The CEO of Target Corp., Gregg Steinhafel, issued an apology today for the compromise of 40 million payment card accounts of consumers who shopped in U.S. Target stores from Nov. 27 to Dec. 15 and offered a discount this weekend for shoppers at its bricks-and-mortar stores. The retail chain confirmed the data breach yesterday. Consumers who shopped at Target.com were not affected, it says.
“The issue has been identified and eliminated,” Steinhafel said in a statement. “We recognize this has been confusing and disruptive during an already busy holiday season. Our guests’ trust is our top priority at Target and we are committed to making this right.”
Target disseminated the apology through Facebook and Twitter. Those online social networks have lit up the past two days with Target shoppers blasting the company about the data breach and their inability to get through to Target by phone or through customer service links on Target.com. Typical of the complaints was this one on Facebook: “ARE YOU KIDDING ME!!! After 48 minutes on hold with Target, suddenly a busy signal and my call was dropped. ARE YOU KIDDING? This is completely unacceptable.”
The Target CEO seemed to be addressing that frustration when he said in his statement, “We understand it’s been difficult for some guests to reach us via our website and call center. We apologize and want you to understand that we are experiencing unprecedented call volume. Our Target teams are working continuously to build capacity and meet our guests’ needs.”
Steinhafel said Target would offer 10% off Saturday and Sunday in its U.S. stores, where the breach occurred. The retailer also said it would offer free credit-monitoring services to affected shoppers. “We will be in touch with those impacted by this issue soon on how and where to access the service,” Steinhafel said.
Target disclosed Thursday that thieves had gained access to 40 million credit and debit card numbers, along with their associated expiration dates and a security code known as the Card Verification Value embedded in those cards’ magnetic stripes.
However, the impact on online retailers may be limited. That’s because the thieves did not get the printed 3- or 4-digit security code on the back of the card that many online retailers require before accepting an order, says Larry De Palma, president and CEO of TDG-Phenix Inc., a payments consulting firm. “There should be no risk to online retailers due to the fact that CVV is on the mag strip (the stolen data) and CVV2 is what the e-commerce retailer uses to provide security. Two different values,” De Palma says.
In addition, he says, web retailers that compare the billing address the shopper enters with that of the card number will be able to detect instances when a criminal who does not have the legitimate cardholder’s address is trying to use the card.
On Monday, Dec. 23, Target issued another statement, confirming press reports that it is working with the U.S. Secret Service and the Department of Justice “on the ongoing investigation into the malware that affected Target’s point-of-sale system in our U.S. stores.” Malware is malicious software that criminals often use to acquire confidential data.
The retailer also said it had doubled the number of agents in its call center to handle the high volume of calls from concerned consumers. It also posted instructions on online social networks explaining how holders of Target’s REDcard, a co-branded Visa credit card, can set up automated alerts about suspicious activity on their accounts.