At the height of the holiday shopping season, Target Corp. finds itself grappling to maintain customers’ loyalty in the wake of a breach that exposed data from 40 million debit and credit cards.
Since disclosing the breakdown last week, the second-largest U.S. discount chain has agreed to give some shoppers free credit reporting, assured them they wouldn’t be responsible for fraudulent charges and offered a 10 percent discount on purchases last weekend to regain their trust. In its latest statement, Target said yesterday it’s unveiling a dedicated website for communications to customers.
“They’ve been doing everything that they can,” Robert Passikoff, president of New York consulting firm Brand Keys, said yesterday in an interview. Still, “you’re going to see, at the wrong time of year, people who are moving to other alternatives until some comfort level comes back.”
Target said Dec. 19 that security for the cards may have been breached between Nov. 27 and Dec. 15 as customers made purchases in stores. While the chain said it had identified and resolved the issue, the compromise occurred during the most important period of the year for retailers and with shoppers already showing reluctance to spend. The retailer said yesterday it’s aware of “limited incidents” of fake communications claiming to be from Target, prompting it to set up the dedicated breach communication site.
Even before the incident, Target had been struggling to boost sales and earnings. The retailer’s third-quarter profit trailed analysts’ estimates as U.S. shoppers held back and expansion into Canada dragged on earnings, sending net income down 46 percent from a year earlier.
Target fell 0.3 percent to $61.71 yesterday in New York. The shares have gained 4.3 percent this year, trailing the 14 percent advance of Wal-Mart Stores Inc. and the 43 percent increase of the Standard & Poor’s 500 Retailing Index.
Target said Dec. 23 that it has doubled the number of staffers answering inquiries at its call center and has communicated with 17 million customers via e-mail.
It also hosted a call on Dec. 23 for state attorneys general to speak with its general counsel for an update on the breach. Representatives from most states participated in that call, Target said yesterday.
Massachusetts is among states probing the security breakdown, and the retailer is already facing almost two dozen lawsuits, mostly from customers accusing the company of failing to safeguard their information.
Target also has agreed with New York’s attorney general to provide a year of free credit monitoring to New York victims of the breach.
Security is one of the most important elements of brand loyalty, Passikoff said in a telephone interview yesterday.
“Although people take it for granted, when it falls apart, it becomes a gaping hole, and that’s what happened to them,” he said.
Molly Snyder, a Target spokeswoman, said yesterday in an e-mail that “our priority continues to be the security of our guests and we are working around the clock to address this issue.”
Target has plenty of company in its quest to attract shoppers as retailers jockey for business in what’s expected to be a tepid holiday season. U.S. store visits fell 21 percent in the week to Dec. 22, according to ShopperTrak. The Chicago research firm has predicted a 2.4 percent sales gain for this holiday season, which would be the smallest since 2009.
To lure reluctant shoppers, retailers have ratcheted up discounts to the highest level since 2008, according to Craig Johnson, president of Customer Growth Partners in New Canaan, Connecticut. Even with its 10 percent discount, the number of transactions at Target slipped 3 percent to 4 percent compared with the final weekend before Christmas last year, according to Johnson’s firm.
The breach also has shown that security in the U.S. is weaker than in some other countries that now use credit cards with embedded chips that are more secure than magnetic strips to store account data, according to Dan Kaminsky, co-founder and chief scientist at White Ops, a cybersecurity firm in New York. The U.S. payments industry has said it will replace magnetic strips by 2020, a deadline that could now be accelerated in the aftermath of the Target breach, Kaminsky said last week.
While card-swiping devices have been hacked in the past, the incidents typically occurred at a single machine or store, not chain-wide, which is why this breach is troubling, Kaminsky said. Target said account numbers, expiration dates, cardholder names and card verification value, or CVV, had been compromised. That kind of data could be used to make counterfeit credit cards, Kaminsky said.
The data thieves also stole encrypted personal identification numbers, or PINs, according to a senior payments executive familiar with the situation, Reuters reported yesterday. One major bank is concerned the thieves could break the encryption and make fraudulent withdrawals from bank accounts, the executive said.
“To date, there is no evidence that unencrypted PIN data has been compromised,” based on the company’s communications with financial institutions, Target’s Snyder said in an e-mail.
Given the scope of the Target breakdown, the retailer’s efforts so far have been “anemic” and “misplaced,” said Rob Frankel, a Los Angeles-based brand consultant.
“They could have put their foot down and said we’re going to the European-style credit card for our stuff because it’s a lot more secure, and we’re proud to be the first ones doing it even though it’s more expensive,” Frankel said yesterday in a telephone interview.
The company said it’s investigating the breach with the U.S. Justice Department and the Secret Service, which asked it not to share details of the probe. U.S. Senator Richard Blumenthal, a Democrat from Connecticut, also has urged the Federal Trade Commission to probe Target’s data-security practices after the breakdown.
The retailer’s customers have been affected in other ways, too. JPMorgan Chase & Co., the biggest U.S. bank, had placed spending and withdrawal limits on 2 million customers who used debit cards at Target. The bank had set limits of $100 in cash withdrawals and $300 in purchases and on Dec. 23 lifted those to $250 in withdrawals and $1,000 in purchases.