This message and video also appears in A Bullseye View “Perspectives,” a forum at Target's online magazine for Target’s top executives to share their point of view on everything from industry trends to best business practices. Here, CEO Gregg Steinhafel discusses Target’s response in the wake of the data breach.
Over the last few days, I’ve been asked about the decisions behind Target’s response to the hacking of our guests’ personal data. Some have emailed me to applaud our choice to let our guests know what happened. Others have suggested that our disclosure of certain details has allowed the data breach to be overly exaggerated.
From the beginning of this incident, a clear expectation was established for our team—provide accurate, actionable and timely information. That is an expectation that can be challenging in a situation where the facts change as the investigation into what happened unfolds. Nonetheless, Target has succeeded for more than 50 years because we put our guests first and we aren’t about to stop now.
As everyone knows, during the holidays, cybercriminals stole the payment card information of roughly 40 million Target guests by infecting our point-of-sale system with malware.
A few weeks into the investigation, our executive team was informed that as many as 70 million additional pieces of guest information had also been hacked. This data included individual names, phone numbers, addresses and email addresses. When investigators reached out, they did not know definitively if the information had been stolen or simply viewed during the breach.
Regardless of the specifics, we believed it was important to alert the public. Late on the evening of January 9, members of our leadership team gathered around a conference table at our Minneapolis headquarters and meticulously drafted two separate press releases—one disclosing that the information had been viewed by hackers and another detailing that it had been stolen from our system.
Around 10 pm, we received word that final confirmation would not come for several hours. We went home to try to catch some much-needed sleep—with our phones on max volume next to our beds.
Late into the night, we received official word that our guests’ personal information had indeed been stolen. A few hours later, we issued a press release sharing what we had learned. One thing I have come to appreciate is that operating with full transparency on a short timeline comes with some risk. In this case, the number of people affected was likely to be exaggerated and misunderstood.
For instance, a number of those 70 million entries were duplicative; an example, John J. Doe, John Doe and J. Doe. Three different people or the same person? Moreover, many of the entries were incomplete, containing, for instance, just a first name, an invalid email address or a phone number without an area code. And some of the data was old and unusable, such as a previous home address, an old e-mail or a disconnected phone number.
Also lost in much of the discussion is the overlap between the guests with hacked credit card data and those with hacked personal information. We knew many reports would simply, and incorrectly, combine the 40 million and 70 million figures to arrive at 110 million total affected guests. And sure enough, many did, making the eye-catching claim that over a third of all Americans had been impacted by the breach.
These were serious risks for how we might be seen by the public. But slice the numbers any way you wish, any number was unacceptable.
Looking back on that decision, I still believe it was the right thing to do. Put simply, our guests come first and we acted with a principle of transparency. In the weeks ahead, we hope to understand more about how this attack happened. And we will use what we learn to inform our guests, make Target a safer place to shop and to drive change across the broader retail industry. Because I continue to believe that Target will not be defined by the breach, but how we handle it.
Gregg Steinhafel Chairman, President and CEO, Target
back to tags