Fears of further personal information exposure following cyberattack would prevent some consumers from shopping at breached retailer: study

Fears of further exposure of personal information following a cyberattack would prevent 33% of consumers from shopping at a breached retailer for at least three months, according to a recent survey from KPMG LLP, the audit, tax and advisory firm.

Consumers are wary of the increased frequency of cyberattacks against retailers and many are ready to walk away from their favourite retailers if a breach occurs, KPMG said in a press release on Tuesday. According to the 2016 Consumer Loss Barometer, 19% of respondents said that they would stop shopping at a retailer that had been a victim of a cybersecurity hack, even if the company took the necessary steps to remediate the issue.

The report is based on two separate surveys, one for businesses and another for consumers. Authored by KPMG and fielded by Forbes Insights, the survey was completed by 403 senior cybersecurity executives residing in the United States. Industries evenly represented included financial services, automotive, retail and technology.

In addition to those who would abandon the retailer entirely, 33% of the consumers polled indicated that fears of further exposure of their personal information would prevent them from shopping at a breached retailer for at least three months. When asked which factors most likely contribute to a customer not returning – or delaying a return – to the store, consumers surveyed cited a lack of a solid plan to prevent further attacks as a top factor.

For the banking/financial services industry, the survey asked respondents: “If your personal accounts were hacked, what would lead you to close your accounts and move to a new institution?” Thirty-seven per cent of respondents said the bank’s refusal to cover losses, 30% said a lack of timely acknowledgement/response (providing details of the incident and impact on customers), 24% said lack of a solid plan to prevent future attacks, 22% said learning about the incident via the media before being informed by the bank, and 48% said all of the above. When asked who is to blame if personal accounts are hacked for those who use mobile banking, 55% of respondents overall said the institution bears most of the risk.

The study also asked if a connected vehicle was hacked how would that change a user’s perception of the automaker. Thirty-seven per cent said it would have a “huge negative impact,” 42% said a moderate negative impact, 6% said a negative impact (but they would still be loyal to that automaker) and 15% said no impact. As well, 23% said that they are now “extremely concerned” that their car would be hacked, while 26% said somewhat concerned. Looking ahead to the next five years, 31% said that they are extremely concerned about their car being hacked, while 39% cited being somewhat concerned.

In conjunction with the consumer survey, KPMG conducted a survey of 100 retail senior cybersecurity executives distributed evenly between chief information officer (25%), chief information security officer (25%), chief security officer (25%) and chief technology officer (25%). Despite consumer concerns, the survey suggests that the issue is not as top of mind with retail executives as it should be. Fifty-five per cent say that they haven’t invested capital funds in cybersecurity protection in the past 12 months – placing the industry third out of the four industries featured in the report. Additionally, 42% stated that their company does not have a leader who is responsible for information security – again placing the industry third out of the four industries in the report.

“Make no mistake, there is a lot at stake here for retailers,” said Mark Larson, KPMG’s national line of business leader for consumer markets and global and U.S. sector leader for retail. “Consumers are clearly demanding that their information be protected and they’re going to let their wallets do the talking. Retailers that don’t make cyber security a strategic imperative are taking a big gamble.”

Tony Buffomante, principal and retail cyber security leader for KPMG, added in the release that “quite frankly, many retailers are not doing enough to protect their businesses from cyberattacks or react to them when they occur and the effects of their inaction will end up harming them in the long run. If retailers pay more attention to the issue of cybersecurity and are more transparent with their customers on their awareness, it could serve as a key business differentiator.”