MIT Sloan Executive Education innovation@work Blog

What we’re learning from the Target data breach

Data breaches in the news over the past two months have affected millions of people; 110 million Target shoppers and 1.1 million Neiman Marcus customers. Retailer Michaels Stores is investigating a possible data breach. In addition, some Marriott Hotels, Holiday Inns, Sheratons, and other sites managed by White Lodging Hotels were also the target of cybercriminals. As these retailers, businesses, and industry experts brief Congress on the situation, consumers are learning more about the implications of cybercrime. The overall takeaway is that data breaches are common and will continue. In fact, as The Washington Post reported in Experts warn of coming wave of serious cybercrime,” “Only 11% of businesses have adopted industry-standard security measures … and that even these ‘best practices’ fall short of what’s needed to defeat aggressive hackers.”

Here are some of the shocking numbers around data breaches:

  • According to a study by the Ponemon Institute, cybercrime costs U.S. companies an average of $11.5 million in 2012, which was up 26% from 2010

  • Companies are learning of these breaches months after they begin

  • U.S. banks spent more than $153 million replacing 15.3 million debit and credit cards after the Target incident (read more)

Perhaps most alarming: in the case of Target, it was not just the credit card and debit card numbers that were stolen—the hackers also grabbed other data such as names, addresses, and telephone numbers. So, it’s not just our finances that are at risk, but much of our personal information.

Unfortunately, cybercriminals are way ahead of how businesses handle purchases, and how they guard against cybercrime. As Christopher Soghoian, principal technologist at the American Civil Liberties Union told The Washington Post, “Our decades-old payment system was not designed with cybersecurity in mind. Times have changed. Data breaches now occur on a weekly basis, the result of which is that consumers become victims of fraud and identity theft.”

Businesses, the government, and even consumers all play a role in fighting what is expected to be an increase in cybercrime. Credit card companies and retailers are moving up their timeframes for adopting the EMV technology in Europe, which embeds a chip in the card instead of the magnetic stripe; this chip creates a new code for each transaction. According to the New York Times, the “cases have reignited calls for federal legislation setting database security standards and consumer notification requirements.” And consumers are urged to be vigilant in checking their credit card statements.

“When studying this topic empirically,” says MIT Sloan Professor and digital security expert Catherine Tucker, “one thing that really struck me was the extent to which so many breaches were due to employee error. Indeed, it seemed that when companies relied too heavily on technologies like encryption to protect them, it led them to put less time into ensuring that their employees understood the appropriate measures to take to protect customers' data."

What’s the takeaway?  There’s a lot more retailers need to start doing to protect their consumers from cybercrime.

Catherine Tucker is an Associate Professor of Marketing at MIT Sloan and teaches in the MIT Sloan Executive Education programs, Driving Strategic Innovation Throughout the Value Chain, Platform Strategy: Building and Thriving in a Vibrant Economy, Strategic Marketing for the Technical Executive, Systematic Innovation of Products, Processes, and Services, and the Global Executive Academy.


Search innovation@work Blog

Subscribe to Blog by Email

Cutting-edge research and business insights presented by MIT Sloan faculty.

Interested in writing a guest post?