Target Announces a “We’ve Been Breached” Christmas Sale
Written by Evan Schuman
Data breaches can happen to anyone, so I have no desire to give Target a hard time for having been successfully attacked by cyberthieves. But when a retailer tries to take a situation where it was unable to protect its customer information and turn it into a means of getting those victims to give it more money, that’s pushing it.
And push it is precisely what Target CEO Gregg Steinhafel did Friday (Dec. 20) when he announced a special Data Breach Sale where he encouraged people to come back to Target, spend more money and give up more payment and he’d offer 10 percent off on Dec. 21 and Dec. 22. In other words, he’s offering to do exactly what Target would typically do near the end of a critical holiday sales period.
If this is indeed apology money, why not make it a clean refund to impacted shoppers, which Target said is at least 40 million people? Instead of a refund, he is asking people to pay a mere 90 percent of the sticker price. Is this discount just for those 40 million victims? No, it’s offered to everyone anywhere. What is the CEO’s stated rationale for offering the discount universally? He said it was in the “spirit” of “we’re in this together.”
Yeah, I’m sure that those 40 million potential fraud victims feel like they’re in this with non-Target shoppers and the non-impacted Target.com shoppers and especially Target shoppers who just happened to not buy from the stores on the days the thieves were siphoning the data.
Note to Target: When you screw up and fail to protect tens of millions of your customers, trying to use that screwup as an upsell opportunity is not going to make customers trust you more.
A few other unsolicited tips for handling the breach aftermath:
If it’s indeed been both identified and eliminated, why not get specific? No need to go chapter and verse on every keystroke used, but a healthy heaping of details would go a long way to convincing people that you’ve truly plugged the hole. The bad guys certainly already know and, if you’ve truly plugged the hole, there’s no security risk with telling others. Hold back a few details if you must, but by saying “We’ve figured it all out and our system is now fine. Just fine. Nothing to see here. Just go back to giving us your money,” you’re really giving people a lot of reason to be even more suspicious.
Rant: Having “no indication” of any PIN impact is certainly different from saying “We are now convinced that the thieves did not access any PINs.” No indication simply means they don’t know yet. So, no, having “no indication” yet does not mean that the debit cards referenced still have that additional layer of protection. And having “no indication” yet also does not mean that “someone cannot visit an ATM with a fraudulent card and withdraw cash.” It’s not known yet.
The point is that precision in these statements is critical if you’re trying to rebuild trust.
That’s a fine and appreciated clarification. Where, I wonder, would people have gotten the false impression that the 3-digit code visible on the back of payment cards had been taken? That bit of incorrect data was in the original statement that Target put out Thursday. Someone wrote in parentheses in the Target statement that CVV meant the three digits on the back of the card. It was up for several hours before it was magically edited to remove the parenthetical statement.
These statements are rushed out and an error like that happens. But to then, the very next day, stress that something was not taken without admitting that Target itself had said it the prior day, that takes guts.