Attacks/Breaches
4/29/2014
07:55 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Consumers Ditch Their Breached Retailers, Banks and Doctors

New survey shows how data breaches do affect some consumers' buying decisions.

Welcome to the post-Target breach world: One-third of consumers stop shopping at retailers that have been breached, and nearly one-third ditch their healthcare providers after they've been breached, a study published today finds. One-fifth of consumers say they will leave banks or credit card companies that have been breached.

The high-profile data breach at the retailer TJX hardly put a dent in its business, but times have changed. Target's revenue dipped in the third quarter after its massive payment card hack late last year, which to date has cost the company $61 million in legal fees and credit monitoring offerings.

"I think the straw breaking the camel's back is customers now in droves are being inconvenienced [by breaches]. They never thought it could happen to them... Now they think, 'This can happen to me,'" says Al Pascual, senior analyst of security, risk, and fraud at Javelin Strategy & Research.

The combination of the number of high-profile attacks, scope, and publicity surrounding them has given consumers pause. "It's sticking," Pascual says.

About one-third of consumers surveyed by Javelin Research said they will ditch their retailer if it gets breached; 30% said they will seek a new doctor or hospital if it gets breached; and 24% said they will switch banks or credit card providers that get breached.

Changing big-box retailers is obviously not as complicated as choosing a new doctor. However, "for me, the only thing that was surprising [in the survey] was that healthcare [business departure] was as high as it was. It's easy to walk down the street and say, 'Target or Marshalls, McDonald's or Burger King,'" says Todd Feinman, CEO at Identity Finder, which commissioned the report. "But healthcare is not as much of a commodity, so that those numbers were only second in line was a surprise to me."

Breached organizations typically offer customers free identity protection services in the wake of an attack; 54% of healthcare providers do so, as do 40% of financial/banking fims and 30% of retailers.

The full Javelin report is available here for download (registration required).

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/2/2014 | 1:03:19 PM
Re: What are you gonna do?
I think it would be much more of a personal betrayal with a doctor, although based on what i've experienced with HIT systems, my expectations of healthcare's ability to protect data is pretty low...
LysaMyers
50%
50%
LysaMyers,
User Rank: Author
5/2/2014 | 12:53:14 PM
Re: What are you gonna do?
For most people, the relationship with a doctor is a much more personal one, so those results strike me as most interesting. Swapping retailers is almost a non-issue, but changing doctors means starting out a new trust relationship. Do people feel it to be a kind of betrayal when their doctor fails to protect their data?  
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/2/2014 | 12:50:53 PM
Re: What are you gonna do?
True--I doubt Walmart's security is any better than Target's, and as we saw, it probably doesn't matter anyway if they don't properly respond to alerts. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/2/2014 | 11:20:48 AM
Re: What are you gonna do?
And if shoppers go from Target to Walmart, it's not based on assurances that Walmart has better data security than Target, or any other retailer. Maybe PCI-DSS should include some better consumer disclosure requirements...
Kelly Jackson Higgins
100%
0%
Kelly Jackson Higgins,
User Rank: Strategist
4/30/2014 | 1:41:37 PM
Re: What are you gonna do?
I still wonder if the retail exodus is more short-term...some shoppers are ticked off with Target, so they go to Walmart. But when you start changing banks and docs, that's a longer-term impact. #foodforthought
Anthony Schimizzi
50%
50%
Anthony Schimizzi,
User Rank: Apprentice
4/30/2014 | 1:41:25 PM
Re: What are you gonna do?
Although I commend Target for regaining the consumer's confidence, I think it may be long gone.  Regarding chip-n-pin, I have to disagree this is the right approach, let alone, it wouldn't even have stopped the breach if it was implemented prior.  Michael Santarcangelo has some great facts and interesting reads about how chip-n-pin can solve these fraudulent activities at Point Of Sale systems but it isn't the right business move to reduce the risk of fraud due to cost of implementation and the fact the retailers have increased cost and liability. 

Here is his article on chip-n-pin: http://www.csoonline.com/article/2136747/security-leadership/does-chip-and-pin-actually-solve-the-problem--find-out-by-asking-these-questions.html
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/30/2014 | 9:47:58 AM
Re: What are you gonna do?
It's encouraging that Target is taking some major (better-late-than-never) steps to regain consumer confidence, including an accelerated $100 million plan to move to chip-and-PIN-enabled technology, and to install supporting software and next-generation payment devices in stores. But can Target deliver and will the industry will follow? Those are questions TBD. The fact that consumers are talking with their feet should keep the pressure on, though. 
Jim Donahue
0%
100%
Jim Donahue,
User Rank: Apprentice
4/30/2014 | 9:15:35 AM
What are you gonna do?
It seems virtually every retailer is going to get hit sooner or later. Unless we transition to a barter economy, we have some hard decisions to make.

 

Meanwhile, anyone have anything to trade for this chicken I happen to have here?

 
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4734
Published: 2014-07-21
Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

CVE-2014-4960
Published: 2014-07-21
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.

CVE-2014-5016
Published: 2014-07-21
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to appl...

CVE-2014-5017
Published: 2014-07-21
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter...

CVE-2014-5018
Published: 2014-07-21
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.