U.S. banks have spent more than $153 million so far replacing 15.3 million debit and credit cards after the huge data heist from Target Corp., and the numbers are only growing.
The Consumer Bankers Association announced the numbers Tuesday, saying that as more retailers announce breaches, the price tag for banks could grow to “hundreds of millions of dollars, and possibly billions.”
It’s time for Target to step up to the plate and pay some of the costs for one of the largest data thefts recorded in the United States, the industry group said.
“I cannot think of another breach where one out of three Americans were affected,” said Richard Hunt, head of the Consumer Bankers Association. “They’ve been silent since their first and only response to this. They’ve been hiding behind the retail trade associations.”
The association’s members include many of the country’s largest banks, and Hunt’s punch reflects long-standing tensions between the banking industry and retailers over who is responsible for the growing cost of card fraud.
Target spokeswoman Molly Snyder said she can’t address the reimbursement process “as that is between Target and the banks.” She reiterated that shoppers have zero liability for any fraudulent charges resulting from the breach.
The theft affected as many as many as 110 million people and remains under investigation, as lawsuits accusing Target of failing to adequately protect sensitive customer information pile up in courts across the country.
The Minneapolis-based retailer has at least $100 million of cyber insurance and $65 million of directors and officers liability coverage, according to Business Insurance magazine, citing unnamed industry sources.
TJX Companies Inc., parent of T.J. Maxx and Marshalls stores, suffered a similar-size data theft in 2007. It paid out at least $64 million to settle litigation, including a $9.8 million settlement with a multistate group of attorneys general and a $40 million payment to Visa Inc. and Fifth Third Bank, according to the Open Security Foundation, which tracks data thefts. The company’s total bill for the breach, including fixing its computer systems, is reported to be in the neighborhood of $250 million.
Banks have been scrambling to address the fallout from the Target breach with their customers. Some are replacing cards only when customers make the request or there is evidence of fraudulent charges.
Others, including Wayzata-based TCF Financial Corp. and U.S. Bancorp in Minneapolis, have taken the “replace them all” approach to cards that shoppers used in Target stores during the 19-day breach from Nov. 27 to Dec. 15.
Wells Fargo & Co. is the latest bank to shift gears and start proactively replacing cards. The company won’t say how many, Wells Fargo spokeswoman Natalie Brown said.
“Impacted customers will be contacted by Wells Fargo, and will receive a replacement card by mail,” Brown said.
The Consumer Bankers Association estimates that it costs an average of $10 for banks to replace a card, which is higher than the $4 to $5 figure often cited.
The 15.3 million cards replaced to date is a relatively small number given that U.S. shoppers carry 1.5 billion credit and debit cards, noted David Robertson, publisher of the Nilson Report.
But the customer service required for banks to help anxious customers, particularly with debit cards, is sizable. “That’s what adds up,” Robertson said.
The unanticipated spike in orders for new cards has sent card manufacturers into overtime. There’s been talk of some processing delays and scattered shortages of card stock. Card manufacturers say they’re coping well.
Giesecke & Devrient, one of the world’s largest card manufacturers, said it’s been adding shifts and hours to get the orders processed, as well as shifting jobs to facilities around the globe to balance the load.
Past breaches have caused similar issues, said Giesecke & Devrient spokeswoman Heather Klein, “but not to the magnitude of this all at once.
“It certainly has hit a lot of people all at once,” Klein said.