|Image courtesy of JeepersMedia|
If so, then you know exactly what I mean when I say that Target failed with its post-incidence communication.
On December 19, the world found out through the media that hackers had "unauthorized access" to payment card data of 40 million customers who had shopped at Target brick-and-mortar stores in the U.S. between November 27 and December 15.
My first thought was: "Why did I hear about this from the media? Why didn't they contact me directly?"
You see, I am (or was) a Target REDcard debit card holder. They know me. They can communicate with me about sales, promotions, products, and anything else they want to communicate with me about. THIS would have been a thing to communicate to me! Directly.
After the announcement in the media, they put the onus on you to go find information about what happened and how to respond/react. I went to the Target website to see if there was any information there. Yes, of course; there was a banner across the top of their site that, when clicked on, led to a page with details about the hack.
Great! So they had time to talk to the media. They had time to throw up a web page that included details (that weren't all that immediately helpful) that I'm sure had to be blessed by lawyers and executives. And yet, they had no time to send an email to customers on that day (or sooner).
By the way, that web page contained no details about how to cancel your card or what to do with your card - but it gave lots of options for how you can keep tabs on your credit and identity. I appreciate that, but especially if you have a debit card, you'll want to make sure that the connection to your bank account is severed. I wanted to be able to just cancel my card from within the account management page on their site. No can do. There was a phone number to call if you had questions, concerns, or had fraudulent activity on your card. Good luck getting through on that phone number!
I posted a link to that page on my Facebook page and added this note:
If you shopped at Target in the US in the last three weeks, you should read this.
They put the onus on you to make sure you're not a victim of identity theft, but there are two things they don't do themselves, which I think they should have done immediately: (1) cancel and reissue all Target credit/debit cards, and (2) provide information on this page (the link below) on how to cancel your card and/or get a new one. This is something that could bite you in the ass down the road, not necessarily tomorrow, so by retiring at least those Target credit/debit card numbers, they're off the market.
Whether or not you're a fan of Customer Effort Score, this is a huge fail with regards to customer effort. It is now several days later, and I still cannot get through their phone lines to talk to a person; their customer service line is perpetually busy. (What if I'd had fraudulent activity on my account? I couldn't reach a live person if I wanted to.) Someone told me that they had hired extra people just to man the phone lines through this crisis, but clearly that wasn't enough.
I think they could have saved their customers a lot of heartache and themselves a bit of cash (spent to hire additional customer service reps) by canceling any and all Target REDcard accounts that were used during this time period. Why wouldn't they do this? Well, too much work for them. And FOLO - fear of losing out. Or FOLC - fear of losing customers. I think they'd lose far less customers if they had done that than causing anxiety for all those folks who have yet to be able to call in to inquire about or cancel their REDcards.
I digress. Back to the communication issue.
This is a problem. Companies should talk to customers, not to the media. Customers first, media second. Look at what Beyonce did. Companies need to take a page out of Beyonce's playbook and communicate with their customers, not at them through some other medium:
"I didn’t want to release my music the way I’ve done it. I am bored with that. I feel like I am able to speak directly to my fans."
Stop doing what you've always done; it's a new world out there. Customers interact with you differently, and customers want to hear from you - not from the media. Relationships are built on trust; they are broken when you break that trust.
And for Pete's sake, put some substance into the message. The webpage content was a mile long, but it was all about how to protect your identity. But guess what, Target? I trusted you to offer secure payment options and to protect my identity. I trusted you to make sure that my transactions with you would always be safe. You failed. So don't make me work so hard to resolve your screw-up.
I realize that those without REDcards would need to hear about this incidence somehow, but I bet many had shopped at Target previously, and I bet Target can crosscheck their credit card numbers with previous purchases with contact information somehow. They were able to figure out that an 18-year-old was pregnant before her dad did, right? Remember that story, in which the author told us: Target assigns every customer a Guest ID number, tied to their credit card, name, or email address that becomes a bucket that stores a history of everything they’ve bought and any demographic information Target has collected from them or bought from other sources. Yup. I think they can figure out how to contact you. And if they don't have your contact information, i.e., if you're not a Target cardholder, they could have worked with your issuing bank.
They took four days (December 15 was the last day of unauthorized access; December 19 was the day the media reported the issue.) to announce the issue. They had four days to run the data. They had time to figure out who should be contacted by email. Why did it take so long? Never mind the fact that the breach occurred over a period of three weeks. How could it go on for so long, unnoticed?
So let's continue through the chronology.
On December 20, I received an email from Target about the incident. Basically, it was the same communication that was on the aforementioned webpage.
On December 21, I received an email from Target's CEO that basically said the same thing.
What we have failed to hear up to this point is an apology. Instead, what Target has done is to offer customers a 10% discount ("same as our employees") to entice you to come in and shop. Or to add insult to injury. I've seen some comments on Facebook by people who have said not to blame, or be mad at, Target. Who should customers be mad at? Target did not protect them. No, Target wasn't the hacker, but they should be doing everything possible to protect customers. Again, why did it take three weeks for them to discover this breach?
Last night, Target sent out another email, which outlined the following:
- You do not need to call us unless you found charges on your account that you didn’t make.
- You will not be held liable for any fraudulent charges.
- We have made changes to our REDcard fraud detection and authorization procedures to further protect you.
- We are offering free credit monitoring for one year to every single person who was impacted by this crime. We will give you more information about that soon.
Target's not the first retailer or company to experience a security/data breach, and it's likely not the last, unfortunately. But there are lessons to be learned here, for sure. The key takeaways today are:
- Target is a B2C (business to customer) business, not a B2M2C (business to media to customer) business. Cut out the middle man. Talk to your customers. Directly to and with your customers.
- Make a mistake? Issue an apology.
- Have a security breach? Take swift action. Four days is not swift; neither is three weeks.
- When it comes to this type of issue - or service, in general - reduce your customers' effort in whatever way you can.
What do you think?
Trust takes years to build, seconds to break, and forever to repair. -Unknown