But experts say consumers' growing concern that retailers are careless with their cards is eroding their trust. In fact, the idea that all stores are equally vulnerable means the thieves aren't just stealing data, they're also siphoning off stores' brand identity.
The latest breach involves Hannaford, with 1,500 stores throughout New England, as well as the Sweetbay chain in Florida. (Both are owned by Belgium's Delhaize Group SA.)
"These thefts zap trust," says Ken Banks, of KAB Consulting, a marketing and brand consultant in Seminole, Fla. "If people feel they can't trust a store with basic financial transactions, why should they trust it on anything? Sweetbay, for example, has been trying to establish itself a low-price alternative to Publix. But this may make shoppers think: 'Can I trust that their prices really are lower?' A data theft makes shoppers think a store isn't as buttoned-down as it needs to be, across the board."
Often, shoppers are right to think the worst of stores. "Retailers have not been doing their part," says Bruce E. Spitzer, a spokesperson for the Massachusetts Bankers Association, which sued TJX after its breach. "And that's causing a major reputation issue for banks," he says, since consumers often get angry at bank that issued the card, rather than the store that didn't guard transaction data carefully enough.
In some ways, he says, the situation is improving. When the MBA sued TJX last year, he says, only 40% of retailers were meeting adequate security standards. "By the time we settled that suit, that number had grown to 70%. More and more, retailers are thinking: 'There but for the grace of God go we,' and are willing to spend the money needed to upgrade their security systems."
And to be sure, retailers aren't the only ones with security issues. While TJX's breach remains the largest, there have also been massive thefts at banks (Citibank lost track of 30 million records in 2005), brokers (TD Ameritrade exposed 6.3 million people last September) and even government agencies. (A U.S. Department of Veteran Affairs laptop with 26.5 million veterans' Social Security numbers was stolen in 2006.)
In fact, the sheer volume increase in thefts may result in another problem--customers reacting to an increasing threat by letting their guard down. A risk, says Spitzer, is that as consumers become increasingly aware that banks, Visa and MasterCard will reimburse them for any fraudulent charges, they may be less vigilant. "Right now, it's just card theft, and it's important for consumers to know they don't have a lot to worry about. But if thieves get more information--Social Security numbers, account numbers, and passwords, it could be full-blown identity theft," he says.
So far, Hannaford has said it knows of about 1,800 cases of fraud stemming from the breach, and is warning its customers to be extra careful about reading bank statements.
Meanwhile, Banks says retailers need to be on guard for the way data thieves may be robbing them of customer loyalty. "To an extent, shoppers will be forgiving," he says. "They can see these breaches are happening everywhere, and they certainly aren't about to stop using credit and debit cards." But even as retailers work harder to define their stores for consumers, he adds, they need to recognize that data theft can undermine their brand positioning, making them look careless, clueless, or both.
It all speaks to the ongoing evaporation of consumer confidence, Spitzer says. "And while some retailers still continue with that 'Customer confidence be damned, and the banks will pick up the costs anyway' attitude, the effect of diminished consumer trust will hurt all of us."