Target Corp. tried Friday to head off the continuing crisis over its giant data breach and customer service struggles with a CEO apology and a discount.
The nation’s No. 2 discount retailer said shoppers in Target’s U.S. stores will get the same 10 percent discount that employees normally receive this Saturday and Sunday. The company also is offering one year of free credit monitoring for the 40 million customers whose credit or debit card information was exposed during one of the largest known U.S. data breaches.
“We take this crime seriously,” CEO Gregg Steinhafel said in a statement. “It was a crime against Target, our team members, and most importantly, our guests.”
Steinhafel’s apology for the theft and ensuing communications breakdown came as worried customers continued to overwhelm the Minneapolis-based retailer’s phone systems and the portion of its website dedicated to its Redcard operations. Meanwhile, some financial service executives expressed their own frustrations with how Target is handling the mess.
“Our guests’ trust is our top priority at Target and we are committed to making this right,” Steinhafel said. “We want our guests to understand that just because they shopped at Target during the impacted time frame, it doesn’t mean they are victims of fraud.”
He reiterated that cardholders won’t be held financially responsible for any fraud within their accounts.
Target was still working Friday to meet the “unprecedented” call volume and said it has quadrupled the capacity of its online Redcard account management site. It has also begun notifying shoppers who bought merchandise in its U.S. stores between Nov. 27 and Dec. 15, the period of the breach.
It’s not clear how far the company’s gestures will go to quell the rising anger over the security breach, which remains under investigation by the Secret Service and Target’s own team.
Target shopper Ted Benjamin said the discount offer felt hollow. Benjamin, a retired grocery store worker in Elk Grove, Calif., said he’s tried in vain for two days to get through to someone to close his Redcard debit card. He couldn’t do it online, or at a store, he said.
“I don’t need a 10 percent discount,” he said. “What I need is to protect myself from thousands of dollars that could be fraudulently claimed. It’s Christmas. That’s all they’re trying to do is keep the business up.”
Akshay Rao, marketing professor at the U’s Carlson School of Management, also felt that Target’s moves didn’t hit the mark. “I think those are weak signals,” Rao said. “Ten percent off is a promotion to get you to come into the store and buy stuff.”
A more appropriate response would have been to tell people the company would pay them double whatever money might be taken from their accounts as the result of fraud, he said.
As Target battles to keep customers’ goodwill, the stolen credit and debit card information has apparently been actively trading on the underground market.
“[Accounts] have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card,” security expert Brian Krebs wrote Friday on his blog, KrebsOnSecurity.com.
Krebs, who was the first to reveal the data breach on Wednesday, said the cards pose a heightened challenge for banks because they included locations and ZIP codes. That information allows people buying the hacked card numbers to make counterfeit cards and use them only in the states where the cards were issued, thus averting systems that help banks detect unusual activity.
Daniel Ingevaldson, chief technology officer at Easy Solutions Inc., an antifraud company in Miami that works with banks, said he was monitoring international black market forums online that cater to stolen cards. He noticed a “huge spike” in card volume around Dec. 11, and later found out it was linked to Target. The crooks peddling the cards on the underground forums were “having a party” as a result of the breach, he said.
“They were quoting how much money they were making … $10,000 a day.”
The market value of the data stolen from Target has been diminished now that word is out about the cyberattack. “There’s a half life on these,” Ingevaldson said.
Nonetheless, the theft will certainly be costly for card-issuing banks and credit unions, since cards cost $4-$5 a piece to replace.
“Target makes this big mistake, this big hole on 40 million accounts, and a whole bunch of this cost falls on the banks,” said Bill Cooper, chairman and CEO of Wayzata-based TCF Financial Corp. “We’re working with Target, not very successfully, on what cards were compromised.”
Kelly McDonough, CEO of First Alliance Credit Union in Rochester, said the credit union hasn’t detected any fraud related to the Target breach, but is being proactive and ordering new cards for all its members who could be affected. Those who want cards canceled immediately can do that, she added.
New cards typically take five to seven business days to arrive, but because of the holidays could take up to 14 days, she said.
“It’s terrible. People are so stressed,” McDonough said.
McDonough said she has a half-dozen employees working on the project and still more devoted to the incoming phone calls about Target.
“I wish we could bill Target for this,” McDonough said. “The reality is … my organization is too small to hire lawyers to fight to reclaim these costs from Target.”
One lawsuit has already been filed. Shopper Jennifer Kirk sued Target Thursday, accusing the company of negligence and unfair business practices, among other things, in exposing her information to potential thieves. The lawsuit was filed in federal court and seeks class action status.
Al Pascual, security risk and fraud analyst at Javelin Strategy & Research, said he’s skeptical such actions will accomplish much. He said that depending on how the stolen information is used, either the card-issuing banks or the merchants accepting the fraudulent transactions will probably get stuck for the losses.
“Even though it’s Target that was breached,” Pascual said, “it’s everyone else that pays the price.”