Tag Archives: Target

Target Board Dodges One Bullet

The Target Board can breathe a little easier today – although they are not out of the woods yet – in that the shareholders who filed a series of derivative actions have agreed that the cases can be dismissed as long as they can come back for legal fees.

The lawsuits claim that Target’s directors and officers breached their fiduciary duties and committed gross mismanagement, waste of corporate assets and abuse of control.

After the breach, Target formed a Special Litigation Committee (SLC) to investigate shareholder claims.  I assume the objective of the shareholders is to obtain a verdict in their favor and use the $60+ million in D&O insurance to help make the company more whole.

The committee worked for 21 months, interviewed 70 witnesses and looked over thousands of documents.  In the end, they produced a nearly 100 page report and recommended against suing their own directors.

The case reinforces the challenge of holding directors liable for breaches, but the fact that we are continuing to see derivative suits and that companies have to spend millions defending them should cause companies to pause.  Target used up all of their cyber insurance long ago.  The defense of this case may be covered by their D&O policy or possibly by the general liability policy.

From a financial perspective, this is a bit of a disaster.  According to JD Supra, Target had a $100 million cyber policy with a $10 million deductible and a $50 million sub-limit for settlements with the payment card networks.  So far, Target has settled with Visa for $67 million, with Mastercard for $19 million and has spent $291 million on breach related expenses.  Target has not said exactly which pocket or pockets they plan to pay which expenses out of.

While Target has settled many of the more than 100 lawsuits, there are many left, including shareholder class actions, separate lawsuits filed in Canada, investigations by various State Attorneys General and a look-see by the U.S. Federal Trade Commission.

Some industry sources say that the total losses – including lost profits – will reach $1 billion.

One should assume that, like with Anthem, when Target’s D&O and cyber policies come up for renewal, the current carriers will either decline to renew them or jack up the premiums.  Anthem had to accept a $25 million deductible to get cyber insurance after their breach and then put together a consortium in order to get the coverage that they wanted.

Target joins Wyndham in beating shareholder derivative claims.  There are still outstanding shareholder lawsuits against Home Depot.


Information for this post came from JD Supra and another JD Supra article.

Why The First Call After A Breach Should Be To Cyber Counsel

If you are responsible for your cyber incident response team and you discover that you may have been breached – like the Trump Hotels this week – who should you call, and how should you contact them?

I will answer the "how" part first because it is easier.

Walking down the hall is best.  Failing that, the phone is OK as long as it is not connected to your company network (as a VoIP phone would be).  What you don't want to do is use company email or messaging systems.

There are two reasons for this.  The first is that you do not know if those systems have been compromised and whether, as a result of using them, you are telling the attacker that you are on to him and how much you know.

You are also leaving bread crumbs that can be discovered as part of the legal process after the breach and used against you.

So now that the "how" part is handled, let's move on to the "who" part.

The answer is not your boss or the CEO.  That will just ruin their day and if you tell them 5 minutes later, it won’t make any difference.

That first call should be to your outside cyber incident response law firm.  The one you should have on retainer.  The one that you have already brought up to speed on your business and processes.  The last thing you want to do at this point is be dealing with contracts and explaining to them what you do.

The firm also has to be experienced in cyber incident response – otherwise, they might make mistakes.

The one thing that Target did right during their breach – and it was not to decide to wait until after Christmas to remove the malware – was to contact their cyber incident response outside attorney.

That firm directed the response in order to provide the company legal advice and prepare for lawsuits.  That cover allowed them to protect what they did under attorney-client privilege.  It turns out that the fact that they were outside counsel instead of corporate legal makes a difference in the story.  After all, you were preparing for litigation – you don't pay outside law firms hundreds of dollars an hour unless you are expecting something bad to happen – more cover.

And it worked.  When the banks who were suing Target attempted to get Target to produce documents during discovery, Target’s law firm said that those documents belonged to the law firm (since the law firm engaged all the consultants and experts, not Target) and were protected by privilege.

Except for a few business emails between the CEO and the Board which were considered business records and not protectable, the judge struck down requests for every other document.

So in your incident response plan should be, at the top, a note to self:  CALL ATTORNEY FIRST.  Then call your boss.

If you have questions, remember that I am not a lawyer and do not play one on the Internet – contact that cyber incident response attorney that you already have a relationship with.


Information for this post came from the National Law Review.

Target Settles Yet Another Breach Claim

Target has agreed to pay $39+ million to banks and credit unions who had to reissue cards as a result of the breach of 40 million cards in late 2013.  This still has to be approved by the judge in the case.  An earlier settlement for a lower amount was dismissed by the judge as too low.  Target also agreed to pay plaintiffs' legal fees of not more than $20 million.  The banks have said that they spent more than $200 million for losses and reissuing cards.

Target has already agreed to pay Visa $67 million and shoppers another $10 million.

There are still several class action lawsuits not settled including shareholder lawsuits, an FTC investigation and probes by state Attorneys General.

Last week Target said that it has spent $290 million on costs related to the breach.  It is not clear if this new $39+ million plus $20 million in legal fees is included in that number.  The $290 million is offset by $90 million in insurance payments, meaning that the breach only cost them $200 million out of pocket.  They get to count that as a loss against income, so assuming they have a 33% tax burden (just a guess),  that brings the total down to a piddly $135 million.  Plus, possibly, yesterday’s announcement and whatever it costs them to settle the remaining lawsuits plus lost business plus the distraction for executives over the last two years – so far.

Occasionally I hear people say that they are not worried about a breach because they have cyber liability insurance.  While the SCALE of the costs is likely different for other companies, the ratio is likely the same.  For Target, SO FAR, insurance will likely cover less than ONE HALF of their net costs, and likely significantly less depending on how much the remaining lawsuits cost them.

While Target's stock price is actually up from pre-breach values, their balance sheet has not recovered.

Their sales are basically flat over 2013 and 2014 at around $73 billion, but their net income is off a little bit.  Their operating profit was down between 2013 and 2015 by over a billion dollars and their net income for the year ending Jan 31, 2015 was negative $1.6 billion vs. a positive $2.99 billion for the year ending Feb 2, 2013.

And of course, this is far from over.

Information for this post came from Yahoo Finance and Reuters.

The Target Breach Story – How Did They Let This Out?

Krebs On Security has extensive reporting of an investigation by Verizon conducted starting a few days after the Target breach was announced.

Target has refused to confirm or deny the report.

One thing to consider.  We do not know how Brian (Krebs) got the report, so all we can do is speculate.

This report, in my opinion, is a wonderful tool for the banks and consumers who are suing Target.  It shows all the things that Target was not doing or was doing wrong.  This report makes it so much easier to show Target was not treating cyber security consistent with even reasonable industry practices, never mind best industry practices.

What Target should have done is have their outside counsel manage the engagement of Verizon so that this report could have been shielded by attorney-client privilege.

It is certainly possible that they did that, but then, how did the report get out to a reporter?  Part of engaging the attorneys to manage this is to control the distribution of the final work product.

Any way you look at it, in my opinion, letting this report out of their control is yet another FAIL! by Target.

While Target spokesperson Molly Snyder said that Target believes that sharing information will make everyone stronger – thereby basically validating that the report is real – it doesn’t make sense to release this kind of detail while there are so many lawsuits pending.

You can go to Brian’s web site (see link below) for the long gory details, but here is the short version:

  • Once the Verizon hacking team was inside Target's core network, there was nothing stopping them from communicating directly with the cash registers – violating every principle of segmentation known to IT.  They should never have been able to do that.
  • Target had guessable passwords on Microsoft SQL servers and weak passwords for system accounts.
  • Target had a password policy, but it was not being followed. Verizon found clear text password files for system accounts on several servers.
  • Verizon was able to create domain administrator accounts and dump all of the password hashes.
  • Within one week, the consultants were able to crack 472,000 (86%) of the passwords.
  • Patches to systems and services were not applied consistently.
  • Verizon said that Target, who was using Tenable’s vulnerability scanning system, had a comprehensive scanning program in place but was not acting on the vulnerabilities discovered.

There is more in the report, but you get the idea.

If you are a security person, the report is a fascinating indictment of Target and a roadmap of what not to do.

If you are a CEO, the leak of a report like this falls into the worst nightmare category.

Information for this post came from KrebsOnSecurity.

The Downside Of Being Breached

Target announced that they were breached in December of 2013 – about 22 months ago.

This week a federal judge certified a class action against Target by a number of banks.  Target says they are “disappointed” by the decision.

This comes a month after Target agreed to pay Visa up to $67 million to settle some of the banks claims, but banks could opt out of the agreement if they wanted to.  Many did opt out.

A proposed agreement with Mastercard fell through several months ago.

None of this has anything to do with the consumer class actions still pending.

This means that unless Target comes to some agreement with the banks, this class action will go to trial.  Likely in a couple of years from now.  After discovery.  Which may reveal the possibly sad state of cyber security in the company at the time.

You may remember that Target was alerted about the malware in their system by FireEye but decided to wait until after Christmas for fear of breaking something.

Regardless of whether insurance covers all these costs (and in Target’s case, they maxed out their insurance coverage long ago, so these costs are coming out of their pockets), this is a huge distraction that has already gone on for almost two years and shows no sign of ending anytime soon.

THIS IS THE DOWNSIDE OF BEING BREACHED!  And why many companies with less resources than Target go out of business after being breached.

Banks Vote Down Target-Mastercard Settlement

Mastercard and Target concocted an agreement where Target would pay a fine of $19 million to settle all of the banks' claims against Target as a result of the 2013-14 breach.  This would be separate from an agreement with Visa.  Mastercard was not able to get enough banks to agree to it, so the lawsuits will continue against Target, who no doubt was hoping to put at least one lawsuit behind them.

As I wrote about before (see post), the deal was that in exchange for $19 million, the banks would drop their lawsuits against Target and Mastercard would dole out the money based on how many cards each bank had to reissue.  The banks had complained that this was not enough to cover their costs and had petitioned the judge to kill the deal (see post).  The judge said that he agreed, but was powerless to do anything about it.

The way the deal was constructed, if banks representing 90 percent of the cards that had to be reissued agreed to the deal, the deal was done.  If that happened, the banks that objected could have pulled out of the deal, not shared in the $19 million and sued Target on their own.

Visa, which is separately trying to work a deal with Target, read the handwriting on the wall and agreed to up the per card payment to banks, with small banks now getting almost three times as much as they were getting (see post).

Well, today, Reuters is reporting that the deal fell apart and that the 90% requirement was not met (see article).  What this means is the banks which are party to this suit, who claim that they lost $160 million, evenly split between card reissue costs and fraud, will continue their lawsuit.  For Target, this means that either this will go to trial or they will need to come up with more bucks to sweeten the pot.

Stay tuned.