Among the things still unknown about the loss of customer data at Target, one of the most puzzling is Target’s Dec. 18 news release.
It came out well before dawn that Wednesday, the same day a well-regarded data security blogger posted that Target was investigating a potentially massive loss of data from customer debit and credit cards.
But Target didn’t say anything about that investigation in its release that morning. The company statement was pure marketing communications, in which it declared a great holiday season was underway. It included a quote from Gregg Steinhafel, Target’s chairman and CEO: “We are pleased with Target’s holiday performance, from guest experience and engagement to overall results both in-store and online.”
Whoever wrote that release and punched the send button probably didn’t know that millions of customer accounts had just been compromised.
Steinhafel certainly did.
We know this because it’s what he told the cable news channel CNBC. He got the call on the security breach three days earlier, on Sunday morning, Dec. 15.
Really? Target was investigating a huge security breach and its message to the public was that its CEO was pleased with how things were going? Isn’t a consumer-focused company like Target run by marketing executives who should know better?
On the Sunday morning when Steinhafel learned of the data breach, Target had a serious security gap, one that Steinhafel said was closed within hours. The following day, Target had a marketing problem, and it’s been a marketing problem ever since.
Decades of great marketing went into creating Target’s solid brand, but the heart of what makes a brand like Target really valuable is trust. That takes more than marketing. It takes being smart at the nuts-and-bolts of operations and fair in pricing. A long history of being both is why Target has its solid brand.
Then there’s transparency.
Since confirming news of the cyberattack, Target has been engaging the public to some degree. Depending on how you count them, there have been at least a half-dozen updates via statements along with e-mails to Target customers.
Target has repeatedly apologized. To its credit, the company granted a 10 percent discount for all merchandise for two days and has offered any Target customer who shopped in one of its U.S. stores a year of free credit monitoring and identity theft protection.
But in many ways, the company has been a half-beat slow from the start.
On Dec. 18, when reporters learned of the security blogger’s post and started calling Target for information, they were pushed off. Target had nothing to say. The next morning, four days after the CEO became aware that millions of consumers had data taken, the company finally issued a release about the data breach.
Target later explained the delay by saying the company wanted to be well prepared for the crush of inquiries. Still, that’s a long wait before you tell your customers that their cards may have been compromised.
A more fundamental problem is that people don’t trust e-mails and statements posted to websites as much as they trust people. And what’s been mostly absent in the early weeks of the crisis is a human face of the company.
No senior executive would be eager to meet with reporters or jump in front of a live TV camera after this kind of news breaks. In a fluid situation, there’s plenty of risk of later looking very wrong. Saying “I don’t know” over and over doesn’t exactly inspire confidence and trust, either.
That was needed, however, and not just once. It would have helped even if the message on Dec. 16 was simply, “We are sorry. I can assure you that we have plugged the leak. I’ll let you know more when we know more.”