#PRWin – Target’s Hittin’ Bullseyes Like a Boss
WARNING: The following guide provides Anti–PR advice. It’ll show you how NOT to do PR, which has been ruined after decades of misuse. Anti–PR is Kick-ass, Unrelenting Media Story-telling Influencer-Wrangling extraordinaire deliverables to garner favor in the court of public opinion.
Just on its own, a customer data breach is already a disaster. The repercussions run far and wide, from the integrity of a business’s reputation to the financial security of its customers, just to name a few.
Target was the “ahem” target of a cyberattack in 2013 in the form of unauthorized access to U.S. store customers’ credit card data that ran from November 27 to December 15, 2013. Approximately 40 million customers’ debit and credit card accounts were possibly affected.1 I remember it well—we covered many of those stories and how it applied to several of our clients’ businesses and customers.
The seeds of a major public relations disaster (not to mention legal ones) were planted. A data breach of any size is a major issue, not least because it calls into question the integrity of a business’s data security practices. But the scale of this one breach, potentially affecting literally millions of people, could make or break the retail chain for years to come.
The retail giant made their knowledge of the breach public four days later via (you guessed it) a press release they published on their website. While there was some criticism about the four days between the incident and the public acknowledgement (which Target’s Chairman and CEO Gregg Steinhafel would later address in a video interview), Target did in fact do the right thing right out the gate – they recognized the breach in plain terms, right in the title, “Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores”.
Keeping in mind that the U.S. government requires that companies disclose data breaches, Target still didn’t make an attempt to beat around the bush. No corporate double-speak to try to minimize the damage. No bullsh!t. Right in the press release’s first line.
The body of the press release did an excellent job of laying out the event in plain and simple terms, stating what happened, “…unauthorized access to payment card data…”, and immediately following with, “Target is working closely with law enforcement and financial institutions and has identified and resolved the issue.”
The most critical pieces of information are given in two sentences: 1) problem 2) solution.
Of course, that wasn’t simply the end of it. Target may have resolved their internal problem (which any stakeholder in Target would be relieved to read), but what Target customer, especially the ones who had their data stolen, was going to be satisfied with them merely patching and sealing whatever hole they had in their cybersecurity?
And that’s where one press release was an excellent start of the “healing process” but far short of a full-on cure.
About addressing the problem in plain terms again – the release outlined the scale and specifics of who could be affected and gave details as to what actions they were taking to solve their customers’ potential issues.
That’s a great start and Target wisely kept the issue front and center. They quickly followed up with another Press Release, this one from the CEO Gregg Steinhafel, which breaks down in succinct, matter-of-fact terms exactly what happened and what Target was doing to ensure their customers’ debit and credit card data were safe (i.e., solving the problem), which included offering free credit monitoring services (another very smart move).
Regardless of any possible error on Target’s part in protecting data, they did what so many other companies don’t – they owned the problem – and then laid out their solutions to fix it.
There are multiple instances of companies handling crises in the exact opposite way – blaming business partners, vendors – sometimes even their own customers. Then they compose releases that are meant to minimize or disguise the true scope of the problem with corporate jargon and “double speak”. Target did not go there.
And to really put Target’s problem and subsequent handling in sharp focus, during Mr. Steinhafel’s testimony before the U.S. Senate he was asked if he could have utilized better security practices when managing their vendors. In stride with their corporate communications, Steinhafel gave a simple, honest, clear response – “Yes”.2 (One word can do more to help your company’s reputation in the long run than a long-winded answer about why the problem isn’t your fault.)
This is how a reputation campaign is done. Regardless of how their sales figures or stock value might have been affected, Target hit its targets! Right outta the gate.
Business data breaches have a lot of victims – the business, the security company providing the protection, the data of so many customers. Rather than play victim (“We didn’t do anything, THEY did it!”), Target took it head on – full responsibility.3 Mr. Steinhafel then resigned as chairman the following year, holding himself personally accountable for the breach, but not before he had taken numerous steps to shore up security and keep customer data safe.
Despite all the right image management moves, Target took hits, including paying an $18.5 million multistate settlement and a drop in sales and stock value.
But fast forward about a year and the retail chain was showing signs of recovery: in its second-quarter 2014 earnings report, Target’s revenues had slightly increased, by 1.7 percent, compared with the same quarter one year prior. Digital sales jumped more than 30 percent.4
Target used Anti-PR as it was intended – to engage with the public, provide real news (albeit bad) and provide multiple, detailed solutions that, over time, would rebuild the public’s confidence.
1. Huffington Post. “Target Hacked: Retailer Confirms ‘Unauthorized Access’ Of Credit Card Data.” 19 December 2013, huffpost.com/entry/target-hacked-customer-credit-card-data-accessed_n_4471672.
2. Roman, Jeffrey. “Breach Aftermath: Target CEO Steps Down.” Data Breach Today, 5 May 2014, databreachtoday.com/breach-aftermath-target-ceo-steps-down-a-6811.
3. McCoy, Kevin. “Target to pay $18.5M for 2013 data breach that affected 41 million consumers.” USA Today, 23 May 2017, usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/.
4. Morad, Renee. “Target Makes a Comeback One Year After Security Breach.” LifeLock, viewed 16 December 2020, lifelock.com/learn-data-breaches-target-makes-comeback-almost-year-security-breach.html.