Over the past few years, data breaches have pounded the payments industry. Target’s 40-million credit and debit card data breach washed away their C-suite, billions of their market capitalization, and hundreds of millions of profit in lost sales and imposed fines. The list of catastrophic data breaches continues to grow as Issuers struggle with a rising tide of fraud losses, merchants faced with a public breach are most often swept under within six months. Consumers, faced with reissued card after reissued card feel lost at sea, distrustful of the whole system.
Would it surprise you if we told you there were 174 confirmed data breaches for 2015 already? What if we were to say that nearly 100 million records have been exposed due to data breaches for 2015 in less than three months? Did you have the same reaction just now as when you first heard about the Target data breach during the 2013 holidays? Like the majority of American consumers, seeing data breach after data breach hit the news in what seems like every few days is starting to have an effect on how we react to data breaches. This feeling is what many call breach fatigue and if data breaches continue at this rampant pace, this term should become better known.
The Public's Awareness of Major Data Breaches
Breach fatigue at its essence, tries to understand how data breaches affect consumers from a psychological standpoint. For every time that a data breach occurs where a consumer does not directly experience any negative financial ramifications, fraudulent spending for example, he or she is less likely to worry about the following breach, or the one after that for that matter. Because it takes up to twelve months from the moment cybercriminals steal the sensitive payment information, to when the first fraudulent cards and transactions appear, consumers are often reacting to data breaches that they’ve already forgotten about.
In a study on public awarness of security breaches put together by Software Advice, over 4,000 U.S. adult consumers were surveyed to gauge their awareness of 10 of the most well-known data breaches in 2014. Based on the results of the study, we as consumers may have already reached a point of no return when it comes to data breach fatigue.
As you can see in the above graph, only two of the ten listed data breaches received a high score for consumer awareness. While the Target and Home Depot data breaches involved two retailers which most U.S. consumers have transacted with at least once, the percentage drop-off for the remaining data breaches was much higher than expected.
From Catasrophe To Back Of Our Minds
When news first broke in May of 2014 that eBay had suffered a data breach, the idea of having 148 million exposed accounts seemed beyond catastrophic. Customer names, email addresses, physical addresses and dates of birth were all exposed and compromised. With such a large number of records exposed and the sensitive data associated with it, awareness of eBay’s data breach should have been at a much higher level.
However, Software Advice’s study would say differently. When surveyed, 65 percent of respondents were unaware that a data breach at eBay had ever occurred and 13% of respondents believed the data breach had occurred at another merchant. While the data breach did not expose payment information including credit card numbers and card verification values (CVV), which often leads to more news coverage, there could be a variety of reasons as to why eBay’s data breach slipped through the cracks.
Can A Business' Post Data Breach Response Have A Significant Impact On Public Awareness?
Let’s take a deeper look into two major retailers, eBay and Target, and how each company reacted following their respective breaches. With over 40 million credit and debit cards stolen during the 2013 holiday season, Target tried to remain as transparent as possible when notifying their affected customers and fielding inquiries from law enforcement, members of the media and experts in the payments industry. Due to this transparency, 70 percent of respondents knew that Target had a suffered a data breach.
It’s safe to say that Target paid a hefty price, and will continue to pay, for its transparency regarding its 2013 data breach. Looking at reports from executives at eBay, one would be hard pressed to find any significant impact following the company’s massive data breach. When eBay first announced the company had suffered a data breach in May of 2014, eBay provided very little information regarding the details of the breach.
In July of last year, President and CEO John Donahue spoke about the company’s second quarter filings. eBay reported that they experienced a drop in users that were required to reset their password. But unlike Target post data breach, Donahue stated that eBay’s profits had risen despite “several distractions.” Two of these “distractions” included the compromise of the personal information of nearly 150 million customers and the departure of PayPal’s President, eBay’s recent acquisition, to Facebook.
When looking from the perspective of a breached retailer, eBay’s tight-lipped approach appears to have been effective. The company’s profits rose after the breach, eBay’s CEO is still employed by the company and nearly 77 percent of the survey’s respondents were unaware that eBay suffered a data breach. Target saw a plunge in their share prices, as low as 13% from its November 20, 2013 peak; they parted ways with their CEO and CIO, and lost consumer confidence in their brand.
But for the real victims of data breach, the consumers who have their personal and payment information exposed, which is the better approach for breached retailers?
Don't fall victim to data breach fatigue. Keep up with the latest data breach news, sign-up for our Data Breach Ripples newsletter - subscribed to by MasterCard, Visa, FICO, and the U.S. Dept of Justice, among others.