Last winter during their peak season, Target suffered a severe retail data breach when over 100 million customers had their card data and personal information stolen. Shoppers were furious and the breach cost the company $148 million, not to mention the negative impact on profits for the next six months. According to this CBS news report, the hack could have been prevented if Target had adequately responded to warnings from its own 1.6 million dollar security system (FireEye).
This and similar incidents with Home Depot and Michaels have collectively brought consumer data security to the forefront of the industry.
According to the California Data Breach Report, there has been a 600% increase in the number of compromised records among California residents due to cyber attacks in the last year alone. Retail breaches constitute 84% of these breaches, even more than breaches that occur in the financial industry. State Attorney General Kamala Harris has commented, “Data breaches pose a serious threat to the privacy, finances and personal security of consumers…The fight against these kind of cyber crimes requires the use of innovative strategies by government and the private sector to protect our state’s consumers and businesses.”
Concerns over cyber attacks have existed for a decade. Major credit card companies including MasterCard, AmEx, Discover, and Visa tried to address these concerns by requiring businesses to follow a checklist of security rules to prove they were safeguarding computer-hosted credit card data. However, this checklist has been insufficient in protecting retailers against cyber attacks.
What have we learned? Compliance is simply not enough. Audits are only conducted on a yearly basis and there is a conflict of interest with security firms that do the testing and then sell solutions to retailers. As attacks increase in frequency and hackers become more savvy, credit card companies have realized it’s time to find a solution. One recent introduction has been credit cards with embedded microchips and PIN codes rather than the traditional magnetic stripe/signature. While this helps prevent the use of counterfeit cards, experts feel the industry should have addressed security earlier “when there was still time to do something.” As a result of the credit card industry’s inaction, retailers now face a serious security problem. Retailers consequently suffer, as shown by a new CreditCards.com survey in which 45% of respondents say they are less likely to shop at stores that have suffered a data breach.
Also important to note is the recent rise in “data breach fatigue.” Although Target suffered, Home Depot did fine as a business after its data breach, raising the question: do consumers care? After the breach of Home Depot’s payment system, sales continued to grow, untouched by the cyber attack on 50+ million customers.
“Data breach fatigue,” a term coined by consumer-security expert Neal O’Farrell, refers to the increasing indifference of shoppers who hear reports of credit card and personal information being stolen. In his words, “the more breaches consumers go through without experiencing any direct/tangible financial consequences, the less likely they are to care or worry about the next breach or the next one after that.”
As this Yahoo Finance video demonstrates, Americans are experiencing cyber breach fatigue and we are only just realizing the tremendous problem at hand. As incidents continue to happen, consumers have seemingly accepted the status quo. In a study on information security, researchers at the Ponemon Institute found that 32% of consumers “ignored the notifications and did nothing when alerted to a possible data breach involving their personal information.” Moreover, “71% of respondents said they did not stop doing business with the company that had been breached.” The Institute also found that in response to being a data breach victim, customers wanted to be told the truth, what happened, and how the business would protect them in the future.
A Washington Post article on data breach fatigue cited several reasons for this phenomenon including the fact that replacement products are hard to find, consumers have started believing data breaches are “unavoidable”, and consumers are never held responsible for fraudulent charges when data theft occurs.
“I think we get upset. I think we get angry. And then we go back to what’s easy, convenient and we’re used to.”
Steven Weisman, author of Identity Theft Alert
Software Advice recently surveyed over 4000 US adults and found that only 2 of the top data breaches in the past year registered greater than 23% awareness. This lack of awareness combined with greater apathy towards these issues means consumers are more and more likely to ignore alerts and less inclined to monitor their credit or take precautions to protect themselves from identity theft.
Taking a step back, how can we push consumers to be more attuned to these major data breaches? Future breaches could be much worse, with full-scale identity theft that can’t be fixed by merely getting a new credit card.
How can we make businesses like Target and Home Depot more accountable and more concerned with potential consequences?
Lastly, where does the burden of responsibility lie? Is it the retailers or credit card companies? Regardless of the answer, we should enact change to get both sides to take the necessary precautions to better protect today’s consumers.
18.5M Californians lose data to hackers. (n.d.). Retrieved November 3, 2014, from http://www.utsandiego.com/news/2014/oct/29/hackers-data-breach-california-target/
Are Americans experiencing cyber breach fatigue? (n.d.). Retrieved November 3, 2014, from http://finance.yahoo.com/video/americans-experiencing-cyber-breach-fatigue-191252714.html
Data-Breach Fatigue: Consumers Pay the Highest Price. (2014, October 16). Retrieved November 3, 2014, from http://www.huffingtonpost.com/creditsesamecom/data-breach-fatigue-consu_b_5990040.html
Did Target ignore data breach warnings? (n.d.). Retrieved November 3, 2014, from http://www.cbsnews.com/news/target-ignored-systems-hacking-warnings-report-says/
Home Depot and JPMorgan are doing fine. Is it a sign we’re numb to data breaches? (n.d.). Retrieved November 3, 2014, from http://www.washingtonpost.com/news/get-there/wp/2014/10/06/home-depot-and-jpmorgan-are-doing-fine-is-it-a-sign-were-numb-to-data-breaches/
Malcolm, H. (2014, October 21). Target leaves breach behind this holiday season. Retrieved November 3, 2014, from http://www.usatoday.com/story/money/business/2014/10/21/target-holiday-plans/17663057/
Poll: Nearly half of cardholders likely to avoid stores hit by data breaches. (n.d.). Retrieved November 3, 2014.
Smith, G. (2014, October 29). Why Credit Card Companies Couldn’t Stop Hacks At Target And Home Depot. Retrieved November 3, 2014, from http://www.huffingtonpost.com/2014/10/29/credit-card-hacks-target_n_6035818.html