CRS – The Target Data Breach: Frequently Asked Questions. N. Eric Weiss. Specialist in Financial Economics; Rena S. Miller, Specialist in Financial Economics. April 22, 2014.
“According to Target, in November and December of 2013, information on 40 million payment cards (credit, debit, and ATM cards) and personally identifiable information (PII) on 70 million customers was compromised. The Secret Service has announced that it is investigating the data breach, but has released no details. In congressional hearings, Target’s executive vice president testified that an intruder used a vendor’s access to Target’s to place malware on the point-of-sale (POS) registers. The malware captured credit and debit card information before it was encrypted, which would render it more difficult (or impossible) to read. In addition, the intruder captured some strongly encrypted personal identification numbers (PIN). It is very unlikely that all 40 million payment cards compromised at Target will be used in fraudulent transactions. Some cards will be canceled before they are used, some attempts to use valid cards will be denied by the issuing financial institutions, and there will be no attempt to make fraudulent use of some. According to media reports, some financial institutions have issued new cards to all of their cardholders, and others have decided to depend on antifraud monitoring. Initially, Wells Fargo, Citibank, and JPMorgan Chase replaced debit cards, but not credit cards, while Bank of America and U.S. Bank are depending on fraud detection. Target has reported that in its fourth quarter of its 2013 fiscal year, which ended February 1, 2014, it had $61 million in pretax expenses due to the data breach, and expected to recover $44 million from insurance, resulting in a net cost of $17 million before tax, or $11 million after tax. This $11 million is $1.53 per card before insurance and tax deductions or $0.28 per card after insurance and taxes.”