During the holiday shopping season last year, about 40 million consumers who made purchases at Target stores had their credit and debit card numbers stolen by hackers that invaded the company’s payment card readers; another 70 million Target customers also had their personal contact information – names, addresses and telephones numbers – compromised.
The fallout from the retail giant’s data breach was dramatic: As of February, Target had spent $61 million to pay for legal fees, software updates, customer reimbursement and credit monitoring, and other costs due to the failure in cyber security, the Washington Post reported. The company has also been hit with more than 140 lawsuits, according to the St. Paul Pioneer Press, and its CEO Gregg Steinhafel resigned – over both the security failure and the company’s less-than-successful expansion into Canada.
But even more importantly, last year’s data breach eroded customer trust, which was demonstrated in Target’s sales numbers after the breach: The company’s profit dropped almost 50 percent in last year’s fourth fiscal quarter and fell by more than a third for all of 2013, the Washington Post reported.
Indeed, a recent study confirms the lessons learned from Target’s cyber attacks: Customers lose confidence in a company after a security breach and change their spending habits accordingly. Carried out by consumer experience marketing firm Interactions, “Retail’s Reality: Shopping Behavior After Security Breaches” reported that 12 percent of a retailer’s local customers said they stopped shopping at that retailer after a breach; about 36 percent said they will shop at the retailer less frequently. Interactions conducted the study in May – after the infamous Target breach – and surveyed the same sampling as the 2010 U.S. Census, the company told Triple Pundit.
Of consumers who said they would continue to shop at a retailer after a security breach, 79 percent said they would be more likely to use cash instead of credit cards – which means they’ll spend less money overall, according to the report. Furthermore, 26 percent of shoppers who return to the retailer will knowingly spend less money than what they would have prior to the breach.
Shoppers who have had their personal information stolen during a retail security failure are also likely to spread the word about their negative experience, the survey found. About 85 percent of retail-breach victims said they tell others about the incident, 34 percent complain on social media and 20 percent comment directly on the retailer’s website.
Showing just how widespread the problem is, “Retail’s Reality” discovered that 44 percent of all consumers surveyed have had personal information stolen through a data breach, while 60 percent of consumers aged 18 to 24 years reported that they are cyber crime victims. Millennials are more susceptible to security breaches than Baby Boomers because they are more likely to share their information online, use retail loyalty cards and maintain multiple accounts, said Giovanni DeMeo, vice president of global marketing and analytics at Interactions.
While Target may be the most publicized case of a data breach in our recent collective memory, cyber criminals have also stolen customer information from Adobe Systems, Sony, Living Social and TJX, the parent company of T.J. Maxx and Marshalls. And for every high-profile data breach at a large company, there are “dozens of threats to confidential data” held by small businesses, the Los Angeles Times reported.
Likely due to the prevalence of data breaches, “Retail’s Reality” reported that 45 percent of shoppers said they don’t trust retailers to keep their personal information safe.
Retailers may be alarmed by Interactions' survey statistics, but the report clearly revealed an opportunity for companies to regain their customers’ trust after a security breach. While some survey respondents indicated they would only return to a retailer after a certain period of time had lapsed after the data breach (one month, three to six months, or one year), 22 percent of shoppers said they would feel comfortable returning to a retailer at any time – as long as the retailer resolved the security issue and passes on that information to customers. Furthermore, 52 percent of consumers said they would be willing to sign up for a retailer loyalty card if they believe security matters have been corrected, DeMeo said.
The key to restoring customer faith after a data security crisis is clear and quick communication, DeMeo said.
“Tell me as soon as [the security breach] happens so I can prepare,” DeMeo said. “Preparing can be as simple as checking credit reports or bank statements. If you communicate with me and tell me what’s going on, I’m going to trust you more than if I have to find out about it from someone else – the news, a friend or social media. Immediately contact me, and let me know if happened; let me know you’re taking appropriate measures like freezing accounts. That is the feedback we’ve gotten from the survey; that will make shoppers and consumers feel more comfortable and can minimize the huge negative impact lost trust can generate.”
Providing free customer credit monitoring, offering incentives and discounts, and increasing cyber security measures are other ways to rebuild trust, the report found, but without clearly explaining all these actions to the customer, they will not be met with success, DeMeo said.
These additional measures “can start the relationship up again, but if I don’t trust you, I might take advantage of some of the things you’re offering, but only as long as it doesn’t require me to put myself in a compromising position,” DeMeo said. “If you’re offering a huge discount, but I can pay anonymously with cash – and spend less than I would than with an alternative method – than I would take advantage of that discount, but I’m not loyal to you.”
Indeed, a common complaint among customers and industry observers about Target’s handling of its data breach was that it failed to keep affected customers informed of the crisis, despite setting up customer credit monitoring and attempting to lure in customers with huge new sales.
While companies are beginning to recognize the need for an excellent PR campaign after a security failure, businesses can also take steps to prevent data breaches from occurring in the first place. The majority of data breaches are avoidable, according to Kevin Haley, director or Symantec’s security response program. Over 50 percent of data breaches are the result of an accidental data disclosure or the theft or loss of removable media like a laptop, he said; encrypting data easily keeps this information safe.
For more complicated cyber attacks, Haley advises that companies strengthen their security infrastructure with data loss prevention, network security, endpoint security, encryption, and strong authentication and defensive measures. He also advocates for employee education, informing workers of policies and procedures for protecting sensitive data on personal and corporate devices.
“Symantec recommends companies of all sizes re-examine, rethink and possibly re-architect their security posture,” Haley said. “While it’s not difficult to quantify the impact of data breaches, the damage to a company’s reputation and the loss of consumer trust can be much harder to recover.”
Image credit: Target
Passionate about both writing and sustainability, Alexis Petru is freelance journalist and communications consultant based in the San Francisco Bay Area whose work has appeared on Earth911, Huffington Post and Patch.com. Prior to working as a writer, she coordinated environmental programs for various Bay Area cities and counties for seven years. She has a degree in cultural anthropology from UC Berkeley.