Is this the beginning of an epidemic?
This story first appeared in the January 13, 2014 issue of WWD.
Retailers are on high alert following the cyber-security attacks at Neiman Marcus and Target affecting more than 100 million consumers.
Neiman Marcus Group Ltd. LLC and Target Corp. will have to pay dearly to restore customer confidence that it’s safe to shop their stores and Web sites, and to beef up information security — and so will the rest of the industry, whether they’ve been victims of information theft or not.
At the National Retail Federation annual convention Sunday, it was apparent that the cyber attacks at two of the country’s most prominent retailers are sending shivers through the industry. Store executives said they will act to protect themselves and shoppers from data theft and to reassure customers that it’s safe to shop with plastic, and said that the response will require, at least in the near term, increased investments in safer technology, protective measures and heightened communications with consumers.
Meanwhile, consultants and analysts said they wouldn’t be surprised if other retailers make disclosures on cyber attacks, similar to the ones announced by Neiman’s on Friday, and Target in mid-December.
Reports also were circulating over the weekend that three other prominent retailers have been the victims of similar attacks.
Adding to the urgency of the situation, a group of chief information officers convened at the NRF’s Big Show, being held at the Jacob K. Javits Convention Center in Manhattan through Wednesday, to grapple with mounting worries about protecting consumers’ information, one source at the convention said.
Brooks Brothers’ chairman and chief executive officer Claudio Del Vecchio is clearly concerned. “We’ve never had a breach,” he said. Still, the company has begun spending “a lot of money.… We’re relooking at this on a daily basis,” Del Vecchio said. “Unfortunately, today this has become an everyday agenda, a new way of life. This is very sophisticated criminal activity. The crime organizations behind this are very sophisticated. Shoppers won’t shop with us if they cannot use their credit cards.”
“I don’t think we know the extent of this situation yet,” said Marie Driscoll, an independent equity analyst at Driscoll Advisors. “There is worry that other retailers will have to make the same kind of announcements as Target and Neiman’s. My concern is how it will impact consumers and that they become reluctant to shop. In some cases, maybe they revert to spending with cash. Certainly it’s possible at Target, where consumers might have enough cash.” Neiman’s would be another story, considering its luxury prices.
“This also could have been a coordinated attack on more than one retailer,” suggested Adam Levin, cofounder of IdentityTheft911.com and Credit.com, noting that the breaches occurred when more people are out shopping and using their credit and debit cards.
He characterized retail information security systems as not as sophisticated as those of other industries. “Sometimes during the holidays, retailers let down some security to speed up transactions,” Levin said. “Encryption can slow down data processing at registers. The people who hack know when systems are likely to be overloaded.”
Beyond the serious cyber concerns, Craig Johnson, president of Customer Growth Partners, raised another question — whether retailers are being straight with consumers and acting fast enough to disclose security breaches in their information systems. “It’s apparent that management, if not top management, at each company knew about the problems for at least a week before publicly releasing or warning their customers,” Johnson said. He suggested management at Neiman’s “slow-walked the release of information to their customers, presumably not to lose Christmas sales. However, a delay of a couple days before public release may well have made sense so FBI and Secret Service could have tracked down the perps before they were tipped — but not five to 10 days.”
Target has already issued an apology and a 10 percent discount to customers, though Johnson thinks more should be done. “The best step is for Gregg Steinhafel [Target’s chairman, president and ceo] to get on the news and morning shows and do a Chris Christie full-fledged apology and explanation,” Johnson said. “Plus, Target needs to hire the nation’s leading data security experts, whether from IBM, Accenture, etc., and pay them a bundle, and have them reporting directly to Steinhafel.”
“The good news is our store checks so far this weekend showed wide awareness of the wider breach, but only modest sales attrition, only about 5 percent at Target, but a fear that a third shoe would drop.”
“Even though Target has gotten out in front of this, on the margin, this just isn’t good,” said Driscoll. “It makes Amazon look better because in its 20 years of e-commerce, I can’t recall anything of this magnitude. From what I understand, this breach at Neiman’s and Target is a function of the [credit card] swiping at store locations and how that information is transmitted from point of sale to the banks. It could make online at stores more attractive.”
Late Friday, after media reports started to surface, Neiman’s disclosed that it was hit by a credit card security breach, though the luxury retailer did not say how many customers had credit and personal information stolen. The disclosure came right on the heels of Target upping its estimate of how many of its customers had credit card and personal information stolen, to more than 100 million.
Neiman’s confirmed that it was informed by its merchant processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at its stores. The company also said it was taking steps to contain the situation and enhance information security. “We informed federal law enforcement agencies and are working actively with the U.S. Secret Service; the payment brands; our merchant processor; a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation,” Neiman’s said. “On Jan. 1, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security.
“The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.”
Target’s problem came to light before Christmas and consequently is believed to have reduced the level of holiday gift shopping at the chain during a critical business period. The Neiman’s situation could have less impact on the luxury chain’s business, considering the Christmas season has ended.
On Friday, the Target situation grew more serious.
As part of its ongoing forensic investigation into the data breach involving consumer credit and debit cards in its U.S. stores, Target said it has discovered that certain guest data separate from the credit card information was also stolen. The number of potentially affected consumers has grown from the 40 million who shopped at Target between Black Friday and Dec. 15 to more than 100 million. Target said many may have had their names, mailing addresses, e-mail addresses and/or phone numbers taken. Experts said not all impacted consumers are necessarily Target shoppers; the Minneapolis-based retailer might have purchased lists from other retailers to further its marketing efforts.
“The identity thieves got into what appears to be the Target database,” said IdentityTheft911.com’s Levin. “This is a whole different magnitude than what we were dealing with before. Once you get to names, addresses, e-mail addresses and phone numbers, it brings it into a much more dangerous zone.”
The payment card incident has taken a toll on Target’s business. Since Target announced the data theft on Dec. 19, sales have been weaker, the retailer said.
“We know it’s frustrating for our guests to know that this information was taken and we are truly sorry they are having to endure this,” said Steinhafel. He said Target is offering one year of free credit card protection and identity-theft monitoring services.
Target also updated its fourth-quarter outlook following the breach. In its U.S. segment, Target expects fourth-quarter 2013 adjusted earnings per share of $1.20 to $1.30, compared with prior guidance of $1.50 to $1.60. This outlook anticipates a fourth-quarter 2013 comp-store sales decline of about 2.5 percent, compared with prior guidance of approximately flat comp-store sales. Third-quarter EPS on a generally accepted accounting principles basis may include charges related to the breach. Prior to the Dec. 19 announcement, Target was experiencing stronger-than-expected fourth-quarter sales.
Target will close eight U.S. stores in May, in West Dundee, Ill.; Las Vegas; North Las Vegas; Duluth, Ga.; Memphis; Orange Park, Fla., and Middletown and Trotwood, Ohio. GAAP results are expected to include 5 cents to 10 cents of dilution related to the closings. Eligible employees will be offered similar positions at nearby Target locations.
The retailer said it expects 45 cents of dilution related to Target’s Canadian segment, compared with prior guidance of 22 cents to 32 cents of dilution, driven by the gross margin impact of efforts to clear excess inventory.
“Breaches are inevitable,” Levin said. “We overshare. Big data is everywhere. The more information that’s collected, the more vulnerable we really are.”
Even small retailers are vulnerable. “Eight or nine years ago, we were hacked into,” said Gary Peltz, ceo of Peltz Shoes, based in Clearwater, Fla., which has five stores from 9,000 to 15,000 square feet and an e-commerce site. “Twelve thousand credit card numbers were stolen.” He said the situation was remedied through the use of TrustWave.com, a company that helps businesses fight cyber crime, protect data and reduce security risk and conducts “penetration tests” to help determine if a system can be compromised. Peltz also utilizes IFrame technology, whereby customers are making transactions directly with banks, rather than through the retailer. “We don’t touch a single credit card or PIN number in any of our systems,” Peltz said.
“Across the board, U.S. credit card companies have not yet adopted the new technology of embedding chips in credit cards. That would make it more difficult to steal information,” said Robin Lewis of The Robin Report. “It’s very costly, but after these latest fiascoes, the costs might be worth it.”