Home Depot and JPMorgan Chase have revealed in recent weeks that each was hit by one of the largest security breaches the retail and banking industries have ever seen.
But Wall Street – and consumers – appear ready to shrug it off.
The home improvement retailer’s stock is up more than 14 percent this year and more than 2 percent since it confirmed a six-month breach of its payment system that affected some 53 million credit and debit cards. Home Depot says it expects its sales growth this year to be unaffected by the massive cyber intrusion.
And after JPMorgan said last Thursday that cybercriminals had obtained customer names, addresses, phone numbers and email addresses for 76 million households, the company’s stock price has hardly budged.
The companies may be benefiting from what experts say is a potentially dangerous shift among consumers: data breach fatigue.
Shoppers, they say, have become numb to reports that their credit cards and other personal information have been compromised as incidents have piled up in the last year. Target suffered a major breach during last year’s holiday shopping frenzy. Restaurants P.F. Chang’s and Jimmy John’s have acknowledged hacks this year. So have Neiman Marcus, Michaels and Sally Beauty Supply. SuperValu says it was hacked twice this year.
There have been 579 data breaches this year, a 27.5 percent increase over the same period last year, and it is only expected to become more common as consumers become more dependent on Internet-connected devices, according to the Identity Theft Research Center.
Recent research suggests that many consumers have become complacent about these intrusions: Some 32 percent of consumers said they “ignored the notifications and did nothing” when they were alerted to a possible data breach involving their personal information, according to a study by the Ponemon Institute, which studies information security. In the same study, 71 percent of respondents said they did not stop doing business with the company that had been breached.
Their explanations help explain why some consumers may be reaching breach fatigue: In many cases, those surveyed said they believed data breaches are “unavoidable” and affect most companies. Still more said it was too hard to find similar products from another company.
“I think we get upset. I think we get angry. And then we go back to what’s easy, convenient and we’re used to,” said Steven Weisman, a senior lecturer at Bentley University and author of “Identify Theft Alert.”
Joshua Cyr, a Web developer from Portsmouth, New Hampshire, was notified last month that his credit card had been compromised during the Home Depot intrusion. He was annoyed by the hassle of having to get a new card, but he said it won’t change his shopping habits much.
“I can use Home Depot again because they’re probably going to be more secure after the fact,” Cyr said. “But there’s also not a lot of options,” he added, for buying similar goods.
Experts say some of the nonchalance about breaches may be because consumers largely haven’t been on the hook for fraudulent charges in these incidents. Under federal law, consumers are not liable for unauthorized purchases made with a stolen credit card number. They could be liable in some cases for fraudulent debit card purchases, but many banks cover those anyway.
And some breached retailers, including Home Depot and Target, have offered free credit monitoring services to customers who may have been affected by the breaches.
“I don’t think consumers really take it out on retailers like they had two or three years ago,” said Terry Redding, vice president of marketing at CFI Group, a firm that provides customer feedback to the retail industry.
JPMorgan’s breach, meanwhile, may not be spurring strong consumer backlash because it doesn’t involve especially sensitive personal information. Details such as a customer’s address and telephone number are readily available from other sources.
Still, experts say consumers ignore notifications of possible breaches at their own peril, as cybercriminals will likely continue to find holes in retailers’ security systems. And while a breach that affects only credit card numbers can be fixed relatively easily by obtaining a new card, a future theft could include bank account information or other sensitive data that enables full-scale identity theft, which is much harder to thwart.
Home Depot may also be getting the benefit of the doubt thanks to its strong financial bottom line. The company recently delivered an especially solid second quarter, a marker of reassurance of the company’s broader health at a time when many retailers saw meager sales growth.