Most Minnesotans haven’t changed their shopping habits at Target since its massive data breach in December, according to a new Star Tribune Minnesota Poll.
The poll found that 82 percent of respondents are visiting the Minneapolis-based retailer as often as they did before data thieves successfully infiltrated Target’s information systems and obtained shoppers’ personal information and millions of card numbers.
Eleven percent of Minnesotans said they are upset enough about the theft of consumer data that they will shop less often at Target; another 5 percent say they won’t be going back at all.
Brian Yarbrough, a consumer analyst at Edward Jones & Co, said the loss of some shoppers shouldn’t be that surprising for Target. But the fact that a large majority of those polled said they won’t change their shopping habits is a “pretty good” number for the retailer, he said.
“I have always said 5 to 10 percent will never shop there again,” Yarbrough said.
Since the data breach was revealed, Target has seen a drag on sales. Comparable-store sales were up nearly 1 percent until the data theft was revealed, Yarbrough said, then sales sharply reversed.
Target has been quiet about the impact on its business over the past several weeks, except for a Jan. 10 financial update that showed sales were beginning to improve.
“By late spring, end of summer, you’ll be back to more normal business trends,” Yarbrough said.
The Star Tribune interviewed 800 Minnesota adults by phone Feb. 10 to Feb. 12. The poll has a margin of sampling error of 3.5 percentage points, plus or minus.
Outreach and delay divide, too
Asked how satisfied they are with Target’s outreach to customers, which included a company apology, a brief store discount and free credit monitoring, about half the poll respondents said they were “somewhat satisfied,” 25 percent said they were very satisfied and 15 percent said they were not satisfied.
A total of 46 percent of those polled accepted the company’s position that it waited four days to announce the cyberattack because it wanted to make sure its data system was secure again and it was equipped to handle customer questions.
Meanwhile, 42 percent said the retailer was too slow, and 12 percent were unsure.
Cynthia Olson, 64, of Duluth said she shopped at Target during the breach but paid cash and hasn’t experienced any problems. The breach won’t have any effect on her Target shopping.
Still, she thinks Target should have more quickly spread the news.
“I just thought that immediately without question they should have disclosed it so people could take the proper measures to protect themselves,” Olson said.
Sue Uppole, 61, of Blaine said she used to go to Target once or twice a month, mainly for the low prices on groceries and dog food. She will shop there less now, she said, though she hasn’t seen any fraud on her Target Redcard debit card or the other debit card she uses.
“It’s not that I’m mad,” Uppole said. “It’s more trust than anything.”
Target explains the wait
Target has faced intense criticism for the cyberattack and its handling of the matter, and the theft is expected to cost it hundreds of millions of dollars, only some of which will be covered by insurance.
Target has said it first heard about a possible breach from the U.S. Justice Department on Dec. 12 and that it confirmed the attack and eliminated all known malware on Dec. 15. But the company did not publicly disclose the breach until Dec. 19, the morning after a data security blogger revealed it.
The company has said it was moving as quickly as possible to give customers accurate information, while hiring an independent forensics investigator and working with law enforcement.
“As soon as we identified and removed the malware from our system on 12/15, we immediately began the process of notifying the relevant financial institutions,” spokeswoman Molly Snyder said in an e-mail. “Each state has their own notification requirements and we were working around the clock to ensure we could reach the greatest numbers of U.S. guests in a way that would provide them with information, be clear about what happened, provide resources and next steps.”
Snyder said Target knew it needed to prepare for “a massive increase in volume of calls.”
The attack began after thieves stole network credentials from a heating and refrigeration contractor in Pennsylvania and used them to infiltrate Target’s computer networks, inserting malware on the point-of-sale systems at cash registers in more than 1,700 U.S. stores.
Attackers ultimately made off with two sets of data: the payment card information of about 40 million customers and personal information, such as phone numbers and e-mail addresses, of 70 million customers.
Costly to banks, credit unions
Considered one of the country’s largest recorded data breaches, the heist remains the subject of several investigations.
The breach forced banks and credit unions across the country to reissue millions of debit and credit cards, an expensive endeavor estimated to have cost them more than $200 million to date. So far they’ve replaced about half of the 40 million cards affected, the Consumer Bankers Association and the Credit Union National Association said Tuesday.
How much of that effort is being driven by actual fraud on cards, or the desire to be proactive and head off potential fraud, isn’t clear. The full extent of what crooks have done with the information will not be known for some time.