Target’s new year is off to a rocky start.
The retailing giant said Wednesday that a December data breach that enabled the theft of millions of customers’ payment information had helped drag its fourth-quarter profit down 46 percent, to $520 million. The massive cyberattack has already cost the retailer $17 million. The final tally will be bigger, Target said, though it’s unclear by how much.
The results didn’t surprise analysts but signal the onset of a rough year for one of the nation’s biggest retailers at a time when the industry is already grappling with a tough economic environment. Extreme winter weather, weak holiday sales, a sluggish labor market and low consumer confidence have hit many retailers’ profits.
Target had the added burden of dealing with the breach in the midst of the critical holiday season. Sales nose-dived once news of the attack broke a week before Christmas.
Target tried to pacify customers and salvage its sales by offering an extra 10 percent discount. This, however, was not enough, and the company reported that its sales fell 6.6 percent for the fourth quarter and 34 percent for the year.
While the quarterly decline looks like a blip next to the big-box retailer’s $73 billion in annual sales, analysts say Target has a long way to go before it can move beyond this incident.
Even after the immediate fallout from a data breach subsides, companies face costs that eat into their earnings for years, according to industry observers. When the scale of the attack is as large as the one that hit Target — up to 110 million customers’ records were stolen — the price tag is higher.
More important, analysts said, will be rebuilding shoppers’ faith.
On a recent snowy afternoon in the Target at Prince George’s Plaza in Hyattsville, Mayelin and Jatnna Jimenez said they’d changed the way they shopped. Mayelin said she hadn’t bought anything at the store since the holidays, while her sister said she used cash to pay for her purchase that afternoon.
Both had been issued new credit cards after their information was swept up by hackers in the breach, they said.
“We love Target, but we are disappointed,” Mayelin Jimenez said.
Freda Miller was more optimistic. Miller said she was also affected by the data breach and is concerned about the security of Target’s payment systems. Nevertheless, she continued using her debit card to shop at the store, she said. “I trust Target will stand by its customers,” she said.
The recent cyberattacks against Target, Neiman Marcus and other retailers have triggered debates in Washington about data security practices, the country’s outdated payment technology and breach-notification laws.
For Target, the incident has also unleashed a litany of costs that include legal fees, software updates, customer reimbursement and damage control. The figure is difficult to pinpoint, security experts say, but it won’t be small.
So far, the company has spent $61 million to cover costs associated with the breach, including the cost of providing credit monitoring services to its customers. Target said it expects $44 million of that to be covered by insurance.
The retailer said it couldn’t provide an estimate of how much the breach would ultimately cost because of an ongoing government investigation.
“Regardless of the ultimate dollar amounts, we have the financial strength to move beyond these near-term impacts,” John Mulligan, Target’s chief financial officer, said in a call with investors Wednesday.
If the government’s probe finds Target at fault for not complying with industry-specific security standards, the company faces fines in the range of $400 million to $1.1 billion, according to an estimate by Jefferies, an equity research company. That figure did not include lost sales or customer goodwill, the firm said.
Banks foot the bill for issuing customers new cards, although Target could end up paying part of that share depending on its agreement with financial institutions, experts say.
“They can’t get out of this for less than $100 million,” said John Kindervag, vice president and principal analyst at Forrester Research.
To understand how much the retailer stands to lose, analysts point to the 2007 attack that hit TJX, the parent company of T.J. Maxx and Marshall’s. Hackers stole the payment data of more than 45 million customers by exploiting an unsecured wireless network.
TJX’s initial estimates put the damage at about $25 million, but once the dust settled, the company ended up paying more than $250 million. That probably means Target’s troubles are just beginning.
“I doubt that we’ll ever really know the full costs,” said Kindervag.