• by Sarah Mahoney , Staff Writer @mahoney_sarah, January 31, 2024

VF Corp., owner of the North Face and Vans, suffered a recent ransomware attack, exposing the personal data of 35.5 million customers. It’s just the latest, with cyberattacks, pfishing and malware sweeping some of the biggest names in retail. A new report from Apple says 2.6 billion records were leaked in 2021 and 2022. We asked Amber Boyes, an analyst at Gartner, to explain what these attacks do to brands.

Retail Insider: These breaches feel constant. And I remember going back to Target’s massive breach in 2013, hearing that they erode consumer trust and tarnish brands. Is that true? Target’s still here, and so are Home Depot and eBay. Consumers forgave them. As attacks becoming more common, are consumers just shrugging them off?

Amber Boyes: Our clients certainly aren’t. They are paying close attention to risks, and investing more in safety. But for consumers, breaches do seem ubiquitous. People see the headlines all the time. But I wouldn't say that means they are ho-hum about it. We track online data security in our omnibus data, and consumers still say they are very or extremely concerned about the security of their data. Just because they’re used to breaches doesn’t mean it doesn’t bother them. As far as eroding trust and reputational damage, it depends on the breach's severity and the data's sensitivity. It also depends on the nature of the organization. If a company has touted itself as a secure organization, such as a large bank, it will have more damage.

Retail Insider: Can you quantify reputational damage? Put another way, are any North Face customers saying, "That’s it! From now on, I’ll only shop at Patagonia!" Do people switch brands because of breaches?

Boyes: We don’t know. When companies can hold that kind of commercial impact close to the vest, they do. But even if there is no sign of brand switching, it is still a concern for the communications and brand leaders. They're doing a lot of scenario planning around this. And organizations are putting a lot of resources and time into preparing appropriate responses.

What’s frustrating is that often, as in the case of VF, for example, there’s just no information for consumers to respond to.

Retail Insider: So, companies should be more transparent?

Boyes: Often, they can’t. They don’t know. There's this weird period of ambiguity.

Retail Insider: What is the best messaging?

Boyes: It depends. There are regulations about notifying the Securities & Exchange Commission. Sometimes, breaches turn into full-blown operational issues. Last fall, a breach at MGM resulted in casinos shutting down and people posting all over social media.

The people we work with are trying to get the right sensing mechanisms in place to understand how things are escalating after an incident, what's generating more news coverage, and how things will be expected to grow from there.

It’s tricky. Often, the breach involves a third party, but it’s crucial for companies not to sound as if they are shifting blame. Comms teams need to build muscle so they are ready to work closely with IT, legal, and HR. That includes cyberattacks and the growing threat of malicious content using generative AI.

Retail Insider: Are there generational differences in those concerns?

Boyes: Yes. Boomers are the most worried, with 53% saying they are very or extremely concerned, and it declines with age to 45% for Gen Z.  But it is still a top 6 concern across the board.

Retail Insider: How should marketers and retailers address cybersecurity in their marketing? Are vague “your data is safe with us” messages effective at a moment when more people believe no data is ever safe?

Boyes: Companies have to center the message around what benefit they are delivering to their audience: "Here’s how we’re helping you achieve your goal."

Retail Insider: Apple is doing that well in its iPhone campaigns, which seem to enhance brand value. How is that working for others?

Boyes: In our recent reputation research, we studied “Safer with Google” ads, including the website for consumers. Google does a good job of better explaining the kind of information that customers typically underappreciate. It explains what it does for users, like blocking something like 25 billion spam pages, and how it encrypts user payments.

It also transfers some of the ownership of security issues to users, encouraging them to actively protect their data. It offers easy-to-use tools for keeping accounts private, safe, and secure, as well as security checkups. The company goes way past conventional storytelling, more than Apple, and stood out to us because those videos in the series went above and beyond.