Fine print, Protecting yourself, Research, regulation, industry reports, Shopping

Retailers receive brunt of data breach blame

Sienna Kossman

Target, Neiman Marcus, Michaels, Sally Beauty Supply, eBay and now P.F. Chang’s — the list of major retailers affected by data breaches in recent months keeps getting longer and as more consumers are affected by such incidents, everyone looks for someone (or something) to blame.

Two surveys — one of consumers, one of IT and IT security professionals — attempt to assign that blame: Consumers blame retailers. The IT pros say, “Sorry. My bad.”

Retailers receive brunt of data breach blame

A survey conducted by global business communications firm Brunswick Group found that many consumers blame retailers — nearly as much as they do the criminals behind the breaches. Of the 750 consumers polled nationwide, 61 percent blame retailers for data breaches far more than they blame card-issuing banks (34 percent). The only group blamed more than retailers? The criminals themselves, at 79 percent.

The fact that consumers blame retailers more than banks is remarkable when you consider that consumers generally hold retailers in high regard and generally despise banks, according to the 2013 Harris Poll Reputation Quotient Report, which annually assesses the U.S. public’s opinions of major industry sectors.

Despite overall respect for retailers, when it comes to data breaches, the public cuts them no slack. A whopping 94 percent of surveyed consumers are concerned about retail data breaches and a majority of those consumers feel retailers are not doing enough to protect their customers.

Survey respondents asked that significant steps be made to improve the security of the retailer payment systems. And, if a retailer’s payment system is found to be the point of access for a security breach, the retailer should be responsible for any resulting fraudulent charges, not the card issuer.

If things don’t improve, consumers are willing to change their retail shopping habits by using cash and online shopping. Some — 34 percent, according to the Brunswick poll — have stopped shopping at a retailer following a data breach.

So how do those responsible for data security feel about the current state of affairs?

A separate study conducted by the Ponemon Institute reveals that they may actually see some of the same faults in their organization’s systems that consumers do, placing a large portion of the blame on themselves and their organizations.

The Institute surveyed 1,082 information technology security practitioners in the United States, Europe, Middle East and Africa who handle security and incident response for their companies to better understand the current state of threat intelligence and how it can be improved.

There may be quite a bit to improve.

Eighty-six percent of respondents said detection of a cyberattack takes too long and approximately 35 percent of all such attacks are undetected.

The surveyed IT experts also reported that the pressure placed on them by their superiors for quick answers and resolution options in the wake of a breach may also play a role in lacking threat intelligence, according to the Ponemon report. In many cases, CEOs and boards of directors want answers well before they are available and this may open doors for predictions, errors or other general oversights by security professionals who need to report something.

That pressure coupled with lacking technical skills may compromise an IT security team’s ability to thoroughly protect a retailer’s system before and after a data breach.

Maybe consumers are right to be leery after all.

Join the Discussion

We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, we ask that you do not disclose confidential or personal information such as your bank account numbers, social security numbers, etc. Keep in mind that anything you post may be disclosed, published, transmitted or reused.

The editorial content on is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.