million, including bills associated with fines from credit card companies and services for its customers like free credit report monitoring.

But TJX's costs, which Litan estimated at about $275 million, pale in comparison.

Litan said Target faces more costs because there was more damage from the breach. In the case of TJX, about three-quarters of the cards compromised had either expired by the time of the theft or had masked data in the magnetic strip, meaning the information was stored as asterisks rather than numbers.

"It took the criminals much longer to get them to the black market and then turned into counterfeit cards," Litan said of the TJX breach. "This time, the criminals moved with lightning speed to cash out."

Reader comments posted to this article may be published in our print edition. All rights reserved. This copyrighted material may not be re-published without permission. Links are encouraged.

▲ Return to Top