Target Breach Lessons Learned: The Straw that (Maybe) Broke the Camel’s Back
January 9th, 2014
There is a routine that most fraud/risk executives should be following after any large loss or event that erodes customer confidence or even after a large implementation. As part of this routine, understanding what could have been done better underlines the direction of these actions so that history does not repeat itself.
What I noticed during the recent Target event was that some of the “lessons learned” from past data breaches were not applied to ensure the best possible customer experience. From what I’ve seen, banks can experience a 15-20% attrition rate from a fraud event; however, any attrition rate in the industry will have variances depending on how customers are treated in the after-care process. In my opinion, this is where a fraud event can turn into a loyalty-building opportunity – if managed well.
Here is the list of routine actions that reflect lessons learned from the recent Target data breach, as well as previous incidents, that should be applied in the event of a similar critical data breach:
1. Resist the “Sledge Hammer” Effect of Lowered Limits
Some banks lower limits for cash withdrawals and merchandise for all or many of their customers. While I applaud these banks for taking action, there is a better way. Ensuring you have the tools to segment the population at risk and channel this population to a watch list for scoring or rules is a much better approach. This way, the customers “at risk” are protected, and the remaining customers are not adversely and unnecessarily affected. Ensure your technology is updated to put this more focused strategy into place.
2. Prevent Customer Attrition through Education
I had several family members who suffered from both fraud and attempted fraud over the holidays; in one case, a family member closed his account. It seems that some customers have “gut reactions” to fraud events that can be damaging to your business, so it is critical that your customer-facing teams are trained and empowered to handle customer concerns. This training should be delivered not only as a one-time event, but also as part of ongoing fraud awareness education. In addition, an educated, aware, and well-equipped customer provides one of the most effective lines of defense.
3. Prepare for the Next Large Data Breach
All merchants and banks should have a crisis “game plan” in place to manage a large breach. It is not a matter of if, but of when, the next large breach will occur. Customers on the receiving end of a well-prepared organization appreciate this and expect to experience seamless aftercare as victims of fraud.
4. Protect Customers in All Channels: It’s Not Just About Cards
Often, after a large data breach event, one channel or product will get “all the attention,” resources, and investment. It is not just about card transactions per se; it is about protecting across channels and products.
If the Target data breach does not teach us anything else, it should teach us that having a comprehensive strategy to protect customers on all channels and all devices is critical — and possible with the right cross-channel crisis strategy in place.
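The focused approach from item 1, sketched as an added example that is not part of the original post: cards seen at the breached merchant during the exposure window go on a watch list, and only those cards get the lowered cash limit. The merchant name, dates, limits and function names are assumptions made up for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Txn:
    card: str
    merchant: str
    day: date
    kind: str       # "purchase" or "cash"
    amount: float

NORMAL_CASH_LIMIT = 500.0    # assumed everyday limit
LOWERED_CASH_LIMIT = 200.0   # assumed post-breach limit

def build_watch_list(history, merchant, start, end):
    """Cards used at the breached merchant inside the exposure window."""
    return {t.card for t in history
            if t.merchant == merchant and start <= t.day <= end}

def cash_limit(card, watch_list, focused=True):
    """Focused: lower the limit only for watch-listed cards.
    Blanket ("sledge hammer"): lower it for every card."""
    if not focused or card in watch_list:
        return LOWERED_CASH_LIMIT
    return NORMAL_CASH_LIMIT

def held_for_review(new_txns, watch_list, focused=True):
    """Cards whose cash withdrawal exceeds the limit that applies to them."""
    return sorted(t.card for t in new_txns
                  if t.kind == "cash"
                  and t.amount > cash_limit(t.card, watch_list, focused))

# Constructed sample data (not real transactions).
START, END = date(2024, 1, 10), date(2024, 1, 20)
HISTORY = [
    Txn("A", "MERCHANT_X", date(2024, 1, 12), "purchase", 80.0),
    Txn("B", "MERCHANT_X", date(2024, 1, 18), "purchase", 35.0),
    Txn("C", "MERCHANT_X", date(2024, 1, 25), "purchase", 60.0),  # after window
    Txn("D", "OTHER_SHOP", date(2024, 1, 12), "purchase", 20.0),
]
NEW = [Txn(c, "ATM", date(2024, 2, 1), "cash", 400.0) for c in "ABCD"]
NEW.append(Txn("A", "GROCER", date(2024, 2, 1), "purchase", 50.0))

WATCH = build_watch_list(HISTORY, "MERCHANT_X", START, END)

if __name__ == "__main__":
    print("watch list:", sorted(WATCH))
    print("focused holds:", held_for_review(NEW, WATCH, focused=True))
    print("blanket holds:", held_for_review(NEW, WATCH, focused=False))
```

With this sample, the blanket policy holds the withdrawals of all four cards, while the focused policy holds only the two exposed ones and leaves the other customers unaffected.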