It only took a month.
Target Corp. first divulged a breach involving 40 million credit- and debit-card accounts on Dec. 19. It later revealed that information on 70 million customers — including names, addresses and phone numbers — had also been hacked.
Customers (and who doesn’t shop at Target?) are understandably outraged. State regulators are investigating. Congress is demanding an inquiry. Lawsuits are piling up. And shareholders are feeling the pain: The company’s stock price has declined about 3 percent since Dec. 18.
Monday, Gregg Steinhafel, Target’s chief executive officer, attempted to make amends in an open letter to customers (the company prefers to call them “guests”). Target plans to form “a coalition to help educate the public on the dangers of consumer scams,” the letter says, and it hopes to “accelerate the conversation — among customers, retailers, the financial community, regulators and others — on adopting newer, more secure technologies that protect consumers.”
Target’s guests seem to have accelerated their education already, thank you, as the store’s U.S. sales were “meaningfully weaker” after the disclosure, according to the company. Nevertheless, Steinhafel is onto something important with the suggestion for better technology.
The most important step U.S. retailers can take in response to this breach (Neiman Marcus Group and several other merchants were also hacked about the same time) would be to speed adoption of encrypted smart-chip credit cards, which are more secure than the antiquated magnetic-stripe cards most Americans use. The U.S. lags behind much of the developed world in adopting the technology, which can significantly reduce counterfeiting scams, the largest kind of credit-card fraud. Card companies and retailers plan to reform fraud liability in ways that will encourage the smart-chip cards, but not until the end of 2015. The sooner that shift can happen, the better.
Other technological reforms to consider are mostly common sense. Retailers should encrypt the data that moves between their cash registers and financial institutions. They should make use of multilayered security procedures, which can help ensure employees don’t accidentally compromise the company’s data. And they should share information about intrusions and threats — especially when it comes to software vulnerabilities and supply-chain risks — with their competitors. The financial-services industry, which has made great strides in beefing up its online defenses, offers a good model.
A few cultural changes might also help. Companies can no longer afford to think of cybersecurity as an issue only for the guys in IT. They should ensure their employees, even low-level ones, are trained to follow best practices when it comes to protecting customers’ information. And responsibility for cybersecurity policy needs to reside with senior executives, as an integral part of a company’s risk management. Finally, when a breach occurs, companies should be transparent — and prompt — in informing customers about exactly what went wrong.
Target hasn’t been excessively speedy in responding to this intrusion. It can make up for its tardiness by investigating thoroughly, and ensuring the damage is minimized the next time. Because if there’s one thing all retailers know, it’s that there will be a next time.