Target’s Data Breach Cost It Customer Sales. The Surprise? No Other Breached Retailer Ever Suffered Losses

Written by Evan Schuman
January 13th, 2014
When Target on Friday (Jan. 10) gave its periodic data breach update, it said something stunning, something that sets it apart from every major retail data breach for the past nine years. Namely, Target said that it suffered a sharp drop in shopper purchases after—and presumably as a result of—the chain announcing its breach. Although that might sound perfectly reasonable, it's very different from what retailers have experienced at every major breach since TJX back in 2005.

(An aside on Target's announcement. In that data breach announcement, it chose not only to disclose the sales hit and to increase the number of impacted shoppers, but also to casually mention that it was closing eight U.S. stores on May 3, 2014. Really, Target? You couldn't have waited a week to announce those May store closings? That was probably the most blatant "let's cram every bad piece of news we can think of and maybe the media will focus on only one of them" statement I've seen in an impressively long time.)

Before we explore that revenue loss, another interesting tidbit in Target's Friday update was that, beyond payment card data, the names, mailing addresses, phone numbers and E-mail addresses of as many as 70 million shoppers were also taken. This prompted some news media, including The New York Times, to say that Target had increased its victim count from 40 million to 110 million. That is not necessarily the case, although it might be. Target indicated that an unknown number of those new shoppers may have already been included in the initial 40 million figure. If we assume the overlap was 100 percent—unlikely, but please stick with me for a moment—that increases the number of impacted shoppers to 70 million. If there's zero overlap—which is even less likely—the breach number hits 110 million.

Had Target run a de-dupe on the names—assuming it now has a full list, which is far from certain—it could have given a more precise number of victims. Oh well. Such is life in the breached retail world.

Back to the revenue hit. Here's what Target said, under the section called Update on Fourth Quarter Outlook: "Stronger-than-expected fourth quarter sales prior to the Company's December 19, 2013, announcement of a payment card data breach" coupled with "meaningfully weaker-than-expected sales since the announcement, which have shown improvement in the last several days." In other words, Target holiday sales were doing well—"stronger than expected"—when the announcement hit and everything plunged. In finance talk, "meaningfully weaker-than-expected" when following "stronger than expected" pretty much means a deep and painful plunge.

The logical question is not so much "Why did Target suffer a sales hit when the breach was announced?" as "Why didn't any of the other breached chains suffer revenue hits when they announced?" Good question.

First of all, the main reason why it's so surprising that breached chains never suffered sales losses until now—if indeed that is what has now happened—is that security vendors constantly list "loss of revenue" as one of the many costs of weak security, ignoring the fact that that is simply not what has happened to any major chain. Customers have sometimes abandoned extremely small breached retailers, with one or two locations, because that dry cleaner or car wash has no advertising budget to paint a happy smile. Also, with a very small chain, it's easier to blame the people in the store for the breach, rather than some nameless people back at corporate headquarters.

The reason most chains have not felt any customer abandonments after breaches is a domino effect of zero liability. If the stories detailed the financial disasters being felt by other consumers, those shoppers would run into the arms of any retail rival. The unintended consequence of zero liability is that it protects consumers from the pain of a breach, which in turn makes it more difficult to justify spending a huge amount on security.

Some of the explanation may simply be in the financial timing. When looking at a 3-month reporting period, any minimal impacts of a breach will quickly fade along with shoppers' minimal memories. Target's problem is that they made this announcement on Dec. 19. As every retailer knows, the revenue from a Dec. 20 is worth many times more than the revenue from, let's say, March 18. The idea of holding off such announcements until January is a financially valid strategy. Even Target said that, after those disastrous initial holiday weeks, purchases "have shown improvement in the last several days." It's simply next-to-impossible for some good January days to overcome bad "last few days before Christmas" days.

Media attention is also a factor. The earlier breaches received much less Page One (homepage) treatment than did Target. Target was done in with the worst possible combo: Bad news on a slow news day.