How much will POS malware attack cost Eddie Bauer?

It’s pretty much guaranteed that Eddie Bauer’s business will take a hit after the chain admitted that its point of sale (POS) systems were hit by a malware attack that compromised customers’ payment card information. What’s not known is just how big the hit will be.

The retailer has reported that the compromised records were restricted to its stores in Canada and the U.S., while purchases made on eddiebauer.com were not affected. Digital forensic experts brought in by Eddie Bauer have found that transactions made between January 2 and July 17, 2016, may have been affected.

“We have been working closely with the FBI, cyber security experts, and payment card organizations, and want to assure our customers that we have fully identified and contained the incident and that no customers will be responsible for any fraudulent charges to their accounts,” said Mike Egeck, CEO of Eddie Bauer, in a statement. “In addition, we’ve taken steps to strengthen the security of our point of sale systems to prevent this from happening in the future.”

The chain began notifying customers who may have been affected last week. It has offered identity protection to all its customers as a precaution, although not all transactions were affected.

The “2016 KPMG Consumer Loss Barometer” has found that 19 percent of consumers surveyed would stop shopping at a retailer if they had been the victim of a cyber-security hack. Thirty-three percent say they would stop shopping at a breached retailer for at least three months as a matter of caution.

“Make no mistake, there is a lot at stake here for retailers,” said Mark Larson, KPMG’s business leader for consumer markets and global and U.S. sector leader for retail, in a statement. “Consumers are clearly demanding that their information be protected and they’re going to let their wallets do the talking.”

Discussion Questions

How much of a problem will the malware attack be for Eddie Bauer’s business prospects in the short and longer term? Has the chain responded appropriately?

7 Comments
Max Goldberg
7 years ago

Here we go again. Another retailer is hacked and customer information stolen. The Eddie Bauer hacks took place over a six month period. This is not going to sit well with consumers. Some will not shop Bauer for a while, until they feel sure that their data will be safe. Some may never go back. A lot of this will depend on how Bauer’s management responds. Will they be open about the situation and express deep concern about customers’ well-being? Or will they pay lip service, offer a year of credit monitoring, and go back to business as usual? One thing is certain, they are about to take a multi-million dollar hit to their business.

Gene Detroyer
Noble Member
7 years ago

So the customer forgives a retailer the first time. Then another retailer gets hit and the customer forgives them. Then to another. At some point the customer will not understand why the retailer does not take the precautions to not get hacked. How many times does this have to happen before the retailer gets serious? The conclusion by the customer at this point is if the retailer gets hacked, the retailer cares more about saving money than protecting their customers. Each progressive hack, even if it is the retailer’s first, will create a stronger and stronger reaction by the customers.

Peter Charness
Trusted Member
7 years ago

No one is invulnerable to a cyber attack. Retailers need to get out of the business of storing any customer identifier related to payment information, capture of credit card information needs to go to hardware devices with direct token/encryption transmission to the banks, and the banks are the ones who have to store and protect credit card information.

This takes a longer-term strategy and plan that can be an industry standard with all sides working diligently towards implementation. The technology and mechanisms exist to do this, unfortunately the organization, cooperation and will to do so does not. So instead we get EMV which largely seems to have just transferred the blame (aka cost and risk) to the retailer doing astonishingly little (given today’s technical capabilities) to actually protect customer payment data in the first place. Eddie Bauer probably did and is doing what it can, they just happened to be the unlucky retailer this time.

Ben Ball
Member
7 years ago

I actually think consumers are getting a bit numb to the “we’ve been hacked” notices. Not that they have moved into the “just deal with it” world of robo-calls. But hacks have occurred often enough and with enough different retailers that consumers know it is not due to some unique sloppiness on the part of the latest retailer affected. As a result, the impact on sales of a hack attack should soften. Except for those consumers who are burdened with having their personal data compromised. The sting of that experience will likely keep them away from the retailer that caused their pain for quite a while.

Ken Morris
Trusted Member
7 years ago

Any data breach that impacts shoppers’ credit card or personal data will significantly tarnish a retailer’s reputation and, as studies have proven, will cause many consumers to stop shopping at the brand.

Eddie Bauer is doing the best they can by assuring customers that they have fixed the problem and offering those impacted with free identity protection services for 12 months. However, these actions won’t truly alleviate consumers’ fears and this breach will cost Eddie Bauer millions in lost business.

The real issue is the alarming number of retailers that still haven’t taken payment and data security protection seriously. While there is no silver bullet to fend off fraudsters, there are payment and data security best practices that go a long way in protecting your customers and your brand. Prevention is far more important than reaction. It is imperative that retailers move to a real-time retail, cloud based model and stop exposing store level information to fraudsters at every store location. Thin client, no data at store level, no data at rest, encryption everywhere and tokenization across the board is the best way to win this battle.

Craig Sundstrom
Noble Member
7 years ago

While it’s easy to criticize retailers who are attacked — “they should have done something!” — it’s difficult to criticize intelligently (WHAT should they have done?) … at least for those of us who aren’t cybersecurity experts.

As for the effect, barring something unexpected, I expect it to be minimal. It’s become a familiar routine by now: a retailer is attacked, “experts” scold them, they act contrite and vow to improve things, a few skittish customers stay away for a while — which may be intuitive but probably makes little sense since the attackee is now likely to be more on guard than the average retailer — but life goes on and we return to worrying about how they can defend themselves against Amazon.

James Tenser
Active Member
7 years ago

When I read in the Eddie Bauer press release that the data thefts took place over a 6 month period (Jan. to July), I had to sigh. Even if the attackers were “sophisticated” as claimed, the company was asleep at the switch. Heads hafta roll.

Now we witness yet another retail company mobilizing to padlock the barn door after the horses have been rustled through a hole cut in the side wall. This happens so regularly that it’s almost funny. And yes, Ben, I suspect consumers are becoming numb about this sort of incident.

What’s been missing from this story and many that preceded it is a precise assessment of the actual damage to shoppers. How many identities and credit card numbers were stolen? How many consumers suffered direct losses on those accounts? What proportion of those losses were covered by the retailers and banks? How many affected shoppers actually make use of free identity protection services offered?

Finally, do those affected shoppers actually stay away in droves following a reported cyber attack? Or do they just say they will when they answer surveys?

BrainTrust

"One thing is certain, they are about to take a multi-million dollar hit to their business."

Max Goldberg

President, Max Goldberg & Associates
