Research Insights: Secure Online Holiday Shopping

In “The State of Secure Online Holiday Shopping,” NTT Application Security reports that, in a study of 1,057 online shoppers over the age of 18, most will remain with a retailer after a data breach, even if the breach involved their own data. A full 94% said they understood the risks of shopping online, yet only 25% would change retailers after a breach. Findings:

False sense of security –

  • 58% felt their data was protected while shopping online
  • 57% felt secure storing their credit card data on a mobile app
  • 55% felt secure storing their credit card information in a digital wallet
  • 69% rely on their credit card provider to protect them from fraudulent charges

Already Taking Precautions –

  • 63% did not shop online when connected to public Wi-Fi
  • 76% make sure the web site they are shopping on uses a secure connection (https)
  • 51% use two-factor authentication
  • 73% never click on links when offered a deal through an advertisement, email, or social media promotion

Leaked personal info won’t deter shoppers –

  • 26% have already had their personal info stolen when shopping online
  • 50% admit to trusting a retailer despite the corporation having had a data breach of millions of customers’ data


Research Insights:

According to Saryu Nayyar, CEO, Gurucul (she/her):

“Too many online shoppers have a false faith in “security by obscurity.” Even when our data is compromised, we keep going back to the same retailers, because we don’t believe that our individual data will come back to bite us. That’s a bad assumption. If your data is compromised, you have the responsibility to monitor your credit card and identity activity and be prepared to take action if it looks like your information is being used. While we would prefer our vendors not compromising our data at all, it will happen sooner or later, and every single shopper has to be prepared to address those compromises.”


According to Doug Britton, CEO, Haystack Solutions:

“After a data breach, consumers are often faced with difficult challenges of understanding where the failure was, if it was negligent, and what the true impact of the data breach is. This survey provides interesting insights into how individuals appear to accept this risk and express understanding toward retailers. Retailers may be fortunate to receive this perspective, but they need to realize when data is provided to them it becomes their responsibility regardless of what happens. To this end, it is important to ensure they invest in strong cyber and infosec teams. This is a strong demonstration of attention to security. It is critical to find this talent regardless of the labor market. We have the technology to find them, we need to ensure we get them into the fight or risk losing this benevolent consumer perspective.”


According to Bill Lawrence, CISO, SecurityGate:

“Shoppers love convenience, and online shopping went through the roof with pandemic lock-downs. There are regular reports of data breaches at major corporations (see https:// for huge bouncing breach bubbles) but shoppers most likely won’t switch retailers after a breach. Many cite credit card and bank protections. It turns out that the stock market is similarly minded. An article in the Harvard Business Review titled, “Why Data Breaches Don’t Hurt Stock Prices” by Kvochko and Pant finds that, “overall, stock prices during and following the high-profile security data breaches for the in the past several years have decreased slightly or quickly recovered following the breach.” Yes, companies like Target (40MM+ customer credit card data and 70MM+ customer personal information lost in 2013) still had to spend hundreds of millions to clean up the mess, add security measures, and had to defend against multiple lawsuits. But the market and shoppers came back. For the holiday shopper this season, ensure your bank and credit card accounts are protected with two-factor authentication, don’t save credit card information on a store website, and regularly scan your financial statements for fraud or unapproved purchases. If you can’t live without the convenience of automatically filled-in forms to purchase that trinket, storing credit card information in a password manager or web browser is still better than storing it with a company online.  And don’t click links for amazing sales, giveaways, or prizes.”