BreachExchange mailing list archives

Home Depot and JPMorgan are doing fine. Is it a sign we're numb to data breaches?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 7 Oct 2014 21:00:35 -0600

http://readingeagle.com/ap/article/home-depot-and-jpmorgan-are-doing-fine-is-it-a-sign-were-numb-to-data-breaches

Home Depot and JPMorgan Chase have revealed in recent weeks that each was
hit by one of the largest security breaches the retail and banking
industries have ever seen.

But Wall Street — and consumers — appear ready to shrug it off.

The home improvement retailer's stock is up more than 14 percent this year
and more than 2 percent since it confirmed a six-month breach of its
payment system that affected some 53 million credit and debit cards. Home
Depot says it expects its sales growth this year to be unaffected by the
massive cyber intrusion.

And after JPMorgan said last Thursday that cybercriminals had obtained
customer names, addresses, phone numbers and email addresses for 76 million
households, the company's stock price has hardly budged.

The companies may be benefiting from what experts say is a potentially
dangerous shift among consumers: data breach fatigue.

Shoppers, they say, have become numb to reports that their credit cards and
other personal information have been compromised as incidents have piled up
in the last year. Target suffered a major breach during last year's holiday
shopping frenzy. Restaurants P.F. Chang's and Jimmy John's have
acknowledged hacks this year. So have Neiman Marcus, Michaels and Sally
Beauty Supply. SuperValu says it was hacked twice this year.

There have been 579 data breaches this year, a 27.5 percent increase over
the same period last year, and they are only expected to become more common as
consumers become more dependent on Internet-connected devices, according to
the Identity Theft Research Center.

Recent research suggests that many consumers have become complacent about
these intrusions: Some 32 percent of consumers said they "ignored the
notifications and did nothing" when they were alerted to a possible data
breach involving their personal information, according to a study by the
Ponemon Institute, which studies information security. In the same study,
71 percent of respondents said they did not stop doing business with the
company that had been breached.

Their explanations help explain why some consumers may be reaching breach
fatigue: In many cases, those surveyed said they believed data breaches are
"unavoidable" and affect most companies. Still more said it was too hard to
find similar products from another company.

"I think we get upset. I think we get angry. And then we go back to what's
easy, convenient and we're used to," said Steven Weisman, a senior lecturer
at Bentley University and author of "Identity Theft Alert."

Joshua Cyr, a Web developer from Portsmouth, New Hampshire, was notified
last month that his credit card had been compromised during the Home Depot
intrusion. He was annoyed by the hassle of having to get a new card, but he
said it won't change his shopping habits much.

"I can use Home Depot again because they're probably going to be more
secure after the fact," Cyr said. "But there's also not a lot of options,"
he added, for buying similar goods.

Experts say some of the nonchalance about breaches may be because consumers
largely haven't been on the hook for fraudulent charges in these incidents.
Under federal law, consumers are not liable for unauthorized purchases made
with a stolen credit card number. They could be liable in some cases for
fraudulent debit card purchases, but many banks cover those anyway.

And some breached retailers, including Home Depot and Target, have offered
free credit monitoring services to customers who may have been affected by
the breaches.

"I don't think consumers really take it out on retailers like they had two
or three years ago," said Terry Redding, vice president of marketing at CFI
Group, a firm that provides customer feedback to the retail industry.

JPMorgan's breach, meanwhile, may not be spurring strong consumer backlash
because it doesn't involve especially sensitive personal information.
Details such as a customer's address and telephone number are readily
available from other sources.

Still, experts say consumers ignore notifications of possible breaches at
their own peril, as cybercriminals will likely continue to find holes in
retailers' security systems. And while a breach that affects only credit
card numbers can be fixed relatively easily by obtaining a new card, a
future theft could include bank account information or other sensitive data
that enables full-scale identity theft, which is much harder to thwart.

Home Depot may also be getting the benefit of the doubt thanks to its
strong financial bottom line. The company recently delivered an especially
solid second quarter, a marker of reassurance of the company's broader
health at a time when many retailers saw meager sales growth. By contrast,
Target was already struggling with lackluster sales when its systems were
compromised.

Home Depot said that in the wake of the breach its September sales remained
in line with its previous expectations. The company also said it expects
4.8 percent sales growth for fiscal 2014, unchanged from its forecast
before the discovery of the breach.

The attacks at both Home Depot and Target took place during each company's
most crucial seasons. For Home Depot, that's spring, when warm weather
typically heralds a pick-up in construction activity and home improvement
projects. The Target breach took place and was disclosed just before
Christmas, the busiest shopping period of the year. Still, Laura Kennedy,
senior analyst at consultancy Kantar Retail, said Home Depot may have
benefited from the breach being discovered and disclosed in September, a
period when shopping is not top-of-mind for consumers.

Some analysts said that customers may also have appreciated Home Depot's
relative swiftness in communicating with them about its breach. While
Target took about a week to notify customers of its cyberattack, Home Depot
announced that it was investigating a possible intrusion before the company
had even confirmed it occurred. (However, Home Depot's statement came after
information security blogger Brian Krebs had written a story about a
possible breach.)

"While the PR side of things was very much typical Home Depot:
straightforward, up-front," Kennedy said, "there's the bigger question of
why it took four to five months to discover that it was happening."

The next clear snapshot of just how much Home Depot has been affected by
the breach should come in November, when the company is slated to report
its third quarter earnings.

"[The breach] hurts; you don't want it to happen," said Efraim Levy, an
analyst with S&P Capital IQ. "But I think they can bounce back."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
