Target Announces a “We’ve Been Breached” Christmas Sale

Written by Evan Schuman
December 21st, 2013
Data breaches can happen to anyone, so I have no desire to give Target a hard time for having been successfully attacked by cyberthieves. But when a retailer tries to take a situation where it was unable to protect its customer information and turn it into a means of getting those victims to give it more money, that's pushing it.

And push it is precisely what Target CEO Gregg Steinhafel did Friday (Dec. 20) when he announced a special Data Breach Sale: he encouraged people to come back to Target, spend more money and give up more payment data, and in return he'd offer 10 percent off on Dec. 21 and Dec. 22. In other words, he's offering to do exactly what Target would typically do near the end of a critical holiday sales period.

If this is indeed apology money, why not make it a clean refund to impacted shoppers, which Target said is at least 40 million people? Instead of a refund, he is asking people to pay a mere 90 percent of the sticker price. Is this discount just for those 40 million victims? No, it's offered to everyone anywhere. What is the CEO's stated rationale for offering the discount universally? He said it was in the "spirit" of "we're in this together."

Yeah, I'm sure that those 40 million potential fraud victims feel like they're in this with non-Target shoppers and the non-impacted shoppers and especially Target shoppers who just happened to not buy from the stores on the days the thieves were siphoning the data.

Note to Target: When you screw up and fail to protect tens of millions of your customers, trying to use that screwup as an upsell opportunity is not going to make customers trust you more.

A few other unsolicited tips for handling the breach aftermath:

  • Target, when you announce "the issue has been identified and eliminated" and then offer zero details to back up either claim, you're pretty much saying "Trust me." That's exactly what those 40 million did when they used their payment cards in your stores, so you'll forgive them if they're hesitant right now to do it again.

    If it's indeed been both identified and eliminated, why not get specific? No need to go chapter and verse on every keystroke used, but a healthy heaping of details would go a long way to convincing people that you've truly plugged the hole. The bad guys certainly already know and, if you've truly plugged the hole, there's no security risk with telling others. Hold back a few details if you must, but by saying "We've figured it all out and our system is now fine. Just fine. Nothing to see here. Just go back to giving us your money," you're really giving people a lot of reason to be even more suspicious.

  • Target announced that it would be sending E-mails to impacted shoppers this weekend. But Target marketing never misses an opportunity to leverage a disaster. The statement said it would contact "those guests whose E-mails we have," which is a subtle plea for more shoppers to give you their E-mail addresses. Subtle, but nice try, guys.

  • "At this time, there is no indication that there has been any impact to PIN numbers. What this means is their bank PIN debit card or Target debit card still has this additional layer of protection. It also means that someone cannot visit an ATM with a fraudulent card and withdraw cash." This raises a rant, above and beyond the fact that saying "PIN numbers" is repetitive and that Target should know better.

    Rant: Having "no indication" of any PIN impact is certainly different from saying "We are now convinced that the thieves did not access any PINs." No indication simply means they don't know yet. So, no, having "no indication" yet does not mean that the debit cards referenced still have that additional layer of protection. And having "no indication" yet also does not mean that "someone cannot visit an ATM with a fraudulent card and withdraw cash." It's not known yet.

    The point is that precision in these statements is critical if you're trying to rebuild trust.

  • The CVV claim is truly a textbook example of chutzpa. Friday's statement said "The CVV data that may have been impacted was data in the magnetic strip and NOT the three or four-digit code visible on the card that guests use that would allow someone to make an online purchase." (In the statement, Target put "not" in all upper-case.)

    That's a fine and appreciated clarification. Where, I wonder, would people have gotten the false impression that the 3-digit code visible on the back of payment cards had been taken? That bit of incorrect data was in the original statement that Target put out Thursday. Someone wrote in parentheses in the Target statement that CVV meant the three digits on the back of the card. It was up for several hours before it was magically edited to remove the parenthetical statement.

    These statements are rushed out, and an error like that happens. But to then, the very next day, stress that something was not taken without admitting that Target itself had said it the prior day, that takes guts.