Schafer: Target's response to data theft was too slow, too cautious

Among the things still unknown about the loss of customer data at Target, one of the most puzzling is Target's Dec. 18 news release.

It came out well before dawn that Wednesday, the same day a well-regarded data security blogger posted that an investigation was underway at Target of a potentially massive loss of data from customer debit and credit cards.

But Target didn't say anything about that investigation in its release that morning. The company statement was pure marketing communications, in which it declared a great holiday season was underway. It included a quote from Gregg Steinhafel, Target's chairman and CEO: "We are pleased with Target's holiday performance, from guest experience and engagement to overall results both in-store and online."

Whoever wrote that release and punched the send button probably didn't know that millions of customer accounts had just been compromised.

Steinhafel certainly did.

We know this because it's what he told the cable news channel CNBC. He got the call on the security breach three days earlier, on Sunday morning, Dec. 15.

Really? Target was investigating a huge security breach and its message to the public was that its CEO was pleased with how things were going? Isn't a consumer-focused company like Target run by marketing executives who should know better?

Decades of great marketing went into creating Target's solid brand, but the heart of what makes a brand like Target really valuable is trust. That takes more than marketing. It takes being smart at the nuts-and-bolts of operations and fair in pricing. A long history of being both is why Target has its solid brand.

Then there's transparency.

Since confirming news of the cyberattack, Target has been engaging the public to some degree. Depending on how you count them, there have been at least a half-dozen updates via statements along with e-mails to Target customers.

Target has repeatedly apologized. To its credit, the company granted a 10 percent discount for all merchandise for two days and has offered any Target customer who shopped in one of its U.S. stores a year of free credit monitoring and identity theft protection.

But in many ways, the company has been a half-beat slow from the start.

Target later explained the delay by saying the company wanted to be well prepared for the crush of inquiries. Still, that's a long wait before you tell your customers that their cards may have been compromised.

A more fundamental problem is that people don't trust e-mails and statements posted to websites as much as they trust people. And what's been mostly absent in the early weeks of the crisis is a human face of the company.

No senior executive would be eager to meet with reporters or jump in front of a live TV camera after this kind of news breaks. In a fluid situation, there's plenty of risk of later looking very wrong. Saying "I don't know" over and over doesn't exactly inspire confidence and trust, either.

That was needed, however, and not just once. It would have helped even if the message on Dec. 16 was simply, "We are sorry. I can assure you that we have plugged the leak. I'll let you know more when we know more."

Almost a month after the data breach became public, Target's CEO Gregg Steinhafel finally discussed it in front of a TV camera, speaking at length on CNBC on Monday.

He had several strong moments; perhaps his best was when he said, "There is zero liability for the guest. Zero. I mean, we are responsible. We're accountable for all of it."

He gave the impression of having been particularly well-drilled for this interview and showed the savvy politician's knack for gently knocking aside a question and really sticking to his prepared points.

It would have been an Emmy-quality TV performance had it only come three weeks earlier.

The choice of appearing only on CNBC was baffling as well. A Target spokesman pointed out that it chose CNBC in part to get snippets of the interview broadcast on other, more widely watched NBC-affiliated programs. But CNBC is a cable channel for investors, leaving the impression to some that Target valued them over customers.

It's more likely that deciding to let the CEO appear only on a financial cable TV show is just another version of playing it safe, much like taking four days to prepare before publicly confirming a security breach.

It doesn't seem like it's the right time for Target to play anything safe.

lee.schafer@startribune.com • 612-673-4302