boston.com Business your connection to The Boston Globe

Data thieves target retailers

With a scan of your index finger, some supermarkets memorize what kind of toilet paper or cereals you buy. They share that information with suppliers who offer coupons so you’ll purchase more of their products next time.

Other merchants collect your driver’s license number when you make a return. They share that information with a company that keeps track of your returns. If you have too many, the store may suspect you’re making fraudulent exchanges and ban you from bringing back merchandise.

Retailers have become huge repositories of personal data in recent years, assembling increasing amounts of information and sharing more of it with others. But in the quest for knowledge, some merchants, like TJX Cos., have become prime targets for thieves looking to pilfer sensitive information and have made their customers more vulnerable to fraud and identity theft. Indeed, some analysts believe that store databases are becoming an even more valuable target than merchandise.

“The more companies accumulate valuable information about customers, the bigger the prize becomes for people looking to access it,” said James Tenser, founder of retail consultancy VSN Strategies in Tucson. “It’s like a pot of gold at the end of a rainbow.”

About 75 percent of merchants collect specific details about their customers every time they make a purchase, according to a study by Retail Systems Alert Group, a Newton consulting firm. Forty percent share those transaction details with business partners, such as product manufacturers, up from just 12 percent in 2005.

Once retailers amass data, there are few rules — and no comprehensive federal laws — addressing how they should protect the information. A new standard set up last fall by credit-card companies requires merchants to encrypt data, among other practices. But a recent Visa survey found that only 31 percent of large retailers were in compliance.

Credit-card companies also don’t want retailers to keep customer financial data on file. Once sales transactions clear, typically within a few days, there’s no reason to store customer credit-card numbers. But Retail Systems estimates that about 70 percent of merchants keep customers’ personal data, such as payment information and sales transactions, on file longer than two years.

“Retailers are playing with fire. They are keeping mountains of customer-specific data because the technology to store and sift through data is so cheap now,” said Brian Kilcourse, chief executive of Retail Systems Alert Group. “But their security measures are pretty doggone naive.”

The theft at TJX, the Framingham company that runs more than 2,500 T.J. Maxx, Marshalls, and other stores, highlights how vulnerable customer data can be. The discounter revealed on Jan. 17 that a hacker had broken into its computer system, potentially stealing millions of customer credit- and debit-card numbers and driver’s license information dating as far back as 2003.

Thieves have used the card numbers to make fraudulent purchases around the world from Florida to Hong Kong. Banks have reissued hundreds of thousands of cards in what could become the biggest loss of consumer data.

“I feel very violated,” said customer Karen Ogden, of Cambridge, who canceled her credit and debit cards because of concerns over the TJX security breach. “It’s really alarming, especially since TJX is so insistent on collecting our information and then they don’t protect it.”

TJX has said that after the theft it hired General Dynamics Corp. and IBM Corp. to strengthen and secure the company’s computer systems. Asked whether TJX is reconsidering collecting data, such as driver’s license numbers, because it was targeted by hackers, company spokeswoman Sherry Lang said, “It’s a complex issue. Obviously, when something like this happens, it brings focus on this issue. We’re still looking at those kinds of things.”

Over the past few weeks, banks and customers have filed class action lawsuits against TJX for negligence, as politicians and consumer advocates have called for better protection of personal data. Retail Alert’s survey showed that 14 percent of merchants reported that they suffered a customer data security breach. Just last week, Club Monaco, owned by clothing giant Polo Ralph Lauren, said it was also investigating a possible security breach involving customer credit card numbers.

“We want to try and put a stop to this and make sure consumers don’t get further victimized and defrauded,” said Lauren Noether, chief of the New Hampshire Attorney General’s consumer protection and antitrust bureau, which is investigating the TJX incident.

For merchants, exhaustive information about customers can fuel effective marketing efforts and merchandise selection. Retailers can track customer purchases to help them better understand shopping habits and offer tailored promotions and other incentives to get consumers to spend more.

TJX, for example, rolled out a new TJX Visa card several years ago that offered 5 percent rewards for any purchases made at its stores, and 1 percent rewards for all other transactions. But the Visa card also allowed TJX to track purchases wherever people shopped with the credit card, not just in its stores.

Merchants are also using sophisticated technology to capture consumer data on the Internet and at cash registers, along with more simple methods of asking customers for phone numbers and zip codes when they check out.

Retailers such as Circuit City, Macy’s, and TJX use a company called Coremetrics to analyze shopping behavior on their websites, keeping track of what you buy and what items you abandon in the shopping cart. At a merchant’s request, Coremetrics can also collect or receive personally identifiable data, such as your email address. Customers won’t know that information is being collected unless they click through several privacy policies and read the fine print.

Loyalty programs have also helped retailers gather more data by offering discounts in exchange for personal information from their customers. “You can opt out, but pay higher prices,” said retail consultant Tenser. “Who wants to do that?”

Credit-card companies, meanwhile, are helping retailers assemble data and create loyalty and rewards programs. In 2005, Visa introduced the Visa Incentive Network, which is a master database of cardholder names, addresses, and data on individual spending habits to help merchants design direct mail campaigns — sending coupons and catalogues to targeted customers, according to Gwenn Bezard, research director at Boston research firm Aite Group.

At the end of 2006, more than 65 million Visa card accounts were part of the VIN program, an increase of 58 percent from 2005. A Visa spokeswoman said the company doesn’t disclose the number or identity of retailers in the network.

For some merchants, getting consumer data is the first priority and protecting it is an afterthought, according to retail consultant Tenser. One reason: penalties for failing to safeguard personal information are rare. After a hacker gained access to more than 1.4 million DSW customer credit- and debit-card and checking account information in 2005, the Federal Trade Commission, as part of a settlement, didn’t fine the company. Instead the commission merely required DSW to implement a comprehensive information security program and obtain audits by an independent third-party security professional.

Noether of the New Hampshire Attorney General’s office said companies can do more to protect data but that consumers need to be diligent too.

“Customers ought to be cautious and consider what they are gaining for giving that information, where the information is going and who else is going to have access to it,” Noether said. “It may not be worth what they’re getting in return.”

Jenn Abelson can be reached at abelson@globe.com.
