The Target Breach, By the Numbers
News that Target’s CEO Gregg Steinhafle is stepping down has prompted a flurry of reports from media outlets trying to recap events since the company announced a data breach on Dec. 19, 2013. Sprinkled throughout those reports were lots of numbers, which got me to thinking about synthesizing them with some of the less-reported numbers associated with this epic breach.
40 million – The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013.
70 million – The number of records stolen that included the name, address, email address and phone number of Target shoppers.
46 – The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.
200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.
100 million – The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards.
0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions).
0 - The number of people in Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target (according to the AP).
18.00 – 35.70 - The median price range (in dollars) per card stolen from Target and resold on the black market (range covers median card price on Feb. 19, 2014 vs. Dec. 19, 2013, respectively).
1 million – 3 million – The estimated number of cards stolen from Target that were successfully sold on the black market and used for fraud before issuing banks got around to canceling the rest (based on interviews with three different banks, which found that between 3-7 percent of all cards they were told by Visa/MasterCard were compromised actually ended up experiencing fraud).
53.7 million – The income that hackers likely generated from the sale of 2 million cards stolen from Target and sold at the mid-range price of $26.85 (the median price between $18.00 and $35.70).
55 million – The number of dollars outgoing CEO Gregg Steinhafel stands to reap in executive compensation and other benefits on his departure as Target’s chief executive.
Update, May 7, 10:00 a.m. ET: The Guardian yesterday ran an op-ed that I wrote about the departure of Target’s CEO and the need for greater focus on security from the top-down across the retail industry.
Source: https://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/