Two months into the Target security breach, fraud is turning up on 10 percent to 15 percent of the stolen card accounts, a security specialist says.
Based on that brisk level of criminal activity, one Wall Street analyst estimates that perhaps 5 million of the 40 million stolen credit and debit cards might have been used fraudulently — an exposure that could hit Target Corp. with industry fines topping $1 billion.
Daniel Binder, an analyst at Jeffries, this week tried to make a rough estimate of Target’s liability from its holiday data breach, which lasted from Nov. 27 to Dec. 15.
“Our conclusion is the costs to Target could be significant and higher than we first thought,” Binder wrote.
He’s not the first to estimate those costs. Earlier estimates have varied wildly, with some security firms predicting immense costs to Target but much of Wall Street expecting quite limited exposure.
As for Target itself, “We are not speculating or estimating on the potential financial impact of the breach at this time,” spokeswoman Molly Snyder said Thursday.
Binder’s numbers relied on Julie Conroy, research director for Aite Group’s retail banking practice, who has privately talked with major card issuers. One issuer told her that among the Target-breach cards, “10 to 15 percent are actually manifesting fraud,” Conroy said Tuesday during a forum on card security.
Based on that level of fraud, Binder did some rough calculations.
“We could ultimately see 4.8 (million) to 7.2 million cards with fraudulent activity, and this is out of the 40 million cards that were captured in the data breach,” Binder wrote in a research note to clients Wednesday.
“All 40 million accounts won’t have fraud on them,” Conroy said at the forum. “They’ll be put in higher risk/watch categories, and the banks will be able to shut down the fraud before it happens. The amount of fraud that occurs, it’s difficult to put a number that applies to the entire industry.”
One wrinkle in the Target breach is that Target’s own Redcards don’t seem to be getting hit with fraudulent charges at all.
“I can confirm that we continue to see no fraud on our proprietary (credit) and debit cards as a result of this breach,” Target spokeswoman Snyder said in an email. She added that Target Visa cards “have seen very low levels of additional fraud … but beyond that, I can’t speak to what other banks are seeing or why.”
Based on a rough estimate of $300 in fraud losses per card, Binder calculates, “This would amount to roughly $1.4 (billion) to $2.2 billion in fraudulent charges.”
Banks, not retailers, are on the hook for most of that loss, Conroy noted. But the banking industry will demand payment from Target to recover some of that loss. Binder figures that Target will pay 30 percent to 50 percent of any fraud losses, which “would put the potential cost to Target at $400 million to $1.1 billion.”
Nor are those Target’s only costs. Dozens of lawsuits already have been filed, including some from smaller banks that want fuller recovery. Many seek class-action status.
Binder also notes, “This estimate does not incorporate lost sales and customer goodwill from the incident.”
After running the numbers, Binder lowered his earnings estimates for Target, and voiced skepticism about whether Target will follow its plans to repurchase $4 billion of its stock this year.
On Wall Street, Target shares hit a 20-month low. In Thursday trading, shares fell 22 cents, or 0.4 percent, to close at $56.67.
