Public Awareness of Security Breaches
IndustryView | 2014
2014 has been the year of the breach. Watching the news, it often seems as though one giant company after another has fallen prey to cybercriminals, leading to a non-stop flood of customer data into criminal hands. The massive Target hack actually occurred at the end of 2013, but the fallout continued into the new year. And since then, so many big names—including P.F. Chang’s, JP Morgan Chase, AOL.com, eBay and, most recently, Home Depot—have suffered breaches, it’s hard to keep up.
As a result, some analysts have started to suggest that we might have achieved “data breach fatigue,” with the result that nobody is paying very much attention anymore. Indeed, Unisys chief information security officer Dave Frymier suggested this year that the onslaught of breach-related news stories might be leading consumers to think they are powerless in the face of cybercriminals, increasing the likelihood that security apathy is taking root. And following the eBay breach, the firm’s profits actually rose.
Thus, we wondered: Is “data breach fatigue” setting in? Or worse, have consumers already tuned out? We surveyed 4,235 adults in the U.S. to gauge their awareness of 10 of the year’s headline-grabbing breaches. Here’s what we found.
It is important to remember, when thinking about breaches, that they are hardly a new phenomenon. Indeed, the 2013 Target breach (40 million credit cards stolen) is smaller than the T.J. Maxx breach of 2007 (45 million cards stolen)—while the Heartland breach of 2008 saw a staggering 130 million user accounts compromised.
Thus, even if 2014 may feel, to people who follow security news, like a year of “all breaches, all the time,” the public has in fact been hearing about breaches for years. We picked 10 different high-profile breaches and, in each case, asked respondents to select the victim of the real breach (e.g., Target) from a list that also contained false alternatives (e.g., Target, Wal-Mart, Costco, Randall’s).
As the chart shows, two breaches scored highly for public awareness—and then there was a precipitous decline. It is little surprise to see that Target and Home Depot—the biggest breaches on the list—were the champions, but it is striking to see how little awareness there was for the others. To show how steep the drop-off was, here are the precise statistics:
Indeed, aside from the eBay breach, none of these scored higher than 20 percent. Of course, these other breaches were not as big as the Target or Home Depot breaches, and some (e.g., AOL.com, eBay) resulted in leaks of user credentials rather than financial information. Still, the numbers are so low as to suggest that if such a thing as data breach fatigue exists, we reached it a long time ago. The Michael’s and Neiman Marcus breaches occurred within weeks of Target’s, yet neither scored higher than 20 percent.
It was striking that in many cases, wrong guesses outnumbered correct answers. For example, Bank of America might be concerned to know that 15 percent of our respondents thought it had suffered a breach, and not JP Morgan Chase. Similarly, Facebook might be concerned to know that 17.4 percent of respondents thought its security had been compromised, rather than AOL.com’s.
Having taken our overview of the subject, we are now going to look a little more closely at the three breaches with the highest levels of public awareness: Target, Home Depot and eBay.
First, let’s look at Target, which throughout 2014 has had the dubious honor of serving as the breach “poster child.”
With 40 million credit cards compromised and news coverage that lasted for weeks, if any of these breaches was going to have made an impact on the public, this would be the one. And indeed, we found that 70 percent of respondents knew Target had been the victim of a data breach. Clearly, the agonizing leak of ever-worsening details over a prolonged period did a lot of damage to Target’s reputation; 10 months later, memories are still fresh.
On the other hand, another 30 percent either did not know about the Target breach, or selected the wrong retailer from our range of options. And 30 percent is rather a large number, when you consider how many people may have continued using compromised credit cards in the aftermath.
It is very interesting to compare the eBay breach with Target’s. The breach occurred in February of this year, and the online retail giant went public with it in May, when it advised all 145 million of its users to update their passwords and admitted that hackers had infiltrated an internal eBay corporate account. However, relatively few people know about it:
Indeed, a staggering 77 percent of respondents were unaware of what was billed as “one of the biggest data breaches in history.”
It is important to note that the data compromised in the eBay hack included user names, email addresses, physical addresses, phone numbers and dates of birth. The hackers were also able to access passwords, although these were encrypted. However, they did not lay their hands on credit card numbers—so, although there was an initial wave of grandiose headlines, the mega-breach faded from view quite quickly. Not only that, but as we mentioned at the start, the firm’s profits actually rose.
However, another contributing factor to this vanishing act may have been eBay’s very different response. Whereas Target opted for maximum openness and then suffered as the details that emerged were worse and worse, eBay remained tight-lipped.
After admitting to the hack in May and advising users to change passwords, the firm said very little until July—when President and CEO John Donahoe reported that although profits had risen, there had been a slowdown among some users who had reset their passwords. He noted that the company was “stepping up targeted marketing efforts ... to fully re-engage these and other users.”
In short: It was far from an insurmountable business problem. And indeed, unlike the Target CEO, who lost his job, eBay’s CEO is still employed by the company—indicating that he retains the confidence of its investors. From a reputation-management perspective, 23 percent awareness of a titanic data breach is a triumph.
As we were preparing the questions for this survey, security reporter Brian Krebs broke the story that hardware giant Home Depot had also suffered a breach—and one that was possibly larger than Target’s. However, Home Depot adopted an information-control strategy that was much closer to eBay’s, and for days, neither denied nor confirmed the reports.
We held off on launching the survey until the day Home Depot confirmed it—but even then, the firm was refusing to reveal any numbers. This minimal-information strategy seems to have been highly effective, for although we launched the survey when the Home Depot breach was breaking news, awareness was almost 20 percent lower than it was for the 10-month-old Target breach:
Indeed, only 53 percent of respondents were aware of it.
Shortly after our results came in, Home Depot revealed that its breach was considerably more severe than Target’s: 52 million cards had been compromised. We decided to launch another survey that day to see how it affected awareness. The result was eye-opening:
The figure was higher, but only five percentage points higher. Forty-two percent of respondents remained unaware of the breach, despite the fact that it was literally front-page news—and that it was much larger than the Target breach, of which only 30 percent of respondents were unaware. Perhaps, indeed, breaches are becoming normalized.
The public may be paying less attention to breaches, but this is not the only reason businesses need not panic if the data they hold is compromised. As we have seen, eBay announced an increase in profits in spite of all the negative publicity surrounding its data breach. Meanwhile, of those firms that had released financial data at the time of writing, Michael’s also saw earnings increase while AOL.com saw a slight dip yet still outperformed analyst estimates. Neiman Marcus saw a drop—but, interestingly, an increase in its online business.
Target saw a decline in profits, but even here there is not a clear correlation. Analysts also pointed to a flailing attempt at expansion in Canada as significant; indeed, this was also undoubtedly one of the factors leading to the departure of the CEO. Thus, while breaches may be the focus of security-watchers, it seems that they are only one factor and not the deciding factor, as far as shareholders and the public are concerned.
Even Heartland—which suffered the worst breach in history—recovered quickly. Within five months of the announcement of the breach, Gartner analyst Avivah Litan said that the firm was “leading the way for the rest of the industry” with regards to its data encryption policies, and today the firm is a Fortune 1000 company.
In a similar vein, Target has seized the opportunity to rebrand itself as a security-conscious firm, boosting its credit and debit card security by announcing plans to have more advanced chip-and-PIN technology installed in its stores by early 2014. The company has also hired its first-ever chief information security officer (CISO), who is not afraid to talk to the press and seems genuinely excited by the opportunity he has to turn Target’s security—and, perhaps, its reputation for security—around.
The headlines of 2014 aside, the breach is not a new phenomenon. Meanwhile, the results of our poll suggest that the public may already have reached “peak breach,” responding to most of these stories with a shrug. A breach has to be truly massive, and focus on credit cards over other types of data loss, for it to attain any serious level of public awareness. And even then, the Home Depot breach seems to be having less of an impact than the Target breach did—so even the mega-breaches may be having less impact.
On the one hand, this is good news for companies: Security breaches need not have any long-term effect on their fortunes; rather, they act as speed bumps. And yet, this lack of long-term effects is also a danger. Public anger at data breaches could act as a strong incentive for firms to improve the quality of their security; in its absence, that incentive may be lacking.
Meanwhile, if the public is unconcerned about the wholesale leakage of sensitive data by firms to which they have entrusted it, it seems unlikely they will be doing much to protect their own identities and card details online. And finally, Target has put the costs of its breach at $148 million: Whether the public is paying attention or not, breaches are expensive.