While slumping retailers like J.C. Penney and Sears grapple with reversing their underperforming sales, Target is now confronted with a different kind of turnaround challenge: regaining customer confidence lost as a result of a much publicized security breach.
Target analysts recently administered a series of surveys that purportedly showed that customer trust has ebbed to the lowest point in its history. Many company insiders blame the damage to Target’s reputation on certain strategic decisions made by chief executive Gregg Steinhafel in the aftermath of the cyber-attack.
The details about Target’s cyber-attack have trickled into the public eye like a slow leak. Hackers broke through Target’s online security system, accessing the personal data–financial and otherwise–of more than seventy million shoppers. The credit and debit card information of more than forty million people is now considered compromised.
Analysts predict that at least 15 percent of the credit cards could incur fraudulent charges, averaging as much as a few hundred dollars in illicit charges per card. The debacle could ultimately cost Target several billion dollars in total, with an estimated $1.1 billion in repayments to banks for unauthorized transactions.
Also, adding to these costs will be expenses associated with impending litigation. Currently, there are nearly seventy-class actions suits alleging that it failed to take adequate steps to ensure the safety of its customers. Tina Wolfson, an attorney at Ahdoot & Wolfson P.C., who is the lead attorney on one of the suits, said that Target’s failure “to maintain reasonable security procedures, and delays in notifying customers, will put her clients at risk for identity theft for years.” She continued, “This could be the biggest case I’ve seen in number of people affected.”
But the most pressing problem for Target’s management is still figuring out how to assuage the anxieties of shoppers wary of its security protocols. Many attribute Target’s difficulties to crucial missteps taken under Steinhafel’s direction. When the news about the cyber-breach first became public, there was some confusion regarding the scope of the customers affected. Target officials immediately knew at least forty million shoppers had their financial information fully accessed, and then subsequently discovered another seventy million may have been partially compromised. Steinhafel insisted reporting the sum of those two numbers–110 million–in order to avoid any suspicion that the company was less than forthcoming about the problem.
Chief Marketing Officer Jeffrey Jones considered that decision a fatal mistake, observing that the general public “keeps hearing that equals one third of all Americans.” He added plaintively, “That’s hammering us.”
Target executives have considered a wide array of responses to the security breach, including offering all its customers free credit monitoring and identity theft insurance. And for the last weekend prior to Christmas, it offered an additional 10 percent discount on all products in all of its stores. However, none of these strategies could stanch the bleeding. John Mulligan, Target’s Chief Financial Officer, said, “No amount of traffic recouped the loss to the bottom-line for that.”
Investigators have made two revelations that are particularly disturbing for the industry at large. One, the code used to trespass into Target’s storehouse of customer data is highly sophisticated, using a specially designed software virus undetectable by existing anti-virus measures. The offending code was somehow injected into Target’s portal that accepts online payments for products; however, it is not yet precisely known how this was accomplished or how the code was so effectively hidden from detection. It has been reported that there is evidence some of the code was written by Russian programmers but, so far, no comment has been made about the attack potentially being a state coordinated act of espionage. In collaboration with the private cyber-security firm, iSight Partners Inc., the U.S. Department of Homeland Security (DHS) is conducting an investigation of the matter.
According to a report issued by iSight Partners, the “intrusion operator displayed innovation and a high degree of skill.” Tiffany Jones, a senior vice president at iSight Partners, added, “What’s really unique about this one is it’s the first time we’ve seen the attack method at this scale. It conceals all the data transfers. It makes it really hard to detect in the first place.”
Also, there is gathering evidence that the attack on Target was not an isolated incident but, rather, part of a sweeping salvo perpetrated against multiple retailers. At least at the time of the publication of this article, DHS officials have declined to expand upon this revelation. Over the holiday shopping season, Neiman Marcus also suffered a major breach of its customer data. Karen Katz, chief executive at the Neiman Marcus Group, has said that there is no dispositive evidence that their attack is related to the one directed against Target. She declined to provide specific information about the scope of the breach.
Steinhafel still stands by his decisions and remains optimistic about Target’s overall outlook. He said, “Target won’t be defined by the breach, but how we handle the breach.”
Some conjecture that the Target case will likely expand into a new wave of consumer litigation. Paula Rosenblum, a retail technology analyst at RSR Research, said, “I’m not sure if it’s because of the NSA disclosures or what but I think we are hitting some kind of tipping point. The consumers are more unforgiving and the lawyers are more hungry.”