Anyone know what penalties and liability Target will face over this?
My impression is that companies don't pay a very heavy price for failing to secure their customers' data, whether credit cards or passwords.
There have been many incidents where millions of peoples' credit cards and account/passwords have been stolen, frequently due to poor security practices by companies who had those peoples' information in their databases. I don't recall many reports of the companies paying heavy fines or their management suffering serious consequences.
Target's card theft isn't expected to hurt the company much. It is not quite, but almost, business as usual.
Here is an article describing a similar theft of 100 million credit card numbers from TJ Maxx. The company eventually spent $250MM on lawsuits, fines, and improvements to its technology. Some of that probably needed to be spent anyway (IT investment), and anyway it is a small sum vs TJX's $20 billion/year in sales. The company's stock didn't get hurt, investors didn't care at all, none of the C-level executives suffered any consequences.
Target's Credit Card Breach Is Bad, But Won't Hurt Business Much
40 million account passwords were lost at Adobe, 6 million at LinkedIn, there are dozens more like this, and a new one every month or three.
Do the companies that obtain and store our personal information have enough incentive to harden their security?