Shopping at Breached Retailers This Holiday Season

Posted on by Fahmida Y. Rashid

We are about halfway into the holiday shopping season, and it’s not clear if the retail breaches have affected how consumers are shopping this year.

Overall shopper traffic over the Thanksgiving holiday—Thursday to Sunday—dropped 5.2 percent compared to 2013, according to early numbers from the National Retail Federation released earlier this month. There were also a lot of provocative numbers being thrown around just a few weeks ago suggesting that shoppers were going to avoid some stores or use only cash. While we won’t know what the actual numbers look like until January when retailers and credit card brands release their figures, there are some hints that shoppers aren’t going to punish the retailers that much for the past year’s data breaches and security missteps.

First of all, consumers don’t appear to planning to change their shopping habits just because the retailer had experienced a data breach. A report from released just before the shopping season kicked off found that 52 percent of major credit and debit cardholders either “probably” or “definitely” planned to shop at stores where personal data for shoppers had been exposed. This is in line with a separate study by consulting firm Deloitte which found that while 42 percent of consumers were concerned about their personal data when making in-store purchases, 56 percent still planned to shop at retailers who were breached.

Flipped the other way, only 45 percent were worried enough about the breaches to avoid the stores, and only 16 percent said they would definitely skip the stores, according to the survey.

Does that mean consumers don’t care about the data breaches or the fact that their data may be exposed and sold on underground forums? Not necessarily. About 58 percent of consumers surveyed by KPMG in November said they were either unsure of—or lacked confidence in—the security of their personal data collected in-store. The number jumps to 63 percent for online shopping. 

For some stores, it’s about the relationship. A contractor who has a business account with Home Depot is less likely to take his or her business elsewhere post-breach. If the small business relies on UPS to ship its packages, the fact that PoS malware was found in some of the shipping company’s retail locations this summer may not be enough of a reason to switch to a new shipper. And brand loyalty goes a long way, especially if it’s a specialty item the consumer is looking for.

About 27 percent of consumers surveyed by KPMG said they would only shop at a story that experienced a cyber-attack if they could not find the product elsewhere. Only 8 percent refused to shop at these stores at all, KPMG said.

Higher-income households were less likely to penalize the retailer, found. Only 31 percent of households earning $75,000 or more annually said they planned to avoid breached stores, compared to 56 percent of those earning $30,000 and less.

Perhaps the numbers just mean that shoppers are going to use their credit and debit cards less this holiday season—if you use cash, there is no financial data to steal, right? But the numbers aren’t backing up that assumption, either.  Only one-fifth of shoppers said they were “somewhat” or “very likely” going to let the breaches affect how they shop or pay for merchandise, according to the annual holiday spending survey by The National Retail Federation.

The fact that consumers appear to be de-sensitized to the wave of data breaches will be good news for retailers who have been hit recently. However, that doesn’t mean any organization—whether they’ve been breached recently or not—can be complacent. Just because consumers aren’t punishing retailers en masse doesn’t mean we don’t have to make changes and make things better, more secure. In fact, the last thing we want to hear in January is another retailer disclosing a data breach. There are only so many mistakes consumers would be willing to forgive before switching allegiances.

Click here to look at and download the infographic we’ve put together about consumer attitudes about shopping during the holiday season.

Fahmida Y. Rashid

Information Security Journalist, Editor-in-Chief, RSA Conference

Business Perspectives

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community