Target's credit card security breach affecting 40 million accounts doesn't bode well for the retailer's standing with consumers with what many call the biggest shopping day of the holiday season coming up on Saturday. The company's reputation among shoppers will likely be negatively impacted, putting the $73 billion Minneapolis-based retailer on the offensive with its loyal shoppers.
"There's a level of trust that's diminished and there is perhaps a loss of goodwill," said Daren Orzechowski, a partner at law firm White & Case in New York, who focuses on information technology legal matters, including privacy. The breach "could affect people who choose not to go to those [Target] stores versus a competitor."
As a result, "the real risk, to me, in terms of financial loss is lost sales and lost customer loyalties, which can be sustained [over time]. Somebody can have [their credit card data] stolen and will never go shop there again," said Mr. Orzechowski. He added that most often data breaches are one-time events where data is captured and the hole is fixed, not a continuous open time frame like Target's 19-day window. Target said in a statement that accounts may have been impacted between Nov. 27 -- the day before Thanksgiving -- and Dec. 15.
"We wanted to move swiftly to address the issue. This is a very important holiday week but our focus is on the guests," said Dustee Jenkins, the Target spokeswoman. "We want to reassure people that they can shop at Target."
Target did not reveal what caused the breach or when it was discovered. The company is working with a third-party forensics firm to investigate and has resolved the issue, according to a Target spokeswoman. The breach affects in-store purchases, Target said.
The retailer's Twitter followers were vocal in their unease with the breach. Several said they could not get through via phone to change PIN numbers for Target's branded RedCard credit card. Consumers also showed concern that the breach occurred for nearly three weeks.
"Waiting until your hands were forced to disclose the breach is unconscionable," wrote one Twitter follower, referring to the fact that security expert Brian Krebs broke the news on Wednesday before Target released an official statement Thursday morning. "Now motivated to pay off card & never use again."
Retail consultant Craig Johnson from Customer Growth Partners questioned, like several others, why it took Target so long to release news of the breach, seemingly four days after it was stopped. "Why didn't you tell your customers in those four days?" he said.
"The reaction to it has been very ham-handed," continued Mr. Johnson. "You have to get out in front and communicate. No company is perfect but when an issue arises, when there's a theft or fraud thing….you want your customers to hear about it first from you."
But Mr. Johnson also noted that consumers are so caught up in holiday shopping, they may not be paying attention to the news. "Overall, [the breach] will be a modest impact because most people just generally are not paying attention this time of the year," he said.
One Twitter follower said Thursday afternoon that his Target card was "used to buy lots of gas in Wisconsin. Haven't done xmas shopping yet, need card. Can't get cash, need card."
Another Twitter follower planned to close her Target credit card but couldn't because she said the RedCard site was down on Thursday morning: "Looks like I'll be shopping cash only from now on. This is just too stressful."
Target shares lost 2% in trading Thursday to close at $62.15.