Information about as many as 110 million shoppers who swiped their credit and debit cards at a Target store in the holiday season may have been stolen. Jeff Chiu/Associated Press
With clients over the years like Michael R. Milken (securities fraud), Dominique Strauss-Kahn (rape allegations), Jack Abramoff (bribery) and the Sizzler restaurant chain (salmonella), Marina Ein is well versed in the art and science of crisis public relations.
So she has been watching the unfolding disclosures involving the vast security breach at Target with interest — both for professional reasons (some of her clients at Ein Communications are shopping centers) and as a customer (she and her husband happened to shop at a Target in Naples, Fla., during the period when customer credit and debit card data was stolen.)
So far, she, like many others in the crisis communications business, think Target is doing a commendable job of showing transparency and contrition in a bad situation. But there are signs that the company may have a ways to go before it can regain the trust of its customers.
On Friday, Target executives said that the breach was far worse than previously disclosed. After further investigation, the company said, it now believes that as many as 110 million of its customers’ credit and debit card data may have been stolen, nearly three times the 40 million it initially estimated last month. The company also said that a wider array of information was stolen than previously believed, including addresses (both mailing and email) and phone numbers.
The announcement was the second time that Target has publicly revised its initial damage assessment. Two weeks ago it said that contrary to earlier statements, the company now believed that encrypted PIN data was taken too.
As clear evidence that the drip, drip of disclosures may be unnerving shoppers, the company on Thursday acknowledged that its sales had been slipping since the initial announcement of the security breach on Dec. 19. What started out as a promising fourth quarter, with “stronger than expected sales” turned into a dismal one, most likely down 2.5 percent from the fourth quarter of 2012, executives said. That would be bad news at any time, but it is particularly distressing given that the fiscal fourth quarter, which encompasses holiday shopping, is the most important quarter of the year for retailers.
Experts in both corporate security matters and damage control say Target has been doing what is expected of a company in an age where people expect instant communication and answers.
“The first rule in crisis management is to get the story out as quickly as possible and to be as transparent as possible in order to regain the public trust of whatever audience you’re dealing with,” said Ms. Ein, the president and chief executive of Ein Communications, which is based in Washington. “In Target’s situation, that was obviously an enormous customer base.”
The problem is that fast disclosures are by necessity incomplete disclosures so some customers can feel uneasy, like they are never getting the complete picture. Target, said Ms. Ein, has “to be in a continuous conversation with this very important audience.”
By most assessments, the company has conveyed sensitivity, offering credit monitoring services for a year and reaching out to affected customers directly. The chief executive, Gregg W. Steinhafel, has been front and center facing the public with apologies. There have been no cringe-worthy moments like the time the chief executive of BP went sailing on his yacht in the early days of the Deepwater Horizon oil spill.
Still Target’s weakening sales figures suggest more work to be done.
“I think they’ve already lost the trust of many individuals,” said Hemu Nigam, the chief executive of SSP Blue, a security consulting company that also does corporate reputation development. “But people are always willing to listen. You have to prove to them that you care, that you’ve acknowledged what went wrong, that you could have done more and that you are doing more.”
He says he believes that Target has accomplished the first two requirements on that list, but needs to focus on the other two to reassure shoppers that whatever security problems it had are being corrected and to explain the steps that are being taken to prevent them from happening again — in short, to make them feel that it’s safe to shop at Target.
“At this point they’re really in that stage of having to showcase what they’re doing to go forward,” he said.
Some consumer and privacy activists say they think the company has not gone far enough in counseling customers. “People tend to be frightened about this, and I think they could have been more forthcoming in terms of giving appropriate advice to consumers about how to handle it,” said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, a nonprofit consumer education and support organization. “Particularly with respect to debit cards.”
Mimi Edwards, a Target devotee in Miami (“it makes shopping for batteries fun”), has been satisfied so far. She has been watching her American Express statements for suspicious charges since she learned that she could be among the consumers whose data could have been stolen. But she said she was largely unconcerned.
“They were upfront and honest about it,” she said, adding that she has continued to shop at Target since the disclosure. “We live in a world where these things are going to happen,” she said. “We shop almost exclusively with credit cards and debit cards, and it’s kind of part of the territory.”
Kenneth K. Dort, a partner in the intellectual property practice at Drinker Biddell & Reath, who has handled dozens of corporate security breach cases, says he has a hard time criticizing anything that Target has done so far. “I tell my clients in these situations, ‘Don’t hide anything. Just be out there. Tell them what’s going on, where you’re going to go and what you’re going to do.’ ”
But he noted the risks were still substantial for a company that has enjoyed an enormously favorable reputation among shoppers for both its prices and its style.
No matter how well the company handles it, he noted, “It’s just a lot of bad P.R.”