Retailer Data Breaches: Stop Giving Them A Free Pass
(Bloomberg Gadfly) -- The news has been dominated lately by the failure of one company, Facebook Inc., to safeguard customer data. But Facebook isn't alone.
In just the past two weeks, several major retailers have reported consumer data-security incidents:
- Under Armour Inc. said 150 million accounts in its MyFitnessPal app were affected by a recent hack.
- Hudson's Bay Co. reported a payment-card data breach at some Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor stores. Gemini Advisory, a security firm, said a hacking syndicate got 5 million stolen card numbers that appear to have been grabbed from those retailers.
- Fast-casual eatery Panera Bread exposed a trove of its customer records.
- Sears Holdings Corp. said some of its shoppers' credit-card information was compromised in a security incident at a company that provides online services to the retailer.
But while the Facebook story has shaken the business and political worlds for days, these other data security lapses, affecting millions of U.S. consumers, have barely made a ripple.
Under Armour shares initially fell after it announced the breach, but have already bounced back.
Hudson's Bay stock fell just 0.45 percent the day after it revealed its breach -- a day when major stock indexes tumbled on the threat of a U.S.-China trade war.
It's difficult to measure how rattled consumers have been about these data-security issues. But I certainly haven't seen a groundswell of social-media outrage at these companies that is anything like the #deleteFacebook movement percolating online.
Perhaps I shouldn't be terribly surprised that no one is panicking about these data leaks. In 2014, when I was new to covering the retail industry, Home Depot Inc. acknowledged a massive data breach that affected 56 million credit and debit cards. I remember thinking, "I'm going to be writing about the fallout of this for months -- if not years."
Turns out I was wrong. Home Depot's sales never took a meaningful hit.
With the exception of Target Corp., which saw its sales whacked after a 2013 breach, shoppers generally don't appear to respond to these incidents by changing their shopping habits. Investors know it, so they don't dump a stock when these things happen.
And I worry this dynamic is a harmful one, leaving consumers more vulnerable than they should be. What incentive do retailers have to beef up their security operations or invest in security-related innovation if there are no consequences when they mess up?
I understand why the Facebook scandal has captured so much more attention than these other incidents. The social network has said political consultancy Cambridge Analytica improperly gained access to data about up to 87 million of its users. That's a huge number. And this issue is tangled up in so many other captivating storylines, including whether Silicon Valley behemoths have too much power and how social media may have influenced the U.S. presidential election.
And people are generally more anxious about data security with social media sites than with other companies. Perhaps the Facebook story has resonated partly because it confirms something many people already feared.
I suspect some of the consumer complacency about the retailer security incidents simply reflects what's known as "breach fatigue." After you've had to replace a compromised card or dispute fraudulent charges so many times, it just starts to feel ordinary.
But consumers should not accept these conditions as ordinary. Retailers and the payments industry will surely do better if they sense their customers will flee -- or at least be indignant -- if they do not.
This column does not necessarily reflect the opinion of Bloomberg LP and its owners.
Sarah Halzack is a Bloomberg Gadfly columnist covering the consumer and retail industries. She was previously a national retail reporter for the Washington Post.
©2018 Bloomberg L.P.