It’s a toss-up as to which is worse: news that millions of Americans had their credit card numbers, email and postal addresses stolen over the holidays at Target and Neiman Marcus – or the revelation that Target and Neiman Marcus did not voluntarily, nor immediately, report the breach. By delaying confirmation of the hacking attacks, and only choosing to report them after word leaked, these stores put their shoppers at risk and violated the most important asset they had: customer trust.
Target failed to acknowledge its breach until a security blogger reported the news and investors and reporters started asking questions. Meanwhile, Neiman Marcus knew by January 1 that it had been hacked, yet sat on the news for nine days. It wasn’t until the same security blogger, who was tracking reports about a surge in fraudulent charges linked to Neiman, contacted the company that Neiman Marcus revealed its data breach.
Granted, Target and Neiman are themselves victims of the hackers. And, sadly, it seems that any business is vulnerable to these attacks. But by failing to notify customers of the data breach, Target and Neiman put their corporate interests ahead of the interests of their customers. And their customers are the true victims — the ones who are at risk of seeing their ATM accounts drained and credit cards maxed out.
The question that gets asked in any cover-up seems appropriate here: “What did [the retailers] know and when did they know it?” While it’s clear the retailers had a moral obligation to immediately inform their customers about the problem, it seems they may now have legal headaches too. Class action lawyers filed lawsuits on the heels of the news and, with all the concern about consumer protection, retailers might also incur the wrath of the recently created Consumer Protection Bureau. Whatever the legal problems turn into, they were surely made worse by sitting on the news.
And, in fact, sitting on news like this may be industry practice. Target, along with struggling J.C. Penney, has a history of not reporting security breaches. Both companies actually waited two years before admitting they’d been hacked in 2007.
While the ultimate financial losses incurred by the retailers and their customers are still unknown, it’s clear that they have damaged their reputations. Not only do customers no longer trust the retailers to keep their data secure – they can’t trust them to do the right thing if there is a problem. Perhaps we should just all start paying with cash.
What do you think? Should retailers be required to immediately disclose a hack? Comment below or send me a tweet at @Trish_Regan.