Target has now rung the cybercrime bell loud and clear for Luddite corporate bosses. The U.S. retailer’s tab relating to the theft of up to 110 million customer records could surpass $1 billion. For any company, it’s a meaningful sum that cannot be ignored.
Comparable sales at the 1,900-store chain fell 2.5 percent in the quarter ended Feb. 1. They had been expected to be in line with the previous year, before the weeks-long breach was revealed amid the important Christmas shopping season. Apply the shortfall to the company’s roughly $20 billion of quarterly sales, and that’s about $500 million in lost business.
Assume unkindly that this all drops to Target’s bottom line, but further assume generously that revenue bounces back in future quarters. Throw in the small net expense the company reported relating to the data crime and apply the period’s 37 percent tax rate, and the mess provides one way to explain almost all the 46 percent decline in quarterly profit from the same time a year ago.
There are future costs to consider, too, particularly those relating to claims from the payment card networks dealing with the fallout. Target says it can’t yet estimate these reliably, but analysts at Jefferies have pegged the company’s share at a possible $400 million to $1.1 billion.
On the eve of testifying about the episode in the Senate earlier this month, Target Chief Financial Officer John Mulligan wrote in The Hill that his company was accelerating its $100 million investment in chip-enabled card technology. Add the burden of appeasing and responding to affected customers – not to mention 80 civil lawsuits plus state and federal investigations – and the total cost should easily exceed 10 figures. That’s more than Target’s full fiscal year 2013 pre-tax loss for its effort to break into Canada.
Target seems to have done a solid job responding to its cyber-crisis, and investors reacted positively to Wednesday’s earnings report. Chief Executive Gregg Steinhafel will surely take additional steps to improve network defenses and the company’s ability to detect suspicious activity. More importantly, though, Target’s experience should rouse boardrooms everywhere. In future, top executives who preside over a big cyber-attack may not get the same chance to lead the cleanup.