’Twas the nightmare before Christmas, when all through the store,
All IT departments were stirring, when news of the Target breach came ashore.
The shoppers awoke to find their data handled without care,
In hopes that IT soon would be there.
When breach fallout ensued there arose such a clatter,
Shoppers looked to executives to see what was the matter.
Along came customer churn, and the retailers’ profits fell back,
And it was the CEO and CIO who had to pack.
While news of Target arose such a sight,
The fact that breach fall-out is over just isn’t right.
So while we hit two years after that initial dread,
Here is our report showing consumer fallout instead.
As we all well know, the Target data breach exposed 40 million credit and debit cards to fraud during the 2013 holiday season. The breach ranks among the highest-profile data incidents to hit retailers in recent years. While the Target breach seems like a thing of the past, two years later the retailer has just signed a $39.4 million settlement with MasterCard. This settlement comes on the heels of a $67 million agreement struck with Visa in August.
On the two-year anniversary of the Target mega-data breach, it’s clear that Target’s data security strategies and perceptions have been vastly impacted. In light of the holiday season and the data breach anniversary, we issued a survey, in conjunction with Wakefield, identifying Americans’ shopping behaviors following a data breach. The data found that a breach could cost retailers one of their most valuable assets, loyal customers: 85 percent of respondents reported they would discontinue shopping at a retailer if it were the victim of a breach.
According to the survey, the type of data obtained affected sentiment, with 67 percent of Americans most concerned about keeping money in their checking account safe. Other reasons why they would take their business elsewhere include:
- If unauthorized charges appeared on their credit card (62%)
- If personal information were leaked (57%)
- If their credit score was damaged (54%)
In a November 2015 blog post, “What We’ve Learned since the Target Breach,” our CEO Alan Kessler discussed the lessons of the incident. As Alan mentioned, the Target breach served as a wake-up call that no company is immune, not to mention a reminder of the financial and reputational havoc a breach wreaks on a brand.
In February, we released the results of the retail edition of our 2015 Vormetric Insider Threat Report. In the blog post “Data Security Earns Its Seat at the Table as a Board Level Issue; Mitigating Security Threats for Retail and Financial Services,” I laid out how 48 percent of U.S. retail respondents reported they had experienced a data breach or failed a compliance audit in the last 12 months (at the time the survey was issued). Retailers handle millions of credit cards daily and have thousands of touch points. Many retail data breaches have compromised privileged user accounts, providing access to the retailer’s network. In fact, according to the 2015 Insider Threat Report, there has been a three-fold increase in planned IT spending for data breach prevention from 2013 to 2015.
However, despite long-lasting effects, I am proud to say we’ve made progress. Two years ago, many stood stunned as Target’s large infrastructure was infiltrated. Shortly thereafter, major retailers like Michaels, T.J. Maxx, Neiman Marcus and Home Depot were breached, and many assumed that it was just a ‘retail problem.’ The current forecast is significantly different. While breach shock value has been almost entirely eliminated, individuals are realizing that no industry is immune.
Successful retailers understand the strategic advantage of what is called “lifetime value” in terms of the consumer. And nothing destroys lifetime value more quickly than lack of consumer confidence. For retailers, protecting customers’ information this holiday season, and all year long, has become a large part of maintaining this confidence.
With the parade of data breach incidents bound to continue, we’re likely to see organizations increase the volumes of data protected by the combination of encryption and access controls. This combination effectively limits the who, what, when, where and how of data availability. The result? Even when firewalls and networks have been breached and internal accounts compromised, or an insider goes rogue, the data available to an attacker for theft is severely limited, mitigating the impact of a breach.
Before Target, very few retailers seemed to have a clear vision about where and how their security budgets should be invested. Now, retailers are beginning to take a proactive approach, rather than a reactive one. CIOs, CISOs and CSOs nationally are asking more questions and are evaluating technology more frequently than standard security cycles suggest. And so are the CEOs and boards, who now understand the need to protect customers’ personal and financial information.
While security is a problem many have posed,
Let’s give a quick nod, to cybersecurity solutions getting exposed.
As tech companies exclaim, ‘encryption is right’
"Happy securing to all, and to all with data-at-rest a truly good night!"