Data Breaches – A Tangled Web
Cyberattacks on consumer data are bad for business. Just ask Target. In December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from the retail giant by hackers in Eastern Europe. Target continues to suffer the fallout and lousy media coverage long after. Its shares are down 8.5% year-to-date, and this week the company reported that related costs reached $148 million in the latest quarter.

The latest breach, and possibly the largest ever pulled off, was reported by The New York Times yesterday. According to researchers cited in the article, “a Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses.” The discovery was made by Milwaukee-based Hold Security, which says that confidential material was gathered from 420,000 websites that spanned the range from Fortune 500 firms to small businesses.

Clearly, consumers are uneasy about such events. But is it changing their behavior? Indeed it is. Data from a recent survey by ChangeWave Research, a service of 451 Research, shows that 37% of respondents say the recent security breaches have impacted the way they shop. Among this group, nearly a third are now Using Cash More Often (31%) and Limiting Debit Card Usage (31%), closely followed by Limiting Credit Card Usage (27%).

Cyberattacks are something that every company has to confront, starting with planning and often in response to a breach of one sort or another. Yet not all managers believe that full transparency is necessarily the best method for dealing with such an ordeal. On Monday, the head of information security at Urban Outfitters Inc. told The Wall Street Journal that she believes “there is this crazy hysteria” about the hack attacks and that “placing blame, it doesn’t help anybody.”

The Journal article looks at corporate execs running counter to the conventional wisdom about disclosing cyberattacks. This group questions whether it makes sense for companies to always notify customers, vendors and authorities after a breach. Their case for less transparency is made from the corporate perspective, but it reveals the knotty issues that must be considered from all sides. For example, not all breaches are necessarily harmful or costly to companies or customers. Furthermore, disclosure can sometimes be worse than the hack itself, since going public could expose weaknesses that others could exploit. The ongoing debate appears to be heading toward some middle line, but where will this line be drawn – and at what cost to consumers and investors?