Consumers seem to be very forgiving of retailers who experience data breaches, according to findings from a recent survey for the Merchant Acquirers’ Committee, a trade group of payment processors. Most customers resume shopping—and using a payment card—at a breached retailer within a few months, and among those that don’t go back, only 6% cite a breach-related reason, results show.
A veteran executive of several payment-security companies, Dallas-based MAC board member Branden R. Williams polled consumers about their awareness of 15 data breaches at national merchants disclosed between late 2013 and early 2015, and their post-breach behavior. Breaches presented to the respondents included such highly publicized ones as Target Corp.’s (more than 40 million cards compromised), The Home Depot Inc.’s (56 million), and smaller ones that also made headlines, including Michaels Stores, Neiman Marcus, Sally Beauty, and others.
Williams conducted the research in the second half of 2015 through the SurveyMonkey online service. He obtained 1,031 complete responses from U.S. adults with annual incomes over $30,000 who had shopped at one or more of the breached retailers within the preceding three years.
Some key findings:
• Overall consumer awareness of the 15 breaches was low, with two exceptions. Some 81% of respondents knew about Target’s, and 38% were aware of Home Depot’s. But 13% were unaware of any of the breaches presented. Older consumers, those ages 54 to 64 years, tended to be somewhat more aware of breaches than other age groups, but there was little difference in breach awareness by income group, gender, or region of residence.
• Consumers were quick to return to breached merchants after a breach became publicly known. If they were aware of a breach, most shoppers returned to the affected retailer in three to six months.
• Among those that didn’t return within a year of the breach, 70% said they weren’t regular customers of the particular retailer in the first place, and 16% said they shopped at a more convenient competitor. Only 2% cited the security breach specifically, while 4% mentioned going to a more secure competitor.
• Customers also showed little hesitation to use credit or debit cards at the breached retailers. Some 79% respondents paid by debit or credit card at the merchants’ stores post-breach, with cash a distant second at 16%. Consumers over age 46 showed a slightly greater preference for cash.
Customers seem to be especially quick to return to, and use plastic at, retailers who sell groceries and must-have household goods. For example, customers on average returned to Target about two months after learning of its breach.
“It’s 9:00 p.m. on Saturday and they’re out of diapers and Target’s the closest store— they’re going to go there and use a credit card,” says Williams.
The survey did not ask about consumers’ reactions to data breaches at small merchants, nor did it get into the why’s or why nots of post-breach customer behavior.
Williams, however, speculates that consumers’ reactions are heavily influenced by the zero-liability policies of card networks and individual issuers. Those policies cover cardholders’ fraud costs if illegitimate transactions are charged to their accounts.
“They don’t feel enough harm, it’s not causing them enough harm to change their behavior,” says Williams.
Despite this seeming consumer indifference, merchants must be prepared for a dip in sales, or least slower-growing sales, in the aftermath of a breach, according to Williams. “Security breaches in a lot of cases … can be compared as the digital equivalent of a natural disaster,” he says. “It’s an interruption that they have to weather.”
In related, news, a new breach may have occurred: fast-food chain The Wendy’s Co.told the KrebsOnSecurity news service today that it is investigating claims of a possible payment card breach at some locations. Bankers told Krebs, which broke the news about many of the earlier breaches, that they had seen a pattern of fraud on some of their customers’ cards recently used at Wendy’s.