The Target consumer data breach last year was costly for banks of all sizes—and especially for community banks—according to an ABA survey of 535 banks.
More than 8% of debit cards and nearly 4% of credit cards were implicated in the breach, and banks reissued nearly every card so implicated, representing tens of millions of cards reissued in response to the single breach.
The survey respondents alone reported reissuing a combined 4.1 million debit cards and 2.7 million credit cards; among these respondents, reissue cost averaged $9.72 per debit card and $8.11 per credit card.
Community banks experienced disproportionately higher costs in reissuing cards. Banks with less than $1 billion in assets spent just over $11 per debit card and $12.75 per credit card, including mailing, card production, and staff time. The largest banks—those with more than $50 billion—spent less than $3 per card.
“These costs are deeply troubling for all banks, especially for community banks,” says ABA President and CEO Frank Keating. “As each new retailer breach occurs, these costs will be repeated over and over. Enough is enough.”
Banks also bear the costs of retailer breaches through low reimbursement rates. Although the survey did not cover reimbursement specifically for the Target breach, only one third of banks reported receiving any reimbursement for fraud losses and reissue costs in the previous five years. Of those that did receive reimbursement, 83% said they received less than 10 cents on the dollar—and 46% reported receiving not even a penny on the dollar.
The breach caused a major, though less quantifiable, disruption to employees’ daily duties at the bank. Sample respondent comments from banks with less than $1 billion in assets include:
• “Our Call Center was swamped for several weeks impacting our ability to provide normal servicing. The amount of research necessary to review customer transactions because customers who had shopped at Target wanted to see if they had unauthorized transactions was enormous. The misinformation spread by the news media was out of control. All many customers heard was ‘call your bank and have your card replaced if you have shopped at Target.’ A very large number of customer conversations occurred even if the card was not compromised. Card issuers simply cannot prepare for an event like this.”
• “Over 323 hours were spent by 32 employees to facilitate the responsibilities of administering the required procedures necessary to complete this debit card compromise response. This includes time spent by various departments such as executive, technical, customer service, and others who were removed from their normal job duties to complete this effort instead of performing their usual job—a detriment to the bank and the communities we serve that cannot be easily quantified.”
Other costs also are noted in the survey, as represented by respondent comments:
• “Phone calls [to cardholders] were placed within 24 hours of being notified by our processor of who was affected. Phone calls were completed by our contact center, branches, and back office areas. The branches spent approximately 35 hours making customer calls and handling customer complaints. Our contact center reported 40 hours in making calls and answering increased phone call volume. Marketing spent 25 hours drafting customer correspondence and scripts for calling customers.”
• “Our call center volume doubled and the cost per call was as high as the cost per card. We use a third-party vendor that charges by the minute. The additional number of calls was similar to the number of cards compromised.”
• “Public news of the Target data breach broke at the same time bank began receiving lists of potentially compromised cards from our processor. This news generated the largest customer reaction I have experienced to any event in my 22 years at this bank. Bank phones rang, literally, non‐stop for the first few business days following the public announcement. Handling and responding to these calls consumed a majority of bank resources during this time. Callers were alarmed and very concerned about the safety of their accounts and personal information. Many customers requested to have new debit cards issued to them even if their card had not been identified as potentially compromised in the data breach.”
• “We are continuing to see an upward trend in fraud/losses. Most customers prefer the ease of debit cards, but with all the compromises it makes it harder to sell the product. Most people do not realize that it is NOT Target or any other businesses that has endured the losses of this compromise or any compromise or fraud losses, but rather their bank that issued them the card that suffers the loss and stands behind our customers!”
“We have engaged for the past year in discussions with the card associations on increasing bank reimbursement levels for data breach costs,” Keating says. “These findings make it clear that banks bear too much of the cost of retailers’ data breaches. We will continue to push to get these reimbursement levels up.”