The Real Cost of a Retail Data Breach

Last updated: 16 May 2016

When I was growing up and found myself in hot water with my parents, there was nothing in the fallout – no punishment, no lost privileges – that compared to hearing my father use his go-to haymaker: “You broke my trust.” It was said quietly, but it stung and stuck with me for days the few times I was unfortunate enough to hear it.

In terms of information security, that’s the same message consumers are conveying to retailers involved in data breaches. But they’re doing it with their money.

Based on SafeNet’s Breach Level Index (BLI) Second Quarter Report, 83% of the data records stolen from April-June 2014 came from the retail industry. In all, the retail industry had more than 145 million data records stolen in the quarter.

So what? Breaches happen, customers are notified, passwords are reset, and in no time the retailers can go about conducting business as usual, right? That’s not how it works anymore, as SafeNet’s new Global Consumer Sentiment Survey shows.

Of the 4,500 adults surveyed in the U.S., U.K., Germany, Japan, and Australia, 37 percent of respondents said they would never or would be very unlikely to shop or do business again with a company that had experienced a data breach involving personally identifiable information. Additionally, if financial data was stolen in the breach, that number of dissatisfied and potentially lost customers increased to 65 percent of respondents.

Cost of a Retail Data Breach - Customer Loyalty Survey Statistics

When you consider that the vast majority of records stolen in Q2 were attributed to retailers and these often make headlines, it becomes clear that these organizations stand to lose a great deal of consumer trust and revenue.

Discount retailer Target suffered financially after its front-page breach in Q4 2013, with profits that quarter down by 46 percent. But that’s not the end of the repercussions it’s dealing with after losing customers’ financial data. In the fallout, CEO Gregg Steinhafel stepped down, holding himself “personally accountable” for the breach.

For eBay, a Q2 2014 breach led to a decrease in user activity and forced the company to lower its annual sales targets by $200 million.

Sony is proposing a $15 million settlement to a class action lawsuit filed against the organization after a 2011 breach of its PlayStation Network exposed tens of millions of user names, addresses, passwords and credit card numbers.

The financial repercussions of the breaches already discussed don’t even include the actual cost of the breaches themselves. In the case of StubHub, for example, a recent breach in which hackers used the preexisting payment card information in customers’ accounts to purchase and resell tickets defrauded the company out of $1 million.

Regional organizations can be equally appealing targets. In Q2, hackers stole more than 600,000 customer details from Domino’s Pizza France and Belgium, demanding 30,000 Euros in exchange for not releasing the information publicly.

Based on the Global Consumer Sentiment Survey findings, the costs that result from lost business could be significant for both organizations.

Data Records Stolen in Retail Industry

Today, a breach isn’t just an IT or PR problem. It’s not just something for information security professionals to be concerned about. A breach is an organization-wide business problem, and a very serious one for retailers.

In addition to the costs resulting from a loss of customers and the breach itself, there’s also a great deal of time and money that must be invested in addressing the vulnerability that opened the door to the breach in the first place.

Unfortunately, in most instances, there’s a lot of work to be done after the breach because enough steps weren’t taken before it. Supporting that argument, the Breach Level Index also found that strong authentication, encryption, or key management solutions were used in only two of the 237 data breaches reported in Q2 2014.

Seeing the long-term business repercussions that come with a data breach, more organizations need to take those data security measures to minimize the customer losses that will come when a breach ultimately occurs.

Download the Secure the Breach Research Kit to learn how to use authentication, encryption, and key management to prepare for a breach effectively.

The kit includes access to the Secure the Breach manifesto, white paper, and other helpful resources.