Neiman Marcus Group Ltd. LLC and Target Corp. will have to pay dearly to restore customer confidence that it’s safe to shop their stores and Web sites, and to beef up information security — and so will the rest of the industry, whether they’ve been victims of information theft or not.
At the National Retail Federation annual convention Sunday, it was apparent that the cyber attacks at two of the country’s most prominent retailers are sending shivers through the industry. Store executives said they will act to protect themselves and shoppers from data theft and to reassure customers that it’s safe to shop with plastic, and said that the response will require, at least in the near term, increased investments in safer technology, protective measures and heightened communications with consumers.
Meanwhile, consultants and analysts said they wouldn’t be surprised if other retailers make disclosures on cyber attacks, similar to the ones announced by Neiman’s on Friday, and Target in mid-December.
Reports also were circulating over the weekend that three other prominent retailers have been the victims of similar attacks.
Adding to the urgency of the situation, a group of chief information officers convened at the NRF’s Big Show, being held at the Jacob K. Javits Convention Center in Manhattan through Wednesday, to grapple with mounting worries about protecting consumers’ information, one source at the convention said.
Brooks Brothers’ chairman and chief executive officer Claudio Del Vecchio is clearly concerned. “We’ve never had a breech,” he said. Still, the company has begun spending “a lot of money.…We’re relooking at this on a daily basis,” Del Vecchio said. “Unfortunately, today this has become an everyday agenda, a new way of life. This is very sophisticated criminal activity. The crime organizations behind this are very sophisticated. Shoppers won’t shop with us if they cannot use their credit cards.”
“I don’t think we know the extent of this situation yet,” said Marie Driscoll, an independent equity analyst at Driscoll Advisors. “There is worry that other retailers will have to make the same kind of announcements as Target and Neiman’s. My concern is how it will impact consumers and that they become reluctant to shop. In some cases, maybe they revert to spending with cash. Certainly it’s possibly at Target, where consumers might have enough cash.” Neiman’s would be another story, considering its luxury prices.
“This also could have been a coordinated attack on more than one retailer,” suggested Adam Levin, cofounder of IdentityTheft911.com and Credit.com, noting that the breeches occurred when more people are out shopping and using their credit and debit cards.
He characterized retail information security systems as not as sophisticated as those of other industries. “Sometimes during the holidays, retailers let down some security to speed up transactions,” Levin said. “Encryption can slow down data processing at registers. The people who hack know when systems are likely to be overloaded.”
Beyond the serious cyber concerns, Craig Johnson, president of Customer Growth Partners, raised another question — whether retailers are being straight with consumers and acting fast enough to disclose security breaches in their information systems. “It’s apparent that management, if not top management, at each company knew about the problems for at least a week before publicly releasing or warning their customers,” Johnson said. He suggested management at Neiman’s “slow-walked the release of information to their customers, presumably not to lose Christmas sales. However, a delay of a couple days before public release may well have made sense so FBI and Secret Service could have tracked down the perps before they were tipped — but not five to 10 days.”
Target has already issued an apology and a 10 percent discount to customers, though Johnson thinks more should be done. “The best step is for Gregg Steinhafel [Target’s chairman, president and ceo] to get on the news and morning shows and do a Chris Christie full-fledged apology and explanation,” Johnson said. “Plus, Target needs to hire the nation’s leading data security experts, whether from IBM, Accenture, etc., and pay them a bundle, and have them reporting directly to Steinhafel.”
“The good news is our store checks so far this weekend showed wide awareness of the wider breach, but only modest sales attrition, only about 5 percent at Target, but a fear that a third shoe would drop.”
“Even though Target has gotten out in front of this, on the margin, this just isn’t good,” said Driscoll. “It makes Amazon look better because in its 20 years of e-commerce, I can’t recall anything of this magnitude. From what I understand, this breech at Neiman’s and Target is a function of the [credit card] swiping at store locations and how that information is transmitted from point of sale to the banks. It could make online at stores more attractive.”
Late Friday, after media reports started to surface, Neiman’s disclosed that it was hit by a credit card security breach, though the luxury retailer did not say how many customers had credit and personal information stolen. The disclosure came right on the heels of Target upping its estimate of how many of its customers had credit card and personal information stolen, to more than 100 million.
Neiman’s confirmed that it was informed by its merchant processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at its stores. The company also said it was taking steps to contain the situation and enhance information security. “We informed federal law enforcement agencies and are working actively with the U.S. Secret Service; the payment brands; our merchant processor; a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation,” Neiman’s said. “On Jan. 1, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security.
“The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.”
Target’s problem came to light before Christmas and consequently is believed to have reduced the level of holiday gift shopping at the chain during a critical business period. The Neiman’s situation could have less impact on the luxury chain’s business, considering the Christmas season has ended.
On Friday, the Target situation grew more serious.
As part of its ongoing forensic investigation into the data breach involving consumer credit and debit cards in its U.S. stores, Target said it has discovered that certain guest data separate from the credit card information was also stolen. The number of potentially affected consumers has grown from the 40 million who shopped at Target between Black Friday and Dec. 15. to more than 100 million. Target said many may have had their names, mailing addresses, e-mail addresses and/or phone numbers taken. Experts said not all impacted consumers are necessarily Target shoppers; the Minneapolis-based retailer might have purchased lists from other retailers to further its marketing efforts.
“The identity thieves got into what appears to be the Target database,” said IdentityTheft911.com’s Levin. “This is a whole different magnitude than what we were dealing with before. Once you get to names, addresses, e-mail addresses and phone numbers, it brings it into a much more dangerous zone.”
The payment card incident has taken a toll on Target’s business. Since Target announced the data theft on Dec. 19, sales have been weaker, the retailer said.
“We know it’s frustrating for our guests to know that this information was taken and we are truly sorry they are having to endure this,” said Steinhafel. He said Target is offering one year of free credit card protection and identity-theft monitoring services.
Target also updated its fourth-quarter outlook following the breach. In its U.S. segment, Target expects fourth-quarter 2013 adjusted earnings per share of $1.20 to $1.30, compared with prior guidance of $1.50 to $1.60. This outlook anticipates a fourth-quarter 2013 comp-store sales decline of about 2.5 percent, compared with prior guidance of approximately flat comp-store sales. Third-quarter EPS on a generally accepted accounting principles basis may include charges related to the breach. Prior to the Dec. 19 announcement, Target was experiencing stronger-than-expected fourth-quarter sales.
Target will close eight U.S. stores in May, in West Dundee, Ill.; Las Vegas; North Las Vegas; Duluth, Ga.; Memphis; Orange Park, Fla., and Middletown and Trotwood, Ohio. GAAP results are expected to include 5 cents to 10 cents of dilution related to the closings. Eligible employees will be offered similar positions at nearby Target locations.
The retailer said it expects 45 cents of dilution related to Target’s Canadian segment, compared with prior guidance of 22 cents to 32 cents of dilution, driven by the gross margin impact of efforts to clear excess inventory.
“Breaches are inevitable,” Levin said. “We overshare. Big data is everywhere. The more information that’s collected, the more vulnerable we really are.”
Even small retailers are vulnerable. “Eight or nine years ago, we were hacked into,” said Gary Peltz, ceo of Peltz Shoes, based in Clearwater, Fla., which has five stores from 9,000 to 15,000 square feet and an e-commerce site. “Twelve thousand credit card numbers were stolen.” He said the situation was remedied through the use of TrustWave.com, a company that helps businesses fight cyber crime, protect data and reduce security risk and conducts “penetration tests” to help determine if a system can be compromised. Peltz also utilizes IFrame technology, whereby customers are making transactions directly with banks, rather than through the retailer. “We don’t touch a single credit card or PIN number in any of our systems,” Peltz said.
“Across the board, U.S. credit card companies have not yet adopted the new technology of embedding chips in credit cards. That would make it more difficult to steal information,” said Robin Lewis of the The Robin Report. “It’s very costly, but after these latest fiascoes, the costs might be worth it.”
EXCLUSIVE: @tomford is opening its first-ever beauty store. The boutique, which opens November 20 in London’s Covent Gardens, was designed with the over-the-top glam Ford is known for. Read the full story on WWD.com, link in bio. #wwdbeauty #wwdnews (📷: Simon Wagner) #TomFordBeauty
New York-based DJ @harleyvnewton threw a party to celebrate the holiday collection of her dress and pajama line @hvn at the Ladurée Beverly Hills. It Girls @katebosworth, @rashidajones and more joined in on the fun, which included cocktails, croque monsieur sandwiches and a photo booth. #wwdfashion (📷: Owen Kolasinski/BFA.com)
For the holidays, @Burberry partnered with 20-year-old artist @blondeymccoy on a series of three outdoor murals in downtown Manhattan. The murals are McCoy’s interpretation of a Christmas eve party, the idea of charity and the spirit of family. His third mural, pictured here, is the most personal. The image depicts McCoy’s grandparents and father in London’s Trafalgar Square in the Seventies. “My work often features lots of sentimental objects.” #wwdeye
For spring 2018, designers applied bold colors and cartoonish motifs on everything from sneakers and belts to key chains. See all the top men’s accessories trends on WWD.com. #wwdtrends (📷: George Chinsee; Prop Styling by @rnasti; Market Editor: @luiscampuzano)
The @dior-sponsored @guggenheim international gala pre-party has a history of drawing cool-girl musical acts to serenade the crowd –– and last night was no exception. @haimtheband performed songs both new and old, and lured a star-studded audience with the likes of Rebecca Hall, Kate Mara, Mamoudou Athie and more. #wwdeye (📷: @lexieblacklock)
In a partnership between the @metopera and the @englishnationalopera, “Marnie” was born. The opera, with costumes sponsored by @mrporterlive, is an adaptation of the 1961 thriller by Winston Graham. Arianne Phillips, who created the costumes, is no rookie: She’s styled Madonna for her tours and created costumes for a myriad of films in the past. Read WWD’s interview with Phillips, where she talks about her inspiration for the opera’s costumes on WWD.com #wwdfashion
@barneysnyc took a different approach to their holiday windows this year. Instead of Christmas decor, Barneys tapped @thehaasbrothers to tell a story of positivity, gratitude and inclusivity via heartwarming silliness and humor. “It’s about kids and it’s about coming together and being family and loving each other,” said Simon Haas. #wwdfashion (📷: @joshuascottphoto)
Beauty influencer @kandeejohnson makes her foray into hair care with a collaboration with @ogx_beauty — making it the first time that OGX has teamed up for a product creation. The collab includes shampoos and conditioners in three scents. At 39 and a mom, Johnson is a different profile than the emerging social media stars, but is considered one of the pioneers of the digital beauty influencer world. Read WWD’s interview with her on wwd.com, including the strangest beauty product she’s ever tried #wwdbeauty