Every week it seems, another major U.S. retailer says it's been hacked. Today, Staples said it was investigating a potential credit-card breach. Two weeks earlier it was Kmart. Three weeks earlier it was Supervalu and Albertsons. A month ago it was Home Depot. The list is longer than the checkout line at Target, which was breached late last year.
What may not be apparent amid the deluge of bad news is who's not on the list. While scores of household names have fallen victim to hackers, some pillars of U.S. retail have managed to stay out of the headlines. So far.
At a time when it may seem like there are few safe places to shop, the threat may not be as out-of-control as it appears. According to data compiled by Bloomberg and a database of breaches maintained by the Privacy Rights Clearinghouse, eight of the ten biggest public U.S. retailers, when ranked by revenue, have not disclosed major consumer breaches this decade. And we're not counting those instances when a few hundred customers were affected or a crook accessed a customer's account using a password stolen from another site. People, let's not make it easy for them.
None of this is meant to minimize the risk. Hackers have stolen information on hundreds of millions of people. And there is an important caveat here: Just because a company hasn't announced a breach doesn't mean it hasn't been hacked. Large organizations have many points of ingress, and advanced attacks are difficult to detect. Just ask JPMorgan.
But what the list below does show is that, based on what we know through mandatory disclosures required for companies that have had credit-card and other consumer data stolen from them, the retail-hacking spree hasn't yet claimed some of the most prized targets. And no, we're not painting a big ol' target on the backs of these retailers that doesn't already exist.
"It's a positive message -- that figure does reflect the fact that major retailers are really taking to heart the risks of security breaches and incorporating best practices into their operations and effectively mitigating some of these risks," said Reece Hirsch, partner with the Morgan, Lewis & Bockius law firm, who co-leads the privacy and cyber-security practice. "No organization is immune, particularly from a sophisticated attack, but organizations that take breach-response and data security seriously do see real benefits from those efforts."
Here are the 10 biggest U.S. retailers and the ones that have reported major breaches (in blue). Of course, this list could all change tomorrow.