And after JPMorgan said last Thursday that cybercriminals had obtained customer names, addresses, phone numbers and e-mail addresses for 76 million households, the company’s stock price has hardly budged.
The companies may be benefiting from what experts say is a potentially dangerous shift among consumers: data breach fatigue.
Shoppers, they say, have become numb to reports that their credit cards and other personal information have been compromised as incidents have piled up in the last year. Target suffered a major breach during last year’s holiday shopping frenzy. Restaurants P.F. Chang’s and Jimmy John’s have acknowledged hacks this year. So have Neiman Marcus, Michaels and Sally Beauty Supply. SuperValu says it was hacked twice this year.
There have been 579 data breaches this year, a 27.5 percent increase over the same period last year, and it is only expected to become more common as consumers become more dependent on Internet-connected devices, according to the Identity Theft Resource Center.
Recent research suggests that many consumers have become complacent about these intrusions: Some 32 percent of consumers said they “ignored the notifications and did nothing” when they were alerted to a possible data breach involving their personal information, according to a study by the Ponemon Institute, which studies information security. In the same study, 71 percent of respondents said they did not stop doing business with the company that had been breached.
Their explanations help explain why some consumers may be reaching breach fatigue: In many cases, those surveyed said they believed data breaches are “unavoidable” and affect most companies. Still more said it was too hard to find similar products from another company.
“I think we get upset. I think we get angry. And then we go back to what’s easy, convenient and we’re used to,” said Steven Weisman, a senior lecturer at Bentley University and author of “Identify Theft Alert.”
Joshua Cyr, a Web developer from Portsmouth, N.H., was notified last month that his credit card had been compromised during the Home Depot intrusion. He was annoyed by the hassle of having to get a new card, but he said it won’t change his shopping habits much.
“I can use Home Depot again because they’re probably going to be more secure after the fact,” Cyr said. “But there’s also not a lot of options,” he added, for buying similar goods.
Experts say some of the nonchalance about breaches may be because consumers largely haven’t been on the hook for fraudulent charges in these incidents. Under federal law, consumers are not liable for unauthorized purchases made with a stolen credit card number. They could be liable in some cases for fraudulent debit card purchases, but many banks cover those anyway.
And some breached retailers, including Home Depot and Target, have offered free credit monitoring services to customers who may have been affected by the breaches.
“I don’t think consumers really take it out on retailers like they had two or three years ago,” said Terry Redding, vice president of marketing at CFI Group, a firm that provides customer feedback to the retail industry.
JPMorgan’s breach, meanwhile, may not be spurring strong consumer backlash because it doesn’t involve especially sensitive personal information. Details such as a customer’s address and telephone number are readily available from other sources.
Still, experts say consumers ignore notifications of possible breaches at their own peril, as cybercriminals will likely continue to find holes in retailers’ security systems. And while a breach that affects only credit card numbers can be fixed relatively easily by obtaining a new card, a future theft could include bank account information or other sensitive data that enables full-scale identity theft, which is much harder to thwart.
Home Depot may also be getting the benefit of the doubt thanks to its strong financial bottom line. The company recently delivered an especially solid second quarter, a marker of reassurance of the company’s broader health at a time when many retailers saw meager sales growth. By contrast, Target was already struggling with lackluster sales when its systems were compromised.
Home Depot said that in the wake of the breach its September sales remained in line with its previous expectations. The company also said it expects 4.8 percent sales growth for fiscal 2014, unchanged from its forecast before the discovery of the breach.
The attacks at both Home Depot and Target took place during each company’s most crucial seasons. For Home Depot, that’s spring, when warm weather typically heralds a pick-up in construction activity and home improvement projects. The Target breach took place and was disclosed just before Christmas, the busiest shopping period of the year. Still, Laura Kennedy, senior analyst at consultancy Kantar Retail, said Home Depot may have benefited from the breach being discovered and disclosed in September, a period when shopping is not top-of-mind for consumers.
Some analysts said that customers may also have appreciated Home Depot’s relative swiftness in communicating with them about its breach. While Target took about a week to notify customers of its cyberattack, Home Depot announced that it was investigating a possible intrusion before the company had even confirmed it occurred. (However, Home Depot’s statement came after information security blogger Brian Krebs had written a story about a possible breach.)
“While the PR side of things was very much typical Home Depot: straightforward, up-front,” Kennedy said, “there’s the bigger question of why it took four to five months to discover that it was happening.”
Target’s breach undoubtedly created drag for the retail titan: Its sales stumbled immediately after the hack, and the company said it has cost them $146 million to date. But in August, chief financial officer John Mulligan said that the “vast majority” of Target shoppers who came to the store before the breach have since returned, a sign that the company is regaining consumers’ trust.
The next clear snapshot of just how much Home Depot has been affected by the breach should come in November, when the company is slated to report its third quarter earnings.
“[The breach] hurts; you don’t want it to happen,” said Efraim Levy, an analyst with S&P Capital IQ. “But I think they can bounce back.”
Correction: An earlier version of this post referred to the Identity Theft Resource Center as the Identity Theft Research Center.