Will Target Incident Stoke Data Breach Fears?

While consumers weren’t so freaked out over past data breaches at TJX Cos., Genesco Inc. or even Schnuck Markets, Target may be another story.

The theft of data from up to 40 million credit and debit cards used at Target’s stores that began over Thanksgiving weekend became the lead story on most news broadcasts on Thursday. The grim reports urged consumers to check their credit cards for suspicious charges, call toll free numbers with concerns, and take down numerous tips to avoid identity theft.

For the security world, the surprise was the speed of the hacking. The infraction was carried out over 19 days, from the day before Thanksgiving to this past Sunday. The largest breach against a U.S retailer previously occurred at TJX Co., the parent of T.J. Maxx and Marshalls. Uncovered in 2007, TJX exposed some 45 million-card users to fraud but the theft took over 18 months. Security measures have been greatly enhanced since that time.

For Target, a small to extremely large bill is coming. It’s still unknown how many customers were affected but TJX wound up paying $250 million in remediation expenses, settlements of bank claims, credit monitoring services for victims, legal fees and fines.

For all retailers as well as Target, it’s unknown whether shoppers will become more hesitant to use credit and debit cards and derail what’s left of the holiday season. A brief pullback could crush the final weeks before Christmas, and several reports heard shoppers vowing to use only cash this holiday.

Consumers apparently aren’t liable but face the minor to major chore of cleaning up their credit accounts.

"Thank you Target for nearly costing me and my wife our identities, we will never shop or purchase anything in your store again," said one posting on Target’s Facebook page.

"Shop at Target, become a target," remarked another. "Gee, thanks."

Target’s REDcard private label debit and credit card, which provides a 5 percent discount on every purchase, has been a major loyalty driver and is tied to many programs. But the bigger issue for Target is its name being directly tied to the breach.

"All consumers will hear is that Target is not a safe place to use your credit card," said Carol Spieckerman, president of newmarketbuilders. "That impacts trust, which in turn can impact retail’s fastest-growing and most trust-sensitive touch points: online and mobile."

Mark Bower, director of information protection solutions at Voltage Security, told RetailWire that with increasing adoption of point-to-point encryption, page encryption, and tokenization technologies to remove the cardholder data from retail and e-commerce systems, these kinds of data breaches will decline. But he said any data breach creates nervousness and can impact consumer confidence in retailers.

"Some may resort to cash or check, but with the continued growth in e-commerce, especially at this time of year, consumers don’t have many choices," said Mr. Bower.

BrainTrust

Discussion Questions

How do you expect the Target breach to impact the retailer’s sales during the holiday season? Will consumer fears spill over to their activity at other retailers? What will determine the longer-term impact?

Poll

21 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Peter Fader
Peter Fader
10 years ago

From a consumer standpoint, it’s a total non-issue. Sure there will be a short-term PR dust-up, but then it’s back to business as usual. For better or worse, consumers are coming to accept these data breaches as part of today’s business landscape.

Paula Rosenblum
Paula Rosenblum
10 years ago

Hi. I just don’t see it. The media is really good at finding dissatisfied people, but I think we could find a quorum to defend any position we wanted to take.

To me, the answer is in the numbers. And the numbers for TJX after the breach were sales up, profits up and stock price up. And I believe (although I could be wrong, but that’s what Google told me) that TJX appealed and they settled with Visa later for “up to” $49 million.

David Biernbaum
David Biernbaum
10 years ago

Consumers “react” to specific incidents, so in my opinion, many consumers will stay away from Target until the company is able to issue a very reassuring statement about why consumers should not worry. However, I doubt very much that consumers will be afraid to use their credit cards in any other stores over this incident. No doubt though that retailers and other types of businesses need to get a firm grip on technology so that these incidents do not happen.

Dick Seesel
Dick Seesel
10 years ago

It’s hard to measure the impact of the security breach on Target’s sales until the company announces its 4th quarter results. Under the circumstances, the company would be smart to be transparent about the impact sooner (at the end of fiscal December) rather than later, since the story broke about a week before Christmas.

Somebody with good access to research data ought to be able to track the impact of these breaches on past consumer behavior. For example, did the TJX security breach several years ago have an impact on their sales? (Obviously not recently.) Or did the identity theft happen over such a long time period that it flew under customers’ radar screens? The Target situation is different in terms of its speed and the “lead story” news coverage it has received in the last two days.

Max Goldberg
Max Goldberg
10 years ago

While this will prompt hand wringing and cause consumers to take valuable time to check the status of their credit accounts, I doubt this will have a significant impact on Target.

That said, I don’t think Target handled this well and missed an opportunity to rebuild trust. There were expressions of remorse, but little has been done to assure consumers that Target can be trusted and that this will not happen again. Target scrupulously avoided giving advice to consumers on how to deal with the issue, other than to contact the credit bureaus.

For the people affected by the security breech, it will not be a very happy holiday. Target should be doing all it can to help them through the tedious process of restoring their identities.

Liz Crawford
Liz Crawford
10 years ago

I don’t think that consumers will change their behavior significantly for this holiday season, although it may negatively impact Target specifically.

In the new year, there may be a segment of consumers who decide to switch to cash for purchasing in bricks & mortar, to avoid breaches and tracking. However, this is likely to be a small-ish segment, like people who have decided not to be on Facebook. It’s a pain in neck, and it limits access somewhat, but may be worth it.

Marge Laney
Marge Laney
10 years ago

Will the breach affect the rest of the holiday for retailers? Target, maybe a little – the rest probably not. Have you tried to get a significant amount of cash from an ATM lately, or even get cash from a credit card line? It’s not easy or cheap, so most people will continue to purchase with credit or debit.

The big impact will be on the nerves of the retail IT departments. They’re already a jumpy group, and with good reason. They spend most of their days attempting to keep transaction data safe and secure, while maneuvering the ever growing appetite for mobile apps and big data insights that require third party vendors to have access to networks. Data breaches like this one cause any forward progress to take at least two steps back.

Ed Rosenbaum
Ed Rosenbaum
10 years ago

Target might see a dip in projected sales until there is a reliable response to this breach. It is certainly going to affect the holiday sales.

Warren Thayer
Warren Thayer
10 years ago

Peter Fader and Paula Rosenblum have it exactly right. ‘nuf said.

Tony Orlando
Tony Orlando
10 years ago

If Target was giving away 50″ TVs at $59.99, a whole lot of consumers will bring their credit cards in, fighting over them. We have short memories when it comes to killer deals, so if was Target, I’d bring in some door busters to smooth things over. Don’t you just love the holidays?
Merry Christmas, and Happy Holidays to everyone.

Jason Goldberg
Jason Goldberg
10 years ago

This latest breach (and the media echo chamber that followed it) are a very big deal. What I think some of my colleagues are missing is that TRUST was already one of the biggest impediments to purchase decisions (especially online).

When we survey users about their impressions of major e-commerce sites, and ask the specific question “Would you trust this website with your credit card?” responses hover at around 50%! But don’t trust the surveys…by my calculations shoppers will spend $200M with walmart.com this year, by driving to a store and paying for online purchases with a credit card (because they trust the clerk more than the website)! Never mind that the store is probably less safe than the website…. Shoppers have a major trust issue, and it’s getting worse.

Not only do we have the major breach stories (TJX, Target, Barnes & Noble, Heartland, Global, etc.), but we have major user account breaches (Sony, Adobe, Gawker). Go here to see if your e-mail is in the 150M compromised accounts in their database.

Shoppers don’t hear online/offline, retailer/payment provider, credit card/account. They just hear that their identity is not safe, which compounds an already bad problem.

In a season in which all the sales growth is coming from digital, any news that erodes consumer confidence in using their digital identity is going to hurt.

Nikki Baird
Nikki Baird
10 years ago

So personally, I’m definitely impacted. But as a consumer, I have yet to find out the answers to my most important questions. So far, I haven’t been particularly angry at Target, but the continued lack of information may sour me.

I have a REDcard. It’s tied to my debit card. So does that mean my whole debit card plus checking account have been compromised, or just the REDcard number and PIN, which means it’s only vulnerable to use at a Target store or online? If I change my REDcard PIN, or ask to have a new account number issued, does that protect my checking account, or do I need to worry about that too?

As an industry observer, I have no doubt that it will take Target at least a couple of weeks to get their feet under them in terms of response. From what I’ve seen, they’re very protective of their brand, and they don’t like it at all when customers have complaints – they’re serious about customer service, I have no doubt about that, but they prefer it to be private, individual customer service. It’s going to take awhile for it to seep in that this breech is not going to be handled with that kind of approach.

In the end, though, I think Paula’s right. This incident is annoying now, but my sense is that consumers are waking up to the fact that this is the last weekend before Christmas, and security breeches will already be the last thing on their minds – as it will most definitely be the last thing on their minds a year from now.

Bryan Pearson
Bryan Pearson
10 years ago

The breach isn’t likely to effect holiday shopping now, but it does highlight the value of consumer information. Shoppers know that their data is important to merchants, so the onus is on retailers to deliver something of appreciative value in return. A 2013 survey by LoyaltyOne shows that only 49 percent of U.S. consumers feel companies use their personal information to better serve them. Yet 63 percent of those surveyed said they would share more information if it meant they would receive relevant offers.

The information exchange is in many ways a partnership, built on trust. The long-term impact depends on merchants being transparent, immediate and clear in terms of how they use the data.

Al McClain
Al McClain
10 years ago

I don’t know about the financial impact, but this is a major PR disaster at a crucial time of the year. Customers are hopping mad on the Target Facebook page, and Target is only issuing canned responses. In one case, I read a thread with dozens and dozens of comments from shoppers arguing with each other about what happened, and all of them dissing Target. If social media is the big deal we say it is, Target is going to take a big hit in that department.

Lee Kent
Lee Kent
10 years ago

As long as consumers know someone has their back, they will be back shopping at Target and everywhere else. The bigger issue here is finding a way to protect credit card information or perhaps it is another payment method that can’t easily be stolen and used.

I know that EMV chips are coming but not so sure this is the answer either. Methinks it’s time to take a serious look at PayPal! Hmmm….

Shep Hyken
Shep Hyken
10 years ago

It is a shame that there is negative publicity around this incident that would have consumers concerned about doing business with a particular retailer. This time it was Target. Next time it can be another big-name retailer. This could have happened to anyone. And unfortunately, no matter what preventative measures retailers take, the criminals will find a way around them. That said, retailers need to stay up with the latest in prevention.

Bill Davis
Bill Davis
10 years ago

I would bet Target’s sales will be lower once this was announced. The biggest concern here is that this breach happened in store where brick & mortar retailers have far more familiarity with the PoS infrastructure so what happens in their online efforts where they have much less experience?

For me, this just widens the moat that eTailers like Amazon, eBay and others have on traditional retailers online.

Carol Spieckerman
Carol Spieckerman
10 years ago

I completely agree with Al. A scroll through Facebook and/or Twitter will validate the virality of the news and shopper concern. The good news is that it probably won’t have long-term impact on Target. The bad news is all about timing.

Craig Sundstrom
Craig Sundstrom
10 years ago

One dilemma for Target: the more they try to argue “it’s not just us, it could happen to anybody” – whatever the merits of that argument may be, I don’t really know – the more they will spread a general unease about data security everywhere else (and won’t other retailers love that?). All the while, the more they try to contain such fears, the more culpable they will appear.

Li McClelland
Li McClelland
10 years ago

The story here and on TV has focused on the number and types of accounts that may have been breached at Target. What nobody really knows yet is how that stolen information is being used and monetized by the hackers as we speak – or how many actual humans may be affected when the dust settles.

By all accounts this breach was an ambitious and unprecedented undertaking. The perpetrators clearly had a plan and executed it well and boldly. It is too soon for Target’s customers to have felt all the possible criminal impact to their accounts and lives. How many houses will be bought in their names? How many loans taken out? How many false IRS return claims made? How many fake social security cards? Sorry, but I think some of the hopeful people here who say it is no big deal and that it will blow over soon and be of little consequence to Target’s business may be being overly optimistic on this one.

Gordon Arnold
Gordon Arnold
10 years ago

The number of accounts compromised in such a short period of time makes this security breach a lot more than just a software glitch. Those responsible for the loss should be brought before a company governing body for immediate employment reconsideration. To suggest or imply that misplaced responsibility can or will be possible anywhere at any time is a gross overstatement of the possibility which by itself clearly demonstrates an immense lack of systems security knowledge and systems management capability. It is perhaps more likely to be found and logged as an ID-10-T system management error within the company’s Information Technology department(s).

Sales will be slower for some time to come as more and more individuals repeat their corrupted credit experience to family and friends over and over.