Data breach creates PR headache for Target

Target is known for its bright red bullseye logo. But some of its customers are "seeing red" over the company's response to a security breach.

Since security blogger Brian Krebs broke the news of that the payment data of as many as 40 million Target customers was compromised between Nov. 27 and Dec. 15, the website for Target's REDcard crashed several times.

• MPR News: Beware: On a smaller scale, breaches happen every day
• Marketplace: Why Target shoppers shouldn't stress about hack
• FTC: Are you affected by the recent Target hack?

After Target confirmed the security breach on Thursday, many customers couldn't access their account information to check for phony charges on their credit or debit cards. Its customer service phone line also was jammed.

That drew the ire of customers who ranted on the company's Facebook page and elsewhere, creating a public relations nightmare for the retailer during a crucial week for shoppers.

It's not clear how many customers could see fraudulent charges on their debit or credit cards. But plenty of shoppers worry they might. Some say Target is not doing enough to assuage customers' fears over the security breach.

"You don't want to think that every vehicle you turn to try to get some more information is basically a busy signal or a Facebook page with a lot of people complaining or a written statement from someone," said Karen Kessler, a corporate damage control expert based in New Jersey.

Kessler said Target's chief executive -- not low-level spokespeople -- should be out front showing sympathy to customers who are worried. She also said news of the security breach should have originated from the company.

Greg Scanlan, a loyal Target customer, agrees. He wonders what held Target back in disclosing the data theft.

"If they've known that for the last however many weeks and didn't let customers know or credit card companies, that's really problematic," said Scanlan, of St. Paul. "That would be part of 'what the heck are they doing?'"

That question is especially relevant for Scanlan since he shopped at the Roseville Target during the problem weeks. This week, he noticed phony charges on his credit card bill. He's not sure yet whether the two events are connected, but the timing suggests it.

Target spokesperson Molly Snyder said the company acted swiftly to notify law enforcement of the data theft and alert the public. But she would not explain delay between the company's discovery and its announcement.

People familiar with data security systems seem much more willing to cut Target slack for waiting to go public about the breach.

Joel Hernandez, who has worked as an IT executive at major Twin Cities-based companies like the payroll processing firm Ceridian, suspects Target delayed its communications because the security breach likely is not going to result in millions of unresolved fraudulent transactions. Hernandez predicts only thousands of such charges because the hackers won't want to draw a lot of attention to themselves.

"You statistically are more likely to get struck by lightning than have that account used," he said.

Snyder said only a fraction of the 40 million customers in question will have an actual problem. That's one reason why the company is discouraging customers from cancelling their cards.

Meanwhile, Snyder said the Minnesota-based company is beefing up its customer service staffing to help people navigate the issue -- and break through the busy signals.

But news of the breach comes just before one of the busiest shopping weekends of the year, and it's unclear if those efforts will placate jittery shoppers at a critical time.

Still, Scanlan will probably keep shopping at Target, even though he believes his credit card information was intercepted from a transaction there.

"I'm a Target shopper," he said. "I'm not going to switch to Walmart."