Breaches are not stopping people from shopping at hacked stores

A new survey shows just about everyone ends up back at stores that get hacked, despite vows never to return.

After the Target hack that affected about 40 million people two years ago, the promises flew fast and furious on social media.

“Hell, no, will not shop at Target ever again,” wrote an angry customer on Target’s Facebook page in 2014.

“Thanks for nothing, Target,” said another. “What a joke! Lost my business.”

“I used to shop at Target on a weekly basis (groceries, pet supplies, clothes),” explained a customer. “Ever since this data breach, I haven’t been back. Love the store, but y’all fudged up bad.”

But a new survey shows the vows people make about eliminating data-breached stores from their shopping routes may not always hold.

The survey report said only 2% of people surveyed did not return to a store after a breach was made public.

The Associated Press reports that Target’s annual profit fell 34% after the breach, but has since—with a turnaround plan in place—rebounded, with an expected net income up 22% over the past year, and sale increases every quarter.

Target stock has risen from about $56 in early 2014, to $74 in December, according to the Associated Press.

The breach survey report from Dr. Branden Williams in partnership with the Merchant Acquirers’ Committee suggests that people are creatures of habit when it comes to breaches.

“This research indicates, for the most part, that consumers do not feel enough harm, or simply do not care enough about payment card breaches to change their spending behavior,” the report said.

How long before people return?

The research project surveyed about 1,000 people between the ages of 18 and 70 who live in the U.S., own a debit or credit card, make more than $30,000 a year, and have shopped at one of 15 breached retail stores, including Target, Home Depot, Michael’s, Staples and Toys“R”Us. 

The report said most people surveyed returned to the breached store within three months of the breach announcement, though some of the people were not aware the breaches had happened.

In the group of people surveyed who said they were aware of the breach, most still returned, usually between three and six months after the breach was made public. Stores selling “necessities” had better success in getting customers back in.

“Consumers are quick to return to breached merchants,” the report said. “They appear to either be unfazed or unaware of breaches in a way that materially changes their shopping behavior.”

Lack of pain

Some cybersecurity experts say most people do not feel that they are directly affected by breaches.

“The short attention span of consumers is probably more related to their lack of pain in these breaches more than anything else,” said Patrick Coyle with Chemical Facility Security News.

“Since banks currently bear the brunt of any financial loss due to credit card fraud, there is little harm felt by the consumer when these large breaches happen,” he said.

“Since most of the ‘affected’ consumers just had to change out their payment card, they never really experienced the breach,” he added.

Pain

Coyle suggested a research project on the attitudes of people who actually had their credit card or debit card data used as a result of the breach.

“I was a victim of this already, and I have $500+ of my money still held up by my bank while they investigate the charges!” an unhappy customer reported after the Target attack.

“Took all my money from my account!! Very dissatisfied in this whole process & how Target is handing it all!!” another said. “I’ve spent over three hours on the phone & on hold w/FTC, my bank, police & the credit bureaus.”

“These people had the slightly more invasive problem of having to contact their card issuer to get money refunded,” Coyle said. “I would suspect that they would have had a slightly longer period to forgive the breached store.”

Breach fatigue?

Previous surveys by other organizations have shown more people declaring a breached store off-limits. 

But the news of a security hack at a big company has become commonplace. One in three Americans has been hit in a data breach, according to recent research.

“Data breaches happen at such a frequency that the general public may be desensitized to them,” the report said.

A privacy report released by Morrison and Foerster at the end of January showed 35% of 900 people surveyed said they chose not to buy a company’s product or service in the past year over privacy concerns.

However, that shows a big drop in the number of people willing to take a stand about privacy.

The company’s survey in 2011 showed 54% of people surveyed said they would not buy products or services from a business because of privacy concerns, according to Corporate Counsel.

When asked why they trust a company with their personal information, the top response—from almost 25% of people surveyed—was, “No company is perfect.”

Change

The pain of the 2013 breach is still lingering for Target.

The company has settled a number of lawsuits, including a $10 million settlement with customers affected by the breach, and a more than $100 million settlement with financial institutions who had to reissue credit cards and pay back customers whose accounts were used by criminals, according to the Star Tribune in Minneapolis, where Target’s headquarters are located.

“The suit may set a precedent as the first time a U.S. retailer has absorbed most of the costs incurred by financial firms in a data breach,” the Star Tribune reported. “Home Depot and several other retailers are locked in similar litigation after hackers gained access to their systems.”

Coyle said there may be a tipping point, where the two sides will begin to fight online attacks together.

“As the number of credit accounts being compromised continues to grow, the cost of credit fraud will start to become a significant burden on the banking industry,” he said.

“Then, and probably only then, will the banking and commercial sectors begin to work together to reduce the incidence of this fraud,” he added.