2014 was the year of breaches for Target and Home Depot.Target’s breach costs, of course, were the result of a spillover from the attack that hit during the company’s 2013 fourth quarter. And the year of breaches only got worse when Home Depot got hit in September. Now, both companies have provided full-picture outlooks of just how much the breaches impacted the retailers as they reported on their Q4 earnings this week.Home Depot reported Tuesday (Feb. 24) and reported that the net expenses of the data breach cost the company roughly $33 million. Home Depot CFO Carol Tomé shared briefly in the call with analysts about how the breach costs break down.“In the fourth quarter, our gross data breach expenses were approximately $20 million. After estimating our insurance recovery, we recorded approximately $5 million of net data breach related expenses in the quarter. For the year, our gross data breach expenses were approximately $63 million, and after expected insurance recovery our net data breach expenses were approximately $33 million,” she said, later noting that the 2015 guidance for the company did not include any “expenses that we may incur in the future for data breach-related claims.”
As for Target, the company reported yesterday (Feb. 25) that the total breach expenses incurred from its massive data breach amounted to $162 million (2013 and 2014 figures combined). For Target’s fourth quarter, it incurred $4 million worth of breach-related expenses. Full-year net breach expenses were $145 million ($191 million offset by $46 million insurance receivable). As for fourth quarter in 2013, Target’s breach expenses hit $17 million ($61 million offset by $44 million insurance receivable).“A year ago, we were in the recovery mode, working to repair guest relationships following the data breach while we undertook an assessment of the long-term prospects for our Canadian business,” Target CEO Brian Cornell said in the call with analysts. “Fast forward to today and we’ve ended the year with the data breached fully behind us and that we’ve made tough decision to execute the Canadian business.”30, 2014CONTACT: Zan McKelway, CUNA Communications/ (202) 508-6701, zmckelway@cuna.coopHome Depot Data Breach Cost Credit Unions Nearly $60 MillionSurvey shows September violation affected 7.2 million cards;
‘Congress must act’The data security breach at Home Depot stores in September cost credit unions nearly $60 million to reissue cards, deal with fraud and cover other costs, according to the results of a new survey of credit unions, released today by the Credit Union National Association (CUNA).The CUNA survey, which asked credit unions to report the effects of the Home Depot breach (first announced Sept. 18), found that 7.2 million credit union debit and credit cards were affected by the breach. The results further show that the cost of the violation per card issued by credit unions was $8.02 (which included costs for reissuing new cards, fraud and all other costs – such as additional staffing, member notification, account monitoring and others).Conducted from Oct. 1 to Oct. 24, the CUNA survey is the second this year by the nation’s largest trade group for credit unions to gauge the impact of data breaches on credit unions. In January, CUNA conducted a similar survey in the wake of a data breach at Target stores in December.
That survey found that the Target breach cost credit unions nearly $30 million. The Home Depot breach costs – at $57.4 million nearly twice as much as the Target breach – affected more credit union debit and credit cards and the cost per affected card was considerably higher in the case of the Home Depot breach.Further, the most recent CUNA survey found that – to date -- credit unions have not been reimbursed for the costs they incurred as a result of the Target breach. “The cost to credit unions of data breaches – which seem to be occurring with increasing regularity – is rising, as the CUNA surveys clearly demonstrate,” said CUNA President and CEO Jim Nussle. “The bottom line is that credit union members end up paying the costs – despite the fact that the credit unions they own had nothing to do with causing the breach in the first place.”Nussle added that all participants in the payment process have a shared responsibility to protect consumer data. “However, the law and the incentive structure today allow merchants to abdicate that responsibility, making consumers vulnerable,” Nussle said.
“Congress has a role to play in addressing the issue of merchant data breaches by making sure all of the participants are playing by the same set of data security rules, and that merchants who hold consumer data and allow that data to be breached, are responsible for the costs incurred by others.“Congress must act to protect consumers by taking steps to enhance data security standards for merchants,” the credit union leader said.CUNA Chief Economist Bill Hampel, who conducted the survey, said the results show that more than four in every five (80.1%) of credit unions affected by the breach have reissued or will reissue all affected cards. Nearly one in five (18.5%) will reissue or have selectively reissued cards in response to member requests or other factors. The remainder – 1.4% -- do not plan to reissue any cards.“Card reissuance is an expensive proposition, representing about a quarter of the total costs to credit unions of these breaches,” Hampel said. “But our latest survey found that fraud is the most expensive component of costs, amounting to $4.89 for each card, or 60% of the total costs.”
Credit unions responding to the survey (835 total) have issued a total of 20.1 million cards outstanding (14.9 million debit cards and 5.2 million credit cards). The total represents 28.2% of the 53.0 million debit cards issued by credit unions, 32.5% of the 16 million credit cards outstanding, and 29.2% of the total of 69 million cards outstanding.For additional information, select the 'Results' tab.CUNA Home Depot Breach Survey ResultsOctober 29, 2014On October 1, CUNA posted an online questionnaire for member credit unions to report the effects of the Home Depot data breach first announced onAll league/CUNA affiliated credit unions offering either debit and/or credit cards received an email from CUNA CEO Jim Nussle requesting completion of the survey, and a reminder email two weeksThe survey was also publicized in CUNA’s online daily “NewsNow,” and has been prominently featured on CUNA’s home page. 24, a total of 835 credit unions had responded.
information on the number of cards outstanding, the number of affected cards, and estimates of the costs to date resulting from the breach. This report summarizes the results of the survey. responding credit unions, 68 reported that they had not been notified of any affected cards*, and another 223 credit unions either did not complete the survey, or did not provide estimates of the cost of theTherefore, data from 544 responding credit unions is usedThese responding credit unions collectively have issued 14.9 million debit cards and 5.2 million credit cards, for a total of 20.1 million cards outstanding. That represents 28.2% of the 53.0 million debit cards issued by credit unions, 32.5% of the 16 million credit cards outstanding, and 29.2% of the total of 69 millionSUMMARY RESULTS:91.8% of responding credit unions had been notified by their processor or network that some of their members’ cards had been affected by the Home Depot breach.
The number of affected debit cards at reporting credit unions amounts to 11.4% of outstanding debit cards at those credit unions. Projecting to the population, we estimate that 6.0 million credit union debit cards were affected.The number of affected credit cards at reporting credit unions amounts to approximately 7.0% of outstanding credit cards at thoseProjecting to the population, we estimate that 1.1 million credit union credit cards were affected.The total number of affected debit and credit cards at reporting credit unions amounts to 10.3% total cards outstanding at those creditProjecting to the population, we estimate that a total of 7.2 million credit union debit and credit cards were affected by the breach.Responding credit unions report the following actions or plans concerning card reissuance:80.1% will reissue or have reissued all affected cards.18.5% will reissue or have selectively reissued cards in response to member requests or other factors.1.4% do not plan to reissue any cards.
Credit unions report the following changes in call volume by members asking about the Home Depot breach, compared to normal for the time of year:Call volume about normal: 15.5% of respondents,Call volume up by less than 10%: 29.2%,Call volume up by 10% to 25%: 34.7%,Call volume up by 25% to 50%: 13.6%,Call volume up by 50% to 100%: 4.0%,Call volume up by more than 100%: 3.0%. 36.6% of credit unions report having to increase staffing (additional overtime, shifts, etc.) as a result of the Home Depot dataCredit unions were asked to report three cost items related to the Home Depot breach: card reissuance, fraud, and all other costs resulting from the breach (additional staffing, member notification,The amounts of reported costs across all responding credit unions per affected card at all responding credit union were:Card reissuance: $2.64 per affected card.**Fraud: $4.89 per affected card.All other costs: $0.50 per affected card.bining the estimate 7.2 million
cards affected and the $8.02 total cost per affected card, our estimate for the total cost to credit unions to date of the Home Depot breach isThis cost estimate is substantially higher than our similarly derived estimate of slightly more than $30 million from the Target breach of December 2013. This is because more credit union cards were affected by the Home Depot breach, and the cost per affected card was considerably higher in the case of the Home Depot breach. date, credit unions have not been reimbursed for the costs they incurred as a result of the target breach. Prepared by:Bill Hampel, Chief Economist and Chief Policy OfficerCredit Union National Association *An “affected” card is a debit or credit card about which the credit union’s processor or network has informed the credit union that the card has been or may have been compromised in the breach.**These are costs averaged across all affected cards, not just cards that have been reissued.