Security breaches at major retailers including Target and Neiman Marcus, in which thieves stole payment card information from millions of customers, could erode consumer confidence and have costly and lasting effects for those companies, local retail experts said.
Target Corp. last week disclosed that the massive data theft was significantly more extensive and affected millions more shoppers than the company reported in December.
On Saturday, luxury retailer Neiman Marcus confirmed that hackers stole credit and debit card information from up to 1 million customers and made unauthorized charges over the 2013 holiday season.
It is unclear if Target customers saw unauthorized charges as a result of the breach.
“This is going to affect those retailers, especially Target, in a very negative way,” said Serdar Durmusoglu, a University of Dayton associate professor of marketing.
Area shoppers said they would continue to shop at Target, although personal and payment card information for up to 110 million customers was stolen in a pre-Christmas data breach. Minneapolis-based Target, the nation’s second-largest discount retailer, has 1,792 stores in the U.S.
“I’m not really too worried,” said Ann Mort of Middletown. “I’ve been to Target since then and used a credit card.”
Credit and debit card information from 40 million Target customers was taken during the breach that happened from Nov. 27 to Dec. 15. An internal investigation revealed that names, mailing addresses, phone numbers or email addresses for up to 70 million Target customers also may be at risk. Some overlap exists between the two groups, officials said.
Target officials said the breach was caused by malicious software, known as “malware,” that was installed on point-of-sale registers at its U.S. stores.
“It looks like something was clearly lacking in their software, that they weren’t able to detect this,” Durmusoglu said.
Beyond personal and payment card information, Target could have access to customers’ medical information through its pharmacies, and driver’s license data through liquor sales, he said.
Retailers use information systems to manage customer relationships, but databases containing lucrative consumer data are attractive targets for hackers and identity thieves, experts said.
According to the Privacy Rights Clearinghouse, more than 662 million records have been involved in data security breaches since 2005.
In 2007, more than 90 million records were stolen from TJX Cos. Inc., the parent company of T.J. Maxx and Marshalls. The incident cost the retail chain a reported $256 million.
“It took them some years to recover from it, not only with respect to customer trust, but with respect to paying for some of those credit cards being misused,” Durmusoglu said.
Consumers are protected against data breaches by federal and state law.
The Ohio Attorney General’s Office has enforcement authority over the state’s Security Breach Notification Act and violations under the Consumer Sales Practices Act.
“There is no relevant public legal action to discuss,” said Kate Hanson, a spokeswoman for the AG’s office.
The AG’s office also offers tips and assistance to Ohioans who suspect they have been victims of data breaches.
“Consumers should be vigilant in reviewing their credit card statements for mysterious or unfamiliar charges. If they find suspicious charges, they should contact their bank or credit card provider,” Hanson said.
JPMorgan Chase Bank last month temporarily limited 2 million potentially affected customers’ use of debit cards and Chase Liquid cards at ATMs and for purchases until new cards could be reissued, said Emily Smith, a Chase spokeswoman.
“We continue to monitor our customers’ accounts with sophisticated tools,” Smith said. “We encourage our customers to monitor their accounts and contact us if they see any transactions they don’t recognize. Electronic Benefit Transfer recipients should contact their agency and local authorities.”
Less than 10 percent of Chase’s customers were affected by the Target breach, she said.
The U.S. lacks strong federal laws regarding data breaches, leaving it for states to address, said Thaddeus Hoffmeister, a UD professor of law. “Some states, like California, have pretty good laws; other states, not so much,” he said.
Hoffmeister said Congress should establish national standards for reporting data breaches, as well as tougher penalties for companies whose information is accessed improperly.
Target has apologized and advised customers “they will have zero liability for the cost of any fraudulent charges arising from the breach.”
The company also said customers will have until April 30 to sign up for one year of free credit monitoring and identity theft protection for all guests who shopped in Target stores in the U.S.
Mort said customers received $5 gift cards last week at the Middletown Target. “I think they’re doing everything they can to keep their customers happy,” she said.
Retailers such as Target use store credit cards that offer discounts to build customer loyalty. However, consumers may refuse such cards in the future for fear that they aren’t secure, especially if they are tied to the customer’s bank account, Durmusoglu said.
Credit card companies including Visa, MasterCard, American Express and Discover reportedly plan to transition from magnetic strip payment cards to secure chipped Smart Card technology by October 2015. The Smart Cards are used in about 80 countries and contain an encrypted microchip, experts said.
Existing payment methods such as personal checks and cash also have their drawbacks, Durmusoglu said.
Checks typically contain personal information, including a name, mailing address and bank account number. Carrying cash isn’t convenient, “and depending on what kind of a neighborhood we’re talking about, it also may not be the safest way to go,” he said.