4/29/2014
07:55 PM

Consumers Ditch Their Breached Retailers, Banks and Doctors

New survey shows how data breaches do affect some consumers' buying decisions.

Welcome to the post-Target breach world: One-third of consumers stop shopping at retailers that have been breached, and nearly one-third ditch their healthcare providers after they've been breached, a study published today finds. One-fifth of consumers say they will leave banks or credit card companies that have been breached.

The high-profile data breach at the retailer TJX hardly put a dent in its business, but times have changed. Target's revenue dipped in the third quarter after its massive payment card hack late last year, which to date has cost the company $61 million in legal fees and credit monitoring offerings.

"I think the straw breaking the camel's back is customers now in droves are being inconvenienced [by breaches]. They never thought it could happen to them... Now they think, 'This can happen to me,'" says Al Pascual, senior analyst of security, risk, and fraud at Javelin Strategy & Research.

The combination of the number of high-profile attacks, scope, and publicity surrounding them has given consumers pause. "It's sticking," Pascual says.

About one-third of consumers surveyed by Javelin Research said they will ditch their retailer if it gets breached; 30% said they will seek a new doctor or hospital if it gets breached; and 24% said they will switch banks or credit card providers that get breached.

Changing big-box retailers is obviously not as complicated as choosing a new doctor. However, "for me, the only thing that was surprising [in the survey] was that healthcare [business departure] was as high as it was. It's easy to walk down the street and say, 'Target or Marshalls, McDonald's or Burger King,'" says Todd Feinman, CEO at Identity Finder, which commissioned the report. "But healthcare is not as much of a commodity, so that those numbers were only second in line was a surprise to me."

Breached organizations typically offer customers free identity protection services in the wake of an attack; 54% of healthcare providers do so, as do 40% of financial/banking firms and 30% of retailers.

The full Javelin report is available here for download (registration required).

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas,
User Rank: Strategist
5/2/2014 | 1:03:19 PM
Re: What are you gonna do?
I think it would be much more of a personal betrayal with a doctor, although based on what I've experienced with HIT systems, my expectations of healthcare's ability to protect data are pretty low...
LysaMyers,
User Rank: Author
5/2/2014 | 12:53:14 PM
Re: What are you gonna do?
For most people, the relationship with a doctor is a much more personal one, so those results strike me as most interesting. Swapping retailers is almost a non-issue, but changing doctors means starting out a new trust relationship. Do people feel it to be a kind of betrayal when their doctor fails to protect their data?  
Kelly Jackson Higgins,
User Rank: Strategist
5/2/2014 | 12:50:53 PM
Re: What are you gonna do?
True--I doubt Walmart's security is any better than Target's, and as we saw, it probably doesn't matter anyway if they don't properly respond to alerts. 
Marilyn Cohodas,
User Rank: Strategist
5/2/2014 | 11:20:48 AM
Re: What are you gonna do?
And if shoppers go from Target to Walmart, it's not based on assurances that Walmart has better data security than Target, or any other retailer. Maybe PCI-DSS should include some better consumer disclosure requirements...
Kelly Jackson Higgins,
User Rank: Strategist
4/30/2014 | 1:41:37 PM
Re: What are you gonna do?
I still wonder if the retail exodus is more short-term...some shoppers are ticked off with Target, so they go to Walmart. But when you start changing banks and docs, that's a longer-term impact. #foodforthought
Anthony Schimizzi,
User Rank: Apprentice
4/30/2014 | 1:41:25 PM
Re: What are you gonna do?
Although I commend Target for regaining the consumer's confidence, I think it may be long gone.  Regarding chip-n-pin, I have to disagree this is the right approach, let alone, it wouldn't even have stopped the breach if it was implemented prior.  Michael Santarcangelo has some great facts and interesting reads about how chip-n-pin can solve these fraudulent activities at Point Of Sale systems but it isn't the right business move to reduce the risk of fraud due to cost of implementation and the fact the retailers have increased cost and liability. 

Here is his article on chip-n-pin: http://www.csoonline.com/article/2136747/security-leadership/does-chip-and-pin-actually-solve-the-problem--find-out-by-asking-these-questions.html
Marilyn Cohodas,
User Rank: Strategist
4/30/2014 | 9:47:58 AM
Re: What are you gonna do?
It's encouraging that Target is taking some major (better-late-than-never) steps to regain consumer confidence, including an accelerated $100 million plan to move to chip-and-PIN-enabled technology, and to install supporting software and next-generation payment devices in stores. But can Target deliver and will the industry follow? Those are questions TBD. The fact that consumers are talking with their feet should keep the pressure on, though.
Jim Donahue,
User Rank: Apprentice
4/30/2014 | 9:15:35 AM
What are you gonna do?
It seems virtually every retailer is going to get hit sooner or later. Unless we transition to a barter economy, we have some hard decisions to make.

 

Meanwhile, anyone have anything to trade for this chicken I happen to have here?

 