Target's new year is off to a rocky start.
In its first financial release since the December breach that enabled the theft of millions of customers' payment data, Target said profits fell 46 percent and that the breach had already cost the retailer $17 million. The final tally will be bigger, the company said, but it's unclear by how much.
The results don't surprise retail analysts, but they signal the onset of a rough year for one of the nation's biggest retailers while the industry is already facing setbacks. The extreme winter weather, weak holiday sales, sluggish labor market and low consumer confidence have hit most retailers' profits.
Target had the added burden of dealing with the breach in the midst of the critical holiday season. Sales nose-dived once news of the attack broke a week before Christmas. Target tried to pacify customers and salvage its sales by offering customers an extra 10 percent discount. But that wasn't enough, and the company lowered its earnings estimate in a January update to investors, citing the breach announcement.
Target said it couldn't provide an estimate of how much the breach would cost because of an ongoing government investigation.
"Regardless of the ultimate dollar amounts, we have the financial strength to move beyond these near-term impacts," John Mulligan, Target's chief financial officer, said in a call with investors Wednesday.
While the quarterly decline looks like a blip next to the big-box retailer's $73 billion annual sales, analysts say Target has a long way to go before it's out of the woods. Even after the immediate fallout from a data breach subsides, companies face costs that eat into their profits for years, according to industry observers. When the scale of the attack is as large as the Target one - up to 110 million customers' records were stolen - the price tag is higher.
More important, companies have to rebuild shoppers' faith in their brands, which is never an easy task.
On a recent snowy afternoon in the Target at Prince George's Plaza in Hyattsville, Md., it was business as usual. A lunchtime crowd milled around the store, and many customers used cards to pay for purchases. But shoppers weren't immune to the effects of the breach.
Mayelin and Jatnna Jimenez, both victims of the payment card theft, said they had changed the way they shopped at Target. Mayelin said she hadn't bought anything at the store since the holidays, while her sister said she used cash to pay for her purchase that afternoon. Both had been issued new cards by their banks, they said.
"We love Target, but we are disappointed," Mayelin Jimenez said.
Freda Miller was more optimistic. Miller said she was also affected by the data breach and was concerned about the security of payment systems. But she continued using her card to shop at the store, she said.
"I trust Target will stand by its customers," she said.
The hacking attacks on Target, Neiman Marcus and other retailers have triggered debates in Washington about data security practices, the country's outdated payment technology system and breach notification laws.
For Target, they have also unleashed a litany of costs that include legal fees, software updates, customer reimbursement and damage control. An exact figure is tricky to pin down, security experts say, but it won't be small. So far, the company has had to pay out $61 million in relation to the breach, of which it expects $44 million to be covered by insurance.
"They can't get out of this for less than $100 million," said John Kindervag, vice president and principal analyst at Forrester Research.
If an ongoing government investigation finds Target at fault for not complying with industry-specific security standards, the company faces fines in the range of $400 million to $1.1 billion, according to an estimate by Jefferies, an equity research company. That figure did not include lost sales or customer goodwill, the firm said. Banks foot the bill for reissuing customers new cards, but Target could end up paying part of that share depending on its agreement with financial institutions, experts say.
To understand how much the retailer stands to lose, analysts point to the 2007 attack that hit TJX, the parent company of T.J. Maxx and Marshall's. Hackers stole the payment data of more than 45 million customers by exploiting an unsecured wireless network. TJX's initial estimates put the damage at about $25 million, but once the dust settled, the company ended up paying more than $250 million. That probably means Target's troubles are just beginning.
"I doubt that we'll ever really know the full costs," said Kindervag.
Target reported net earnings of $520 million in the fourth quarter, down 46 percent from a year ago. For the full year, revenue was down more than 34 percent, while sales fell 6.6 percent during the fourth quarter. The company's share price was up more than 7 percent in morning trading Wednesday.