Target Breach Impact Survey July 2014 Prepared by Benchmarking & Survey Research.
Table of Contents Page Survey Methodology 3 Profile of Survey Participants 4 Impact of Target Breach 5 16 Reimbursement for Previous Breaches 17 21 2
Survey Methodology Between May and June 2014, the American Bankers Association surveyed its members to assess the Target Breach s impact on their card portfolios, bank operations, suppliers, and customers. The survey also collected information on the costs and fraud loss banks incurred as a result of the Target breach. This confidential survey was conducted online. Email communication was used to distribute the survey and follow up reminder notes. By the response cutoff date, 535 banks had participated in the survey. Approximately 75 percent of participating institutions had assets of less than $1 billion. Total cards represented by survey respondents portfolios amounted to 165 million debit cards and 140 million credit cards (as of 12/31/2013). 3
Profile of Survey Participants Number of Survey Participants = 535 $10B $50B 17 3% $50B or more 9 2% Distribution by Asset Size $1B $10B 110 20% Under $1B 399 75% 4
Impact of Target Breach 5
Percentage of Cards Involved in Target Breach (by asset size) Bank Asset Size: < $1 B $1B $10B $10B $50B $50B+ Debit 7.55% 8.23% 7.87% 9.32% Credit 3.68% 4.50% 3.73% 2.94% NOTE: Unless specified otherwise, the mean (average) statistics are reported in the remainder of this report. 6
Percentage of Cards Reissued (by asset size) Bank Asset Size: < $1 B $1B $10B $10B $50B $50B+ Debit 5.80% 6.71% 8.48% 8.59% Credit 3.45% 4.39% 3.50% 2.77% 7
Cards Involved in Target Breach and Cards Reissued (all respondents) On average, 8.12% of debit cards were involved in the Target breach; 8.08% of debit cards were reissued Credit Cards: 3.84% of cards were involved in the breach; 3.65% of cards were reissued % of cards involved in Target breach % of cards reissued 8.12% 8.08% 3.84% 3.65% Debit Credit 8
Percentage of Cards With Fraud Loss to Bank (by asset size) Bank Asset Size: < $1 B $1B $10B $10B $50B $50B+ 0.81% ($342)* Debit 0.08% ($339) 0.31% ($190) 0.11% ($285) 0.02% ($399) Credit 0.08% 0.07% ($653) ($655) 0.10% ($382) * Average loss per card with loss. 9
Percentage of Cards With Fraud Loss to Bank (all respondents) Average loss per debit card with loss: $331 Average loss per credit card with loss: $530 % of Cards With Fraud Loss to Bank 0.64% 0.05% Debit Credit 10
Average Reissue Cost* per Card (by asset size) $11.02 Bank Asset Size: < $1 B $1B $10B $10B $50B $50B+ $12.75 $6.45 $5.63 $3.23 $3.66 $2.70 $2.99 Debit Credit * Included are costs for mailing, card stock, and additional staff resources, etc. Because many respondents were unable to track additional staff time spent to respond to customer inquiries and to monitor and prevent fraud related to the Target breach, the reissue costs reported here are conservative, baseline figures. 11
Average Reissue Cost* per Card (all respondents) Reissue cost averaged $9.72 per debit card; $8.11 per credit card Survey respondents reported reissuing a combined 4.1 million debit cards and 2.7 million credit cards Average Reissue Costs per Card $9.72 $8.11 * Included are costs for mailing, card stock, and additional staff resources, etc. Because many respondents were unable to track additional staff time spent to respond to customer inquiries and to monitor and prevent fraud related to the Target breach, the reissue costs reported here are conservative, baseline figures. Debit Credit 12
Other Impacts Target Breach Had on Bank Operations, Suppliers, and Customers Impact on bank customers: Members stated that the Target breach caused a major inconvenience to cardholders, right amid the busy holiday shopping season. Many bank customers only have a debit card and no longer use checks, so it was a very significant inconvenience to them. Impact on bank operations: The breach caused a major disruption to employees daily duties at the bank. Sample respondent comments, from banks with <$1B in assets: Our Call Center was swamped for several weeks impacting our ability to provide normal servicing. The amount of research necessary to review customer transactions because customers who had shopped at Target wanted to see if they had unauthorized transactions was enormous. The misinformation spread by the news media was out of control. All many customers heard was call your bank and have your card replaced if you have shopped at Target. A very large number of customer conversations occurred even if the card was not compromised. Card issuers simply cannot prepare for an event like this Over 323 hours were spent by 32 employees to facilitate the responsibilities of administering the required procedures necessary to complete this debit card compromise response. This includes time spent by various departments such as executive, technical, customer service, and others who were removed from their normal job duties to complete this effort instead of performing their usual job a detriment to the bank and the communities we serve that cannot be easily quantified. Impact on suppliers: The breach resulted in longer turnaround time for card reissuance due to volume of requests. Card vendors were reportedly behind for weeks because of the vast number of cards they needed to produce. One bank experienced delay for replacement cards up to three months; delay for normal expired cards not involved in the breach up to two months. 13
Other Impacts Target Breach Had on Bank Operations, Suppliers, and Customers (continued) Impact on bank revenue: Members cited loss of spend on reissued portfolio and some accounts lost due to failure of customer to activate new card, reducing spend and revenue. Members also experienced loss of revenue due to legitimate point of sale declines related to heightened fraud strategies. Other costs to bank: In addition to the costs of reissuing cards, survey participants cited expenses for inbound and outbound phone calls, staff time spent on implementing heightened fraud strategies, fraud monitoring, claims processing, and responding to customer inquiries. Sample respondent comments, from banks with <$1B in assets: Phone calls [to cardholders] were placed within 24 hours of being notified by our processor of who was affected. Phone calls were completed by our contact center, branches, and back office areas. The branches spent approximately 35 hours making customer calls and handling customer complaints. Our contact center reported 40 hours in making calls and answering increased phone call volume. Marketing spent 25 hours drafting customer correspondence and scripts for calling customers. Our call center volume doubled and the cost per call was as high as the cost per card. We use a third party vendor that charges by the minute. The additional number of calls was similar to the number of cards compromised. Public news of the Target data breach broke at the same time Bank began receiving lists of potentially compromised cards from our processor. This news generated the largest customer reaction I have experienced to any event in my 22 years at this Bank. Bank phones rang, literally, non stop for the first few business days following the public announcement. Handling and responding to these calls consumed a majority of Bank resources during this time. Callers were alarmed and very concerned about the safety of their accounts and personal information. Many customers requested to have new debit cards issued to them even if their card had not been identified as potentially compromised in the data breach We are continuing to see an upward trend in fraud/losses. Most customers prefer the ease of debit cards, but with all the compromises it makes it harder to sell the product. Most people do not realize that it is NOT Target or any other businesses that has endured the losses of this compromise or any compromise or fraud losses, but rather their bank that issued them the card that suffers the loss and stands behind our customers! 14
How much fraud related to Target did your bank see prior to their formal Dec. 19 announcement of the breach? (by asset size) Percentage of Banks 14.4% 21.0% 5.9% 14.3% None/minimal 15.6% 70.0% 26.0% 53.0% 70.6% 23.5% 85.7% Experienced fraud loss/fraud attempts/ card disputes Unable to tell/did not track < $1 B $1B $10B $10B $50B $50B+ Bank Asset Size 15
How much fraud related to Target did your bank see prior to their formal Dec. 19 announcement of the breach? (all respondents) 1 in 5 respondents reported experiencing fraud related to Target prior to the company s formal announcement on Dec. 19 Unable to tell/did not track 15.5% Percentage of Banks Experienced fraud loss/fraud attempts/card disputes 21.1% None/minimal 63.4% 16
Reimbursement for Previous Breaches 17
Did your bank receive any reimbursement for previous breaches between 2009 and 2014? (by asset size) Percentage of Banks 48.6% 35.3% Yes No 74.9% 100.0% 51.4% 64.7% 25.1% < $1 B $1B $10B $10B $50B $50B+ Bank Asset Size 18
Did your bank receive any reimbursement for previous breaches between 2009 and 2014? (all respondents) Percentage of Banks Yes 33.1% No 66.9% 19
If Yes, please provide reimbursement received, as compared to your bank s total costs + fraud loss associated with those breaches (by asset size) Percentage of Banks 3.6% 1.8% 10.1% 15.8% 9.0% 13.6% 14.0% 27.3% 23.6% 17.5% 45.5% 49.1% 50.9% 18.2% 33.4% 50.0% 16.6% Reimbursement received as a percentage of total costs + fraud loss <1% 1% 5% 6% 10% 11% 50% More than 50% < $1 B $1B $10B $10B $50B $50B+ Bank Asset Size 20
If Yes, please provide reimbursement received, as compared to your bank s total costs + fraud loss associated with those breaches (all respondents) Percentage of Banks The majority (83.1%) reported a reimbursement rate of no more than 10 cents on the dollar, with 46.2% reporting less than 1 cent on the dollar 13.6% 3.3% Reimbursement received as a percentage of total costs + fraud loss <1% 14.1% 1% 5% 6% 10% 11% 50% 22.8% 46.2% More than 50% 21