Target Corp. widened the list of risks it faces from the holiday-season cyberattack by saying Friday it expects to be accused by payment-card companies of running a substandard data network.
Target is facing more than 80 lawsuits and investigations as a result of the data breach that exposed the financial and personal information of tens of millions of its customers to hackers. In a filing sent to federal securities regulators, the Minneapolis-based retailer said its financial liability depends in part on whether courts and juries find that its payment card system at the time of the attack complied with industry standards.
“While that portion of our network was determined to be compliant by an independent third-party assessor in the fall of 2013, we expect the forensic investigator working on behalf of the payment card networks to claim that we were not in compliance,” Target said.
The statement came in a government filing known as a 10-K that all publicly traded companies write once a year and that typically forms the legal foundation of a corporate annual report.
Such documents routinely contain a section of “risk factors” that use sweeping terms to signal to investors that many things can affect a business and its stock. As in previous years, Target’s new discussion of risk factors included macroeconomic conditions, weather, potential interruptions in transportation, labor unrest, changes in tax rates and other circumstances it can’t control.
But the company this year added several sections related to the effects of the data breach, in which hackers in late November accessed Target’s computer systems via stolen credentials of a heating and refrigeration contractor. Once inside, they planted a so-called malware program that scraped payment card data for more than two weeks before the company cut off their access after being notified of the breach by federal investigators.
Target estimates the thieves acquired personal or payment information for as many as 110 million Target shoppers, one of the country’s largest consumer data breaches.
Much of the discussion in Friday’s document echoed earlier statements made publicly by Target executives and in a separate filing to securities regulators last month. For instance, it repeated previous statements that Target’s own investigation may identify more stolen data, a prospect that “could materially worsen the losses and reputational damage we have experienced.”
But the discussion of the expected conflict with payment card companies was new and was cited by Target as one reason it can’t estimate how much the cyberattack will ultimately cost.
Target said financial and payment card companies have, in other instances of data breaches, accused retailers of having data networks that didn’t meet standards. “As a result, we believe it is probable that the payment card networks will make claims against us,” the company said in its filing.
Target added that it eventually expects to reach legal settlements with such firms. A Target spokeswoman declined to comment on the new material in the 10-K.
Michelle Leder, editor of Footnoted.com, a website that tracks corporate filings, said the 10-K and its filing last month are a signal to investors that the costs of the breach are going to effect the company for the foreseeable future. “They’re probably going to be dealing with this for several years,” she said.
The system for ensuring payment card security in the United States is a closely guarded arrangement among the credit card networks who set it up, the banks who process payments for merchants, and retailers like Target. However, no regulator ensures that companies meet minimum requirements for protecting data. Banks and credit card companies determine fault on a case-by-case basis through private contracts with retailers. Fines and the reasons for them remain sealed.
Target said Thursday that the company had detected “a small amount of … activity” by the cyber thieves in late November, responding to a media report that it failed to act on the early warning. The retailer said it is evaluating whether someone missed an opportunity to recognize the scope of what eventually became the prolonged access to its systems.
In addition to the legal issues raised on Friday, the company also acknowledged that the breach continues to dampen sales.
“We believe that the greatest risk to our business arising out of the data breach is the negative impact on our reputation and loss of confidence of our guests,” it said.
Staff writers Patrick Kennedy and Neal St. Anthony contributed to this report.