NEW YORK (MainStreet) Happy holidays, Target customers! Thought you'd pay less shopping at the discount outlet this Yuletide season? Think again: the store's massive data breach is likely to cost you some $4 billion, according to Javelin Strategy & Research.
"The numbers are so big they defy belief," said Al Pascual, a senior analyst for security, risk and fraud at Javelin. "We've come to see that...breaches are really becoming the driver of fraud."
Target said Thursday that about 40 million credit and debit cards may have been compromised between November 27 and December 15. The data breach would be one of largest on record but is still likely smaller than one at TJX, owner of TJ Maxx and Marshalls, which came to light in 2007 after criminals accessed card numbers over four years.
Pascual estimates that the security failure will ultimately cost businesses and customers $18.9 billion. The majority of that loss will be borne by businesses, including financial institutions, credit card companies, merchants that lose money when the stolen card numbers are used fraudulently and Target itself. But consumers will also endure a heavy burden: they will likely pay about $4 billion directly for items purchased on their cards, and indirectly through lost wages and other costs associated with fighting the fraud.
Target spokeswoman Molly Snyder would not comment on Javelin's figures, saying only, "Right now we are focused on our guests and as we move forward we will address those questions."
The breach won't only hit consumers in their pocketbooks. It's likely to take up their time as well. Pascual estimates that Target customers will spend a combined 130 million hours resolving fraud.
The data theft was particularly harmful, because in addition to credit card numbers and expiration dates, Card Verification Value (CVV) codes, the three or four digit number on the back of credit and debit cards, were also stolen. This number is used to prove to online merchants that a cardholder has access to the physical card.
Storing the codes runs counter to compliance regulations, said Forrester Research analyst John Kindervag.
"By exposing CVV information Target has demonstrated a blatant disregard for...compliance regulations as well as card security best practices," he said. "This is a breach that should've never happened."
One of the reasons the Target theft is likely to be so costly is that data breaches are increasingly likely to result in fraud, said Pascual. In 2010, if a consumer's data was illegally accessed, they had about a one in 9 chance of having their card used fraudulently. By 2012, that had risen to an almost one in four chance, he said.
And, Pascual warns, while the size of Target's data breach is large, credit and debit card theft is hardly uncommon.
"I was surprised that Target suffered such a large breach, but in reality, it could have happened almost anywhere," said Pascual. "There is no perfect security."
--Written by Simone Baribeau for MainStreet