retail news in context, analysis with attitude

Target Corp. said Friday that the number of customers who had personal information stolen by hackers in November and December 2013 was actually between 70 million and 110 million, not 40 million as the company originally had reported. In addition, Target said, the depth of the penetration was far worse than originally disclosed. Hackers accessed not just names, card numbers, security codes and expiration dates, but apparently also mailing addresses and email addresses … and the breach may also have affected customers who did not shop at Target during the November-December dates.

The New York Times reports that "the effect of the data theft has reached far beyond one of the nation’s largest retailers. Major credit card companies and banks have been issuing warnings about potential fraud to their customers and providing them with new cards and account numbers as a precaution. Some banks have limited cash withdrawals. As banks and companies continue to monitor customers’ accounts for suspicious activity, the Secret Service and the Justice Department have opened an investigation."

According to the Times story, "Fraud experts said the information stolen from Target’s systems quickly flooded the black market. On Dec. 11, shortly after hackers first breached Target, Easy Solutions, a company that tracks fraud, noticed a 10 to twentyfold increase in the number of high-value stolen cards on black market websites, from nearly every bank and credit union … Security experts say that clever hackers could potentially piece together customers’ stolen information for identity theft or for use in a so-called spear phishing attack, in which hackers send a highly tailored email to victims asking them to click on a link or download an attachment that, once opened, gives hackers a foothold into their computers and employers’ networks."

As the extent of the Target breach got worse, the Associated Press over the weekend reported that "luxury merchant Neiman Marcus says thieves may have stolen customers’ credit card and debit card information and made unauthorized charges over the holiday season … Neiman Marcus’s spokeswoman Ginger Reeder said in an email that its credit card processor notified the retailer in mid-December about potentially unauthorized payment card activity. On Jan. 1, a forensics firm confirmed evidence that the upscale retailer was a victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result."

Yesterday, CNBC quoted Target chairman/CEO Gregg Steinhafel as trying to reassure consumers that his stores are safe to shop. "We are in the middle of a criminal investigation as you can appreciate and we can only share so much. ... We are not going to rest until we understand what happened and how that happened," he says. "Clearly we are accountable and we are responsible—but we are going to come out at the end of this a better company and we are going to make significant changes."
KC's View:
This story just keeps getting worse and worse, and columns are beginning to appear in the media about the extent to which retailers where such breaches take place should be fined. And it seems likely that there are going to be hearings somewhere that will focus not just on Target but also on the broader issue of customer financial security.

I may be wrong about this, but I think that the retail industry needs to prepare itself for a regulatory and public relations storm. And the one thing it should not do is go into a defensive crouch … because that won't play well. Target already is getting grief for waiting just a few days before informing customers of the breach; the defense is that it needed to prepare call centers that could handle the inevitable onslaught of consumer queries, but even a brief delay is perceived by some as having a "CYA" taint.

These days, even the perception that a company is being less than transparent can be damaging.