When it comes to data security breaches, it’s been a tough stretch for retailers. Michaels, Target and Neiman Marcus- all recent victims of sizable breaches in which the personal and/or credit and debit card information of tens of millions of customers was compromised.
So who handled it best from a PR standpoint? Here are the three breaches in order of occurrence:
Target
Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores: Issue identified and resolved http://t.co/7Q13ZtK5cc
— Target (@Target) December 19, 2013
The massive retailer had a credit and debit card breach involving more than 70 million customers. Yes, it was right during the holiday shopping season, which didn’t help the public relations effort. But instead of getting out ahead of the story, the company waited far too long: rumors of the breach first surfaced on December 12, yet the company’s official statement wasn’t released until December 19:
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” said Gregg Steinhafel, chairman, president and chief executive officer, Target. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
From a PR lens, Target could certainly have handled the situation better by getting out ahead of the issue instead of waiting several days to make an official statement. The company’s downstream responses are nice but don’t seem entirely satisfactory: offering free credit monitoring and investing $5 million in a cybersecurity coalition mostly focused on educating customers about email phishing scams. But once Target decided to come forward, it has been extremely active in communicating details and information. The company developed a web page specifically devoted to providing information, issued a press release, posted a letter from the CEO, distributed multiple social media messages, and (probably too little too late), set Steinhafel up for an interview with CBS in mid-January.
Neiman Marcus
We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after purchasing at our stores.
— Neiman Marcus (@neimanmarcus) January 11, 2014
Perhaps because it was just on the heels of the Target breach, the Neiman Marcus breach went comparatively under the radar. But the company certainly took the PR approach of acknowledging the issue and working hard to get back to normal as fast as possible. However, Neiman Marcus made the same mistake that Target did in waiting far too long to disclose the potential problem: the company first knew about the issue in mid-December, made some rumblings on New Year’s Day, but only confirmed that they were investigating a breach when reporter Brian Krebs called on January 14 after hearing that multiple credit card breaches were tracing back to the high-end retailer. Krebs published an article about the breach that same day.
However, it wasn’t until January 25 when the company finally confirmed that customer information had been compromised via a letter from CEO Karen Katz:
“We have taken steps to notify those affected customers for whom we have contact information. We aim to protect your personal and financial information. We want you always to feel confident shopping at Neiman Marcus, and your trust in us is our absolute priority.”
That’s about it. The company webpage about the breach (same link as to the CEO letter) is minimal and tough to find. No social media except for two tweets on January 11 confirming the possibility of a breach. No press release – company spokesperson Ginger Reeder provided statements as necessary by email. Like Target, the company did offer its affected customers a free credit card monitoring service. In the shadow of big Target taking so much heat, maybe it wasn’t a bad strategy in the end. If I were a customer seeking information, I would expect more active disclosure from a company in order to keep my trust.
Michaels
On January 25, Michaels reported that it was investigating a possible security breach. Nothing was confirmed yet, but with both the Target and Neiman Marcus breaches fresh in mind (and the company’s firsthand experience with another serious breach in 2011), they jumped out ahead to alert the media about the potential.
Home decor and crafts shop Michaels is investigating a possible data security breach: http://t.co/BJjKF8b4OI
— The Associated Press (@AP) January 25, 2014
Michaels confirmed the breach on January 28 with a press release and letter from CEO Chuck Rubin, “We recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting we may have experienced a data security attack.”
Michaels Stores confirms payment cards compromised in breach | http://t.co/7Me9EnENNS
— SCMagazine (@SCMagazine) January 28, 2014
Micheals homepage has an easily spotted banner linking to more information about the breach on its homepage. Click through, and you’ll find the letter from Rubin, an FAQ section, information about obtaining a free credit report, and a link to a PDF (!) of the company’s January 25 press release. The company did not communicate about the breach through its social media channels.
So, Who Handled it Best?
It’s a tough choice given that the Michaels and Neiman Marcus breaches happened after the Target breach. News media and consumers were likely a bit fatigued of the retail security data breach topic, making it less likely for these stories to spread as far as the Target story did.
If I had to choose one, I would go with the approach taken by Micheals. The company’s public relations response was proactive, straightforward, and helped them get out ahead of media and public speculation. While I’m sure there was a conscious decision about this, I find it odd for a company’s social media channels to be operating as if nothing was amiss on the very day the breach was announced, “Come decorate peace signs!” Neiman Marcus could certainly have done more to provide information, but the company did at least acknowledge the potential of a breach through Twitter. Target gets the prize for the most comprehensive response program. It just came way too late in the process when the customer trust damage was already in motion.
A takeaway from these three breaches is that every major retailer MUST have a crisis communications plan in place for a similar scenario. It’s just a fact of doing business in this interconnected world that many smart, dedicated and malicious people spend countless hours looking for ways to access the financial and personal information of others.