Data Breaches – What They Mean For Retailers, Consumers And Investors
by Stephanie Schneider, Columbia Management
- More than 1,000 retailers have been affected by the same malware that caused Target Corporation (NYSE:TGT) and The Home Depot, Inc. (NYSE:HD) data breaches.
- The number of data breaches will continue to increase and cost retailers millions in IT spending and damage control.
- The cost of a mandated transition to a more secure “chip and PIN” payment method has already been included in capital expenditure guidance.
There have been data breaches at multiple retailers over the last year. While the media has focused on the largest breaches at Target and Home Depot, hackers also stole customer data from Neiman Marcus, White Lodging, SUPERVALU INC. (NYSE:SVU), Easton-Bell Sports, Harbor Freight Tools, Dairy Queen, Michael’s, Sally Beauty Holdings, Inc. (NYSE:SBH), United Parcel Service, Inc. (NYSE:UPS), Goodwill and P.F. Chang’s China Bistro (NASDAQ:PFCB).
How does a data breach happen, and why does it take so long to be detected? Recent breaches at Target Corporation (NYSE:TGT) and Home Depot were Advanced Persistent Threat (APT) breaches. To perform these attacks, hackers typically break in through a vendor’s system to access the target’s internal network. For instance, Target’s network was infiltrated via an access point with one of its air conditioning vendors. Once inside the network, malware is deployed that navigates its way to the point of sale (POS) without triggering security systems and software. Once in the POS network, the malware obtains stored customer card information from each magnetic credit card swipe. The information is then dumped in batches on servers through a remote access software connection (like a VPN). At this point the credit card data is sold on the black market to ill-intended users. Such users typically hit the credit card with a very small fraudulent charge (to see if it functions and if the fraud is detected) before proceeding to a larger fraudulent charge. Since the malware remains undetected by internal systems and security software, the data breach is only identified when the origin of a batch of stolen credit card information is identified. Often identification occurs by infiltrating hacker servers or by connecting the dots on a multitude of fraudulent charges across millions of credit cards.
Exhibit 1: Total malware count
Total sample count broke through the 200 million level
Source: Piper Jaffray, McAfee Labs Threats Report, June 2014
The U.S. Department of Homeland Security and the Secret Service estimate that over 1,000 retailers have been affected by the recent BlackPOS and Backoff malware, including Target Corporation (NYSE:TGT) and The Home Depot, Inc. (NYSE:HD)*. According to McAfee, “The range of total global cybercrime falls between $300 billion and $1 trillion” a year**. It is clear that this is only the tip of the iceberg and more breaches will be uncovered. According to Symantec’s 2014 Internet Security Threat Report, “there were 253 total breaches in 2013, resulting in 552 million identities exposed.” (Piper, p. 5)
For investors, it is important to understand and gauge the impact of fraud on business fundamentals as well as on consumers’ shopping habits.
What it means for business fundamentals
The actual impact of the breach will cost the company millions of dollars in nonrecurring costs. For instance, the last data breach at Target Corporation (NYSE:TGT) had an original estimate of $1 billion in costs for 40 million customer cards and 70 million customer data records. That estimate is now down to $148 million in costs, with $38 million covered by insurance. In addition, a retailer will need to increase customer communication and promotions in order to maintain its brand image, which will also require investment in a PR campaign.
Retailers will be forced to increase their IT spending on security and customer data protection while increasing investment in e-commerce. Going forward, investors should expect IT spending on security to increase in lockstep with a firm’s network complexity. The more complex the network, the more entry and exit points need to be monitored. A company can spend anywhere between 1%-5% of sales on IT and almost 50% of companies expect their network security budget to increase in 2014.
Exhibit 2: Network security leads the security tech spending budget
While investing in security systems can help prevent breaches, retailers are also likely to transition to chip and PIN (a more secure technology) from magnetic strips. Most retailers have already included the cost of this overhaul in their capital expenditure budgets or have already updated their POS systems with terminals that include a chip and PIN slot. In fact, The Home Depot, Inc. (NYSE:HD) was in the process of converting all of its stores during this breach. In addition, the EMV (Europay MasterCard Visa) deadline to replace every payment terminal with a chip and PIN solution is October 2015.
What it means for consumers and investors
Although credit card fraud can negatively affect retailers and consumers, it may also provide an investment opportunity. Software, insurance and POS hardware companies can all benefit from retailers’ need for enhanced data protection. Retailers always strive to meet customer needs in store and online. With the recent launch of Apple Inc. (NASDAQ:AAPL)’s NFC (near field communication) mobile wallet and Merchant Customer Exchange’s CurrentC, it is clear that technology and retailers are joining forces to create a secure and reliable environment suitable for customers to shop with confidence in store, online and with their mobile devices. Retailers that successfully implement these changes are more likely to gain consumer loyalty and market share.
UPDATE: 9/17/2014 9:10PM EST – A prior version of this article incorrectly stated that Petsmart was a victim of a data breach. The current version of this text has removed Petsmart from the list of retailers hit by hackers.