As we noted in our last post “The Hidden Costs of a Data Breach,” one major data breach impact is lost revenue. Lost business can result from the reputational damage that occurs in the wake of a data breach. In our recent post, we referenced a Harris Poll survey commissioned by IBM back in 2018. That survey found that 75% of consumers refuse to buy products from companies they “don’t trust…to protect their data.” Many data breaches become public knowledge once higher-ups in the company have been notified – particularly when consumer data was compromised. Regardless of whether anonymous or personally identifiable consumer information was leaked, harm to a company’s brand, image and future revenue is highly likely. In this post, we consider the reputational consequences data breach incidents wreak. What happens to a company’s reputation after a data breach? We look back on three major customer data breaches and discuss how consumers reacted. Have the reputations of these companies since recovered? Read on to learn more.
Do Companies Really Lose Customers When a Data Breach Becomes Public Knowledge?
Companies can lose even their most loyal customers and suffer blows to their business reputation after a data breach puts consumer information at risk. When software company Ping Identity released their 2019 Consumer Survey, it provided a few stats about lost business post-breach. At the time, 63% of surveyed consumers felt that companies are “always responsible for protecting data” entrusted to them.
A greater percentage would refuse to work with a business in at least some capacity after learning that a data breach happened. According to Ping Identity, “81% would stop engaging with a brand online following a data breach.” In a press release published by BusinessWire, Ping Identity’s Richard Bird underscored the consequences of failing to secure data. Bird said that “‘there’s no question, businesses risk losing customers and damaging their brands if they lack strong, transparent data protection practices.’”
Another survey from secure payment solution PCI Pal produced similar results. The 2019 survey — summarized in a press release from BusinessWire — found that 83% of US consumers “will stop spending with a business for several months [after] a security breach.” 21% of American consumers say “they will never return to a business post-breach.”
How Much Does Lost Business Cost Companies After a Data Breach?
Lost business is just one of many data breach costs, but it represents a significant share of a company’s total expenditure. According to IBM’s Cost of a Data Breach Report 2022, lost business after a data breach cost companies an average of $1.42 million USD.
Interestingly, 2022 was the first year in the last six where lost business “wasn’t the largest share of data breach costs.” IBM’s report notes that “lost business costs decreased from USD 1.59 million in 2021, a decrease of 10.7%.”
Of course, an average $1.42 million is nothing to sneeze at. Consider the average total cost of a data breach globally. In 2022, this was $4.2 million USD. Based on the global average, $1.42M USD represents over a third of an organization’s entire expenditure during and after such an incident.
What Contributes to Brand Damage After a Data Breach?
Breaches of consumer data often impact brand reputation and consumer perception. According to this 2013 report from Forbes Insights, nearly half of all organizations that suffer data breaches also suffer damage to their corporate brand. The report found that 46% of organizations “experienced damage to their reputation and brand value” after a cybersecurity breach. The report identifies data loss as “the fourth most common threat to reputation.”
However, the impact of data breaches on brand reputation is not equal across the board. Some companies suffer greater, longer-lasting reputational damage than others. There are a lot of factors that determine whether a data breach will cause lasting damage to a company’s reputation.
We list three potential contributing factors below. First is the brand reputation and perceived duty to protect customer data before a security breach. The second major factor is the type of data that was compromised during a security breach. Third is the way in which that company addressed customer grievances after a security breach.
The Company’s Reputation and Perceived Duty to Protect Customer Data Before a Breach
The first contributing factor is a company’s prior reputation and perceived duty to protect customer data. A company with a reputation for excellent cybersecurity practices, for example, might face consumer backlash and threats to brand loyalty when it suffers a breach. Another company less renowned for its secure handling of customer data might not receive such harsh treatment.
Of course, a newly announced data breach might come on the heels of many previous breaches in the brand’s history. In that case, the company’s poor reputation for data security could cause even greater brand damage.
Similarly, companies operating in industries entrusted with the care of sensitive data might be held to higher standards. Failure to protect that data could cause consumers to lose faith in the brand irrevocably. Consumers might turn to another company in the same industry after learning about a lack of secure access control or another gap in data protection. Companies in industries that do not owe consumers a similar fiduciary duty might escape a breach with less damage to customer loyalty.
The Type of Data That Was Compromised During a Breach
Next, the type of consumer data compromised during a breach likely affects the intensity and endurance of brand damage and revenue loss. In their article “Customer Data: Designing for Transparency and Trust” for Harvard Business Review, Timothy Morey, Theodore “Theo” Forbath and Allison Schoop elaborate. Morey et al. write that “the value consumers place on their data rises as its sensitivity and breadth increase.”
Consumers might react more harshly against a company if their credit card information or medical records were lost or leaked during a breach. They might react less strongly against a company if their email addresses, phone numbers or what the HBR writers call “profiling data” were compromised.
Similarly, consumers might not be too concerned with the loss of basic self-reported data they released to the company. They might lash out against a brand if data they had no idea the company was collecting in the first place was compromised.
The Ways in Which a Company Addresses Grievances After a Breach
How customers assign blame also plays a major role in how much reputational damage the brand suffers after a data breach. In their 2019 paper “Strategic Marketing and Cybersecurity: The Case of Data Breaches” for Issues in Information Systems, George Kirk and Jose Noguera explain. They write that “market value impact [of a data breach] is moderated by a firm’s reputation and customer attributions [of] blame.” As such, how a company responds to a data breach could either protect or further damage its brand.
Kirk and Noguera suggest that many companies basically ignore customers whose data has been compromised, focusing instead on “legally protecting” themselves. They fuss over shareholders who could devalue the company by dumping stock rather than supporting customers, clients and/or consumers.
Failing to level with data breach victims and acknowledge how they were impacted by the breach can further damage a company’s brand. To effectively manage customer perception and boost consumer trust, a company must demonstrate more care for victims than for stock prices.
Experts argue that properly explaining the breach in timely public announcements is vital to protecting company reputation. This includes discussing how long hackers had access to customer data and explaining why it took so long to discover the breach occurred.
Here’s How Customers Reacted to Three Major Consumer Data Breaches
Equifax Data Breach
One of the largest data breaches in US history occurred in 2017, compromising the sensitive information of more than 140 million people. That data included everything from home addresses to Social Security numbers.
Five years after the Equifax breach became public knowledge, information about the case still pops up in media coverage — even on social media. After all, Equifax just reached a final settlement with the FTC — to the tune of $425 million USD — in February 2022.
This case is somewhat unusual compared to others on our list as Equifax bears a greater duty to protect consumer data than other companies. As we note in our post “The Hidden Costs of a Data Breach,” Equifax collects data relevant to consumer credit reports.
Consumers cannot actually prevent this type of data collection. Because consumers could not opt out, the FTC determined that Equifax bore a fiduciary duty to protect such data. Equifax was then held legally — and financially — liable for the 2017 breach.
As Edward Segal describes in a Forbes article published earlier this year, Equifax’s response to the breach left much to be desired. Shortly after Equifax announced the breach, multiple news outlets pointed to both the loss of sensitive data and loss of trust as major consequences.
To this point, Segal quotes USA Today’s Brian Tierney, who wrote about the breach back in 2017. Tierney said that “‘the breach of sensitive personal data may be impossible to repair…[but] the second breach of customers’ trust may prove just as difficult.’”
How Did the Company Respond?
Tierney’s statement was quite prescient. As Lily Hay Newman put it in a September 2017 article for Wired, “the Equifax breach…was bad [but] the response was almost worse.” Their approach to informing the public and compensating victims was piecemeal at best.
Newman notes that the company initially threw together a “slapdash” site through which consumers could learn if their information had been compromised. To do so, consumers had to enter the “last six digits of their Social Security number,” trusting the just-breached Equifax with sensitive data. Adding insult to injury, Equifax’s social media accounts posted phishing links multiple times mere weeks after the breach.
Equifax also came under fire for failing to inform the public about the initial data breach — and a second incident — in a timely manner. The company waited six weeks to report the first breach and months to report another breach. Between discovering the breach and announcing it to the public, Equifax informed shareholders.
Several higher-ups in the company then sold their stock before news of the breach hit airwaves. Of course, the company argued that those executives had no idea the breach had occurred when they offloaded stock. News of such behavior led to multiple investigations — both state and federal — into how Equifax directors handled the massive data breach.
How Did Consumers React?
Consumers initially reacted to Equifax’s announcement and subsequent response with confusion, anger and frustration. In a September 2017 article for CNBC, Sarah O’Brien wrote that the aforementioned website used to alert consumers “left some people scratching their heads.” Writing for Business Insider around the same time, Lydia Ramsey Pflanzer said “people were furious.”
As Tara Siegel Bernard writes in a 2020 article for The NYT, “consumers were outraged” after learning of the breach and watching Equifax respond. However, only a small share of the 147 million people impacted by the breach chose to join a class action suit against Equifax. According to Bernard, about “10 percent of the consumers affected had filed for some type of compensation” by the deadline to do so.
An article written by Ian Bogost for The Atlantic back in 2017 might explain why consumers moved on so quickly. Bogost noted that “consumer data breaches have become so frequent, the anger and worry once associated with them has turned to apathy.” Even though the public had a right to anger, confusion and frustration following Equifax’s announcement, “public shock was diluted by resignation.”
Though some consumers did throw up their hands, others remained vigilant. In an article for IAPP, Jedidiah Bracy, CIPP/E, CIPP/US writes that the Equifax breach “created a firestorm of media coverage.” It also impacted legislation, and has yet to be forgotten by many consumers.
How Do Consumers Feel Today?
Some sources suggest that Equifax was able to rehabilitate its damaged reputation following the data breaches that caused many consumers to lose trust. In a 2018 article for MarketWatch, David Lord noted that while the breach “elicited unprecedented uproar from the public,” many had already moved on.
Referencing a YouGov survey, Lord wrote that “public perception [of Equifax]” plummeted right after the breach. In fact, it “declined at a faster rate than that of any other company that had suffered such a breach in the recent past.” According to that survey, the public’s feelings towards Equifax actually impacted the rest of the credit reporting industry.
However, a little over one year after the breach was announced, Lord wrote that “public sentiment toward Equifax [was] slowly getting restored.” Data released by YouGov in 2018 showed consumer trust in Equifax was about equal to what it was before the breach.
Equifax might have recovered its good reputation in the years following these breaches. However, it suffered a fresh blow earlier this year. Andrew Ackerman and AnnaMaria Andriotis reported on this incident in an August 2022 article for The WSJ. According to The WSJ, Equifax “provided inaccurate credit scores on millions of U.S. consumers seeking loans during a three-week period.” Plus, the massive global settlement Equifax agreed to renewed media coverage of the 2017 breaches.
2013 Target Data Breach
Target is yet another larger company that suffered a post-data breach reputational hit. Before the Equifax breach, it was one of the largest consumer data breaches in US history. More than 40 million credit card details were compromised when hackers used stolen credentials to access sensitive data. As Kevin McCoy noted in a 2017 article for USA Today, the breach also “affected contact information for more than 60 million Target customers.” The company eventually settled for $18.5 million several years after announcing the breach.
How Did the Company Respond?
Target personnel in Minnesota first learned of a potential data breach in late November 2013. However, the company did not address the hack until approached by the Department of Justice. Shortly thereafter, the news broke and Target reached out to the millions of consumers whose data was compromised by the breach. Miloslava Plachkinova and Chris Maurer elaborate in an article published by the Journal of Information Systems Education. They write that Target CEO and President Gregg Steinhafel released a public statement on 18 December.
Steinhafel said that “‘Target’s first priority [was] preserving the trust of [its] guests.’” He proclaimed that Target had “‘moved swiftly to address this issue, so guests [could] shop with confidence.’” Steinhafel also explicitly outlined the extent of the breach, announced a security audit and explained how Target planned to collaborate with law enforcement. The Justice Department launched a formal investigation into the origins of Target’s data breach. Target continued to work closely with the federal government — both FBI and DOJ — in the months that followed.
Despite Bumps, Target’s Response Was Fairly Swift and Effective
There were a few bumps along the road, however. To assuage concerned customers, Target also offered “free credit monitoring” in a mass email. Unfortunately, this email was not sent solely to Target customers. Those who had not done business with the retail giant questioned how it had obtained their information. It would later come out that Target was not entirely upfront about the breadth of Target’s data breach.
Still, Target’s response to its massive data breach was fairly swift compared to the responses of other companies. It was also quite personal, which might have contributed to the relatively quick recovery of its overall reputation. As Jeffrey Roman wrote in a 2014 article for Data Breach Today, Target CEO Gregg Steinhafel resigned not long after the breach went public.
According to Roman, Steinhafel “‘held himself personally accountable and pledged that Target would emerge a better company.’” During hearings before the US Senate, Steinhafel admitted Target’s failure to protect consumer data and committed the company to better privacy practices.
How Did Consumers React?
Many consumers were frustrated and fearful after learning of Target’s holiday hack. Much of the frustration emerged after customers tried to figure out whether their account data had been compromised. In a January 2014 article for Reuters, Beth Pinsker noted that Target’s customer service was often unavailable. Furthermore, its “website [was] too convoluted to navigate for more information.” Some of the loyal customers Pinsker interviewed had since returned to Target but would pay only with cash — not card. Others refused to shop at Target after the breach.
As noted above, Target’s credit monitoring email gaffe reignited criticism of the company after initial anger over the breach had somewhat subsided. Consumer perception certainly suffered after Target’s data security breach — as did the company’s profits. Writing a postmortem of the data security breach for Slate earlier this year, Woodrow Hartzog and Daniel J. Solove elaborate. Hartzog and Solove write that Target experienced “the single largest decline of holiday transactions since it first began reporting the statistic.” After the 2013 data security breach, “Target sales plummeted…[and] the company’s profits for the holiday shopping period fell a whopping 46 percent.”
How Do Consumers Feel Today?
Target’s brand reputation has since recovered from the 2013 data breaches. Within a few months after the breach, customers regained faith in the brand. According to Dhanya Skariachan and Jim Finkle in a 2014 article for Reuters, shares were up mere months after their initial announcement. They wrote that “Target shares, which had fallen 11 percent since news of the breach…were up 6.8 percent” in the middle of February.
In their 2018 article “Teaching Case: Security Breach at Target” published in the Journal of Information Systems Education, Miloslava Plachkinova and Chris Maurer agree. Plachkinova and Maurer write that “the attack did impact the company.” However, “there are some key factors that had a positive impact on Target’s image.” Plachkinova and Maurer note that “even such a massive security flaw could be overlooked” by dedicated shoppers.
According to Plachkinova and Maurer, some customers actually “perceived Target as a victim of the attackers.” Many Target shoppers “sympathized with the company during the hard times it was experiencing.” Put simply, Target’s existing reputation amongst customers and “incident management [were] still successful as they were able to regain the customers’ trust.”
2013 and 2014 Yahoo! Data Breaches
Last on our list are the Yahoo! data breaches. These data breaches occurred between 2013 and 2014 but were not announced to the public until September and December 2016. While credit card data was not stolen, personal information like email addresses and security information like passwords were.
In a report for NPR, Alina Selyukh notes that “every user who had a Yahoo account in August 2013 was likely affected.” Yahoo! initially estimated that hackers stole “data associated with 1 billion user accounts.” Verizon’s 2017 announcement “escalates that number to 3 billion.”
Yahoo! never recovered from the damage to its brand reputation after waiting years to disclose these breaches. As alluded to above, its operating business was eventually purchased by Verizon Media. During sale negotiations, Yahoo! misrepresented its knowledge of the data breaches to Verizon.
Both consumers and government officials reacted strongly to Yahoo!’s handling of their data breaches. According to this article from The National Law Review, Yahoo! “became the first public company to be fined by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches.” In 2018, the SEC fined Yahoo! $35M USD. In addition to hefty fines, Yahoo! also agreed to a massive settlement totaling more than $117M USD.
Final Thoughts About the Reputational Damage of Data Breaches
Looking back on the Target, Equifax and Yahoo! hacks, this post examined how a company’s reputation fares after a major data breach. In doing so, we paid particular attention to the impact of a company’s response on consumer perception. The reputations of many large companies eventually recover from data breaches.
Some — like Yahoo! — never recover from reputational damage after a data breach occurs. As Yanfang Ye wrote in a 2016 article for The Conversation, the key to “recovering a corporate reputation…is early disclosure.” When Yahoo! and Equifax waited to disclose their data breaches, they “manifestly betrayed [their] users’ trust.”
It is important to note that while many larger companies do recover, small businesses struggle. They rarely have the financial resources to withstand significant swings in revenue and customer trust. According to this resource from the SEC, “half of small businesses that suffer a cyberattack go out of business within six months.”
While large corporations can often weather the storm brought to shore by a data breach, small businesses typically cannot. Still, early disclosure and taking personal responsibility for data breaches can go a long way towards protecting a company’s reputation.