Most retailer breaches are not disclosed, Gartner says

Most retailers do not disclose data breaches after they happen, Gartner says.

While nearly half of U.S. retailers have been hit with some kind of information security attack, only a small percentage of them have actually reported breaches to their customers, research company Gartner reports.

In a new study based on interviews with 50 U.S. retailers, Gartner found that 21 of them were certain they had had a data breach. However, just three of the retailers had disclosed the incident to the public.

The small number of retailers in the survey makes it impossible to draw any firm conclusions from the data, but it does underscore a noteworthy trend, said Gartner analyst Avivah Litan. "Sensitive data is being stolen and most of the time it's not being disclosed," she said. "There are a lot more breaches than we hear about."

Many states now have laws that require that consumers be notified when their personal information is compromised, but the bad publicity that results from such disclosures has made retailers reluctant to make them, she said. "They see what happens to companies like TJX and Hannaford and they don't want to call attention to themselves unless they need to."

Litan didn't know whether the retailers had broken state laws by not informing their customers of the breaches, but she said it was a possibility. Some of the breaches may have happened before applicable state laws were in effect.

In 2006, data thieves were able to get access to an estimated 94 million payment card numbers by hacking TJX's computer systems. The retailer has set aside a US$107 million reserve fund to cover lawsuits from credit card issuers that stem from the breach. At the Hannaford Bros. supermarket chain, criminals stole an estimated 4.2 million account numbers after computers there were hacked. That breach was disclosed in March.

Gartner counted phishing attacks and data compromises at third parties as breaches, along with lost or stolen laptops, insider breaches and computer hacking attacks.

Litan said four of the retailers had been fined by credit card companies for not meeting Payment Card Industry (PCI) compliance requirements. Another 11 were threatened with fines for noncompliance.

Data breaches at retailers are the top cause of credit and debit card theft, accounting for about 20 percent of all incidents, Gartner said.

And this type of crime is not going away. Credit card companies predict that payment card fraud rates will double over the next two years, the research company said.


Robert McMillan

IDG News Service