Retailers Are Finding That Data Vulnerability Can Undo Years of Brand Equity

How to bolster defenses and clean up the PR mess

Data breaches, as we have all learned, can be #EpicFails with far-reaching and destructive implications for brands. Once sensitive consumer information—payment-card data, home addresses, phone numbers—is stolen, the ramifications can include federal investigations, appearances by company execs before congressional committees, class-action lawsuits, and months of scathing headlines, all of which can precipitate a major loss of consumer trust.

“Big companies spend millions, billions of dollars building their brands over 20, 30, 40, 50, 100 years,” says Eric Chiu, president and co-founder of cloud security automation firm HyTrust. “If something bad happens, like the breach at Target, all that can be gone in one fell swoop.”

First and foremost, companies should take all possible steps to safeguard sensitive data. An ounce of prevention (translation: millions of dollars in technology upgrades and IT hires) can outweigh a pound of cure (many more millions of dollars and months of PR, social and paid-content spinning as a brand’s image threatens to go down the tubes).

Once breached, the familiar tenets of crisis communications—rapid response, transparency, opening multiple lines of dialogue with the public, press, shareholders and government—apply. However, there are some key differences. The issues surrounding cyber crimes can be complex and confusing, the protocols for public responses are ill-defined, and the news cycle can be long lasting. All this makes image management and restoration tricky. Most often, experts say, breached companies—even those that prepared beforehand—find themselves improvising as they go along, forced to respond as each new revelation unfolds.

Part of the problem is that the public has grown irritable with breaches and views corporate responses as just so much self-serving spin. A recent HyTrust survey found that almost 73 percent of 2,000 respondents believe organizations do not care about keeping their private data secure. And the public trust is likely to be rattled even further, as cyber crimes become even more common.

According to Risk Based Security and the Open Security Foundation, data-loss incidents in 2013 tripled year over year to 2,164, exposing more than 800 million records of one kind or another. More than 70 percent of these incidents involved outside attackers, with 25 percent of losses caused by insiders, usually through accidents or human error. (The business sector accounted for 53 percent of all incidents and nearly 75 percent of the records exposed.)

Given this trend and the fact that hackers have grown more brazen and sophisticated, companies of all types and sizes should view breaches “as an inevitability, and take measures before the crisis,” says Renée Richardson Gosline, assistant marketing professor at MIT’s Sloan School of Management. This holds especially true for big retailers, increasingly targeted for their rich stores of customer information gleaned from billions of annual transactions.

Retailers = Targets
Crooks really hit the bull’s-eye with Target. At the height of the 2013 holiday season, hackers accessed payment-card data and personal information (names, addresses, emails and phone numbers) of 110 million customers. Target said costs associated with the cyber invasion totaled $61 million in its fiscal fourth quarter, contributing to a 46 percent decline in net income to $520 million (81 cents per share) versus $961 million ($1.47 per share) the previous year.

Target is not alone. The credit cards of at least 350,000 Neiman Marcus customers were breached from July through October of last year. (It initially said 1.1 million cards might have been compromised.) The luxury retailer estimates legal fees and other costs related to the theft amount to $4.1 million so far. (It swung to a fiscal Q2 loss of $68 million versus a profit of $40 million the prior year.)

There’s more. Michaels Stores in January reported possible fraudulent activity on payment cards used at some of its stores, though the level of theft, if any, was unclear. In February, Sears said it was investigating whether its systems had been breached (none’s been detected so far). A few weeks ago, Sally Beauty Supply disclosed a cyber attack that it later said affected fewer than 25,000 customers. (Reps from those companies either declined to make executives available for comment or did not respond to Adweek’s queries.)

The damage that can be caused by these snafus cannot be overstated. Some experts say data breaches even have as much potential for harming brands as the BP and Exxon Valdez oil spills or the deadly Tylenol capsule poisoning. “Breaches hit pocketbooks, reputations and credit ratings—this is deep pain” that can linger in consumers’ minds, says Allan Steinmetz, CEO at Inward Strategic Consulting. He advises breached companies “to bend over backwards and give consumers confidence that the problem has been solved.”

During its Tylenol travails, Johnson & Johnson did just that. As part of an aggressive brand-saving push, the company, readers will surely recall, yanked bottles off shelves and warned consumers not to use any they had on hand. The company exchanged capsules for solid pills and ultimately reissued the product in safer packaging. It remains perhaps the textbook example of crisis management in corporate history.

But the Tylenol situation is not entirely analogous to those companies now facing cyber-theft meltdowns. “The main problem with data breaches is that we don’t know how to solve the problem,” says risk communications expert Peter Sandman. “And companies are resisting some of the partial solutions that are readily available.”

Indeed, breached companies are often their own worst enemies, which makes staging a comeback (or preventing problems in the first place) that much harder. Says Sandman: “We can’t trust companies to prevent breaches; we can’t trust them to take all possible steps to try; we can’t even trust them to take some reasonable but expensive steps that have been adopted elsewhere but are still being extensively debated here.” 

Illustration: Noma Bar

Ounce of Prevention
The fact is, some companies have done themselves damage long before their computer systems are hacked; in fact, they even court disaster. The culprits include outdated technology, scant IT security and no process in place to deal with breaches once they happen.

The first step is prevention, according to the experts. If companies move to safeguard data, not only can they lower the risk of a breach, but they might also find themselves in a stronger position to defend their brand should they become targets for cyber crime.

It’s always better, they say, to do something—and be able to communicate those steps later, if need be—than stand by and do nothing. And yet, nothing, or next to nothing, is exactly what many companies wind up doing until it’s too late. “Security is almost always trailing the actual vulnerability,” says Kevin O’Brien, product marketing director at security firm CloudLock. Owing to the high cost of upgrading security, internal politics and corporate ennui, “you just don’t see many companies moving away from legacy servers—15-20-year-old technology—that create the opportunity for a breach,” he says.

One common suggestion is for companies to stop storing so much data on their own equipment. Since “organizations on the consumer side are not in the business of data security,” it might behoove them to store sensitive information with services that are more adept at safety, O’Brien says.

Moving data from company servers to cloud-based services like Google Apps, Salesforce and Office 365 is logical because “as far as we know, there’s never been a physical breach at any of them,” O’Brien points out.

Still, cloud storage is no panacea. In fact, it concentrates risk in a single location—creating an “eggs in one basket” situation, says HyTrust’s Chiu. Companies might consider simpler measures, such as instituting a “two-man rule” to ensure that sensitive data can only be accessed or changed when a pair of authorized staffers take action. Role-based monitoring—watching what staffers with “admin” privileges actually do versus what they’re supposed to do—can likewise prove helpful. Data encryption, preferably at the moment cards are swiped at checkout, is also key, “so if someone steals data, it’s useless to them,” says Chiu.

Retailers are already moving in that direction, as the switch begins from magnetic-strip payment-card systems—the current U.S. standard, and highly insecure—to microchips that encrypt data at the point of sale. In such a system, banks can also assign PIN numbers to provide extra layers of security.

By some estimates, rolling out chip-and-PIN nationwide could cost $8 billion or more, as some 1.1 billion payment cards would have to be upgraded, along with 15 million card terminals and hundreds of thousands of ATMs. (The expense is one reason change has come so slowly, though Visa and MasterCard are pushing for stores and banks to adopt chip-and-PIN by October 2015.)

The Right Response
Taking any of these measures might make handling consumer data somewhat more secure. The U.K. Cards Association reports a 70 percent decline in fraud since the adoption of chip cards nearly a decade ago. Target’s Canadian stores, which use chips, were not part of its breach.

If nothing else, getting proactive allows merchants to say: “We tried our best. Here are the steps we took to safeguard your information.” Still, no one can guarantee data will never be breached. In fact, as cyber theft is a near certainty, companies “should have a standing group or committee ready to go” to deal with the fallout once a breach occurs, says Inward Strategic’s Steinmetz.

And that group had better be prepared for an all-out war.

“In a reputational crisis such as a data breach, what’s mainly at stake is an organization’s negative reputation—how much it’s hated, not how much it’s loved,” warns communications consultant Sandman. So the focus must shift “from increasing affection to reducing outrage.”

As noted, several large companies are currently living this nightmare, none more than Target, whose CEO, Gregg Steinhafel, told The Wall Street Journal in February: “Target won’t be defined by the breach, but by how we handle the breach.”

Those words might prove prophetic, as the company struggles to salvage its public image.

“I bleed for these guys at Target,” says Terrance Clarke, founder and managing partner of Clarke Communication Group, who helped manage J&J’s initial response to the Tylenol firestorm in the ’80s. “The steps they took were highly commendable—not only creative, but magnanimous,” he says.

Target’s response includes:

• Steinhafel’s mea culpa video, plus full-page ads in newspapers, scripts for call-center and store employees, a detailed online information hub about the breach and a toll-free hotline. (Target also cancelled a feel-good Winter Olympics-themed campaign.)

• Steinhafel revealing that hackers accessed various kinds of information for as many as 110 million customers, rather than only disclosing that 40 million card numbers were stolen, as his staff recommended.

• A 10 percent discount at Target’s 1,800 U.S. stores the weekend before Christmas, plus a year of free credit monitoring and identity-theft insurance to Target customers.

• A vow to convert to chip-card terminals by early 2015, six months ahead of schedule.

Neiman Marcus has taken similar steps, issuing an apology from CEO Karen Katz, offering a year of free credit monitoring to those who shopped at the store with a payment card and dedicating a portion of the company’s site to information about its breach.

Experts applaud these moves and suggest that companies hit by cyber crime in the future adopt similar procedures. But there’s a catch: The fallout from data breaches can keep the spin cycle in high gear and trip up companies even as they strive to be good corporate citizens.

In March, three months after Target disclosed that hackers gained access to its network—reportedly by stealing the credentials of a third-party vendor—the brand was battered by a damning story from Bloomberg Businessweek. According to Bloomberg, on Nov. 30 and Dec. 2, 2013, Target’s malware-detection software issued alerts that were passed on by security monitors in India to company execs in the U.S., who, apparently, did not respond. (For its part, Target has said that federal officials informed the company of the incursion on Dec. 12 and that it completely repelled the attack by Dec. 18, disclosing the breach to the world the next day.)

Target, forced to play defense, issued a statement that said: “After these criminals entered our network, a small amount of their activity was logged and surfaced to our team.” It continued: “The team determined that it did not warrant immediate follow-up. With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different.”

MIT’s Gosline says, “The narrative in the press makes it look like they’d hoped it would blow over and not be a big deal. Consumers may understand the instinct, but they will conclude that’s not the way to handle a crisis.”

Adds Steinmetz: “This takes them two steps backwards after taking one step forward.”

Also in March, Target conceded in a filing with the U.S. Securities and Exchange Commission: “It is possible that we will identify additional information that was accessed or stolen, which could materially worsen the losses and reputational damage we have experienced.”

The one-two punch of the Bloomberg story and SEC filing has Target reeling once again. “The longer the story keeps getting worse, the tougher it will be for Target to get past it,” says Sandman. For many of the companies snagged in this crisis, there seems to be no end to the fallout of the data breach #EpicFail.