Target Data Breach: Accounting for Contingent Liabilities

4 Pages Posted: 20 Oct 2017

See all articles by Justin Hopkins

Justin Hopkins

University of Virginia - Darden School of Business


This is a flexible case that provides for discussion about the form and content of 10-K reports, managerial discussion and analysis, non-GAAP reporting, and accounting for contingent liabilities. What is unique is that Target included lengthy disclosures about the data breach, but many questions remain because the breach occurred shortly before year end. Further, the instructor can compare the contingent liability of $17 million reported in the 2013 10-K to the $201 million costs incurred by Target related to the breach as of the 2015 year end.



Oct. 6, 2017

Target Data Breach: Accounting for Contingent Liabilities

It was December 19, 2013, and Josiah Thrasher had just hung up the phone. His grandmother was very worried about the news disclosed that day that millions of credit cards were stolen from Target Corporation (Target) because she loved shopping at Target and was not sure what the news meant for her. Was she at risk of fraud? Thrasher was not sure what it meant for himself, either, as Target was a publicly traded company (NYSE: TGT) in his portfolio of investments. Thrasher figured it was worth the time to get to the bottom of the story.

He read the press release Target issued, which indicated that 40 million credit and debit cards belonging to customers who had shopped at Target stores from November 27 through December 15, 2013 had been compromised. The next day, Target issued two press releases. The first reassured customers that they would not be responsible for any fraudulent charges to their cards, and the second was a more personal message from the CEO, Gregg Steinhafel, which confirmed Target's commitment to its customers and offered a 10% discount for all shoppers on December 21 and 22. “That seems generous,” Thrasher thought, but he wondered who would shop at a store that had just been hacked. The next several days were busy for Target's public relations group, and it continued to issue security updates throughout December.

What bad luck to be on the receiving end of the largest hack of a retailer in history, right in the middle of the busiest shopping season of the year! Luckily for Thrasher, though, Target's stock had barely budged (Exhibit 1). While the Internet was full of discussion about the breach, very little of it related to the costs Target was likely to incur. Target had just filed Q3 results on November 27, 2013, and would not file year-end results until March because, as a retailer, it had a fiscal year that ended on an unusual date. The current fiscal year would end on February1. Thrasher would have to wait until then to figure out the extent of the financial damage caused by the data breach.

. . .

Keywords: Target, 10-K, data breaches, MD&A

Suggested Citation

Hopkins, Justin, Target Data Breach: Accounting for Contingent Liabilities. Darden Case No. UVA-C-2390, Available at SSRN: or

Justin Hopkins (Contact Author)

University of Virginia - Darden School of Business ( email )

P.O. Box 6550
Charlottesville, VA 22906-6550
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics