Most retailers do not disclose data breaches after they happen, Gartner says.
While nearly half of US retailers have been hit with some kind of information security attack, only a small percentage of them have actually reported breaches to their customers, research company Gartner reports.
In a new study based on interviews with 50 US retailers, Gartner found that 21 of them were certain they had had a data breach. However, just three of the retailers had disclosed the incident to the public.
The small number of retailers in the survey make it impossible to draw any firm conclusions from the data, but it does underscore a noteworthy trend, said Gartner analyst Avivah Litan. "Sensitive data is being stolen and most of the time it's not being disclosed," she said. "There are a lot more breaches than we hear about."
Many US states now have laws that require that consumers be notified when their personal information is compromised, but the bad publicity that results from such disclosures has made retailers reluctant to make them, she said. "They see what happens to companies like TJX and Hannaford and they don't want to call attention to themselves unless they need to."
Litan didn't know whether the retailers had broken state laws by not informing their customers of the breaches, but she said it was a possibility. Some of the breaches may have happened before applicable state laws were in effect.
In 2006, data thieves were able to get access to an estimated 94 million payment card numbers by hacking TJX's computer systems. The retailer has set aside a $107m reserve fund to cover lawsuits from credit card issuers that stem from the breach. At the Hannaford Bros supermarket chain, criminals stole an estimated 4.2 million account numbers after computers there were hacked. That breach was disclosed in March.
Gartner counted phishing attacks and data compromises at third parties as breaches, along with lost or stolen laptops, insider breaches and computer hacking attacks.
Litan said four of the retailers had been fined by credit card companies for not meeting Payment Card Industry (PCI) compliance requirements. Another 11 were threatened with fines for noncompliance.
Data breaches at retailers are the top cause of credit and debit card theft, accounting for about 20 percent of all incidents, Gartner said.
And this type of crime is not going away. Credit card companies predict that payment card fraud rates will double over the next two years, the research company said.