The Target data breach, one year later

Shoppers arrive at a Target store in Los Angeles.
Damian Dovarganes / AP 2013

After Thanksgiving last year, Cheryl Brungardt, 60, of suburban Denver went shopping for a TV. She'd spotted a good deal in a Target ad, went to the store and paid for the new flat screen with her debit card.

Just after Christmas Brungardt got a call from her credit union. Someone in Wisconsin tried to book a hotel room using her debit card number. When she checked her statement online, Brungardt found charges that were stranger still.

"Somebody from a prison in Texas and one in Alabama had used my number," she said. "They bought prison phone minutes."

Brungardt got caught up in the now-infamous Target data breach, which the public found out about a year ago. Thieves hacked into the company's cash register terminals and made off with 40 million debit and credit card numbers plus the personal information of 70 million customers. In the past year a string of big breaches has forced corporate CEOs to take security more seriously.

The bum charges on Brungardt's cards were less than $100, and she had little trouble getting her money back. But then her husband's credit cards were compromised in an even larger data breach this year at Home Depot.

Consumer fears about fraudulent charges like those hurt Target's sales after the breach. A main revenue figure fell almost 3 percent in the key holiday quarter.

The Target breach was the first in a series that one cyber security report called "a rampage of attacks on U.S. retailers," and it made data security a top-of-mind issue for many. The PwC Information Security Survey says protecting data is no longer an issue that concerns only IT professionals; the impact has extended to the boardroom.

Gregg Steinhafel, Target CEO, checks out Black Friday sale items after Target opens its doors on Thursday, Nov. 22, 2012 in Bloomington, Minn.
Janet Hostetter / AP

Target has put the total cost of its data breach at around $235 million, with insurance covering about 40 percent of that. Company officials declined to comment for this story, but are rolling out new card readers and payment cards that are more secure.

Target has also hired a new chief information officer and a new chief information security officer. New CEO Brian Cornell told CBS News last month that keeping a tight lid on customer information is a top priority.

"We focus every day — every single day, not just during the holidays, but 52 weeks a year — on data security," he said. "Making sure we've got the right team in place to monitor, detect, contain all the bad guys that we know that are out there."

There's no such thing as perfect security in any data system, says Bruce Schneier, chief technology officer at Co3, a computer security firm. But retailers need to do a better job of dealing with intrusions once they're detected, he says.

"What we see lacking in a lot of companies' security postures is response," Schneier said. "When something bad happens, how do you respond quickly to contain the damage, make sure it's small, and be able to recover quickly without affecting millions of your customers?"

Schneier says corporate secrecy makes it impossible to know the specific steps companies are taking to thwart data theft. He says that makes it difficult to judge how well a system works.

But if CEOs and boards are devoting more attention to data security, consumers appear to be doing the opposite. Home Depot's data breach seemed to be a non-event for customers: a key sales figure rose a solid five percent. In November Target reported a 3.2 percent rise in its third-quarter profit, beating analysts' expectations.

Kari Simonson, a Target customer from Minneapolis, says she was not affected by last year's breach. And while she checks her credit card statements every month for unusual activity, Simonson says it's important to put the risk into perspective.

"It's like identity theft," she said. "You know it's happening. You hope it doesn't happen to you. But at a certain point you feel like if it's going to happen to you there's really not a ton of stuff you can do to prevent it."

As for Cheryl Brungardt, she's now more careful when she reaches for the plastic.

"I think, 'Do I need this before I put it on my card, or can I pay cash for it?' And I check my bank statement every day," she said.