And the Award for Corporate #PRFail of the Year Goes to…


If we hadn’t been busy spending our holidays doing everything but shopping at Target, then we would have covered this story a little more aggressively. As is, we can reflect on its status as the worst crisis comms case of 2013.

The retailer’s big failure doesn’t lie in the breach itself; as Snapchat CEO Evan Spiegel told us today, that kind of thing can happen to anyone. It’s more in the way they chose to address it.

In Forbes‘ words, the company “played down the fact that its customers most needed to hear” by failing to tell everyone that the security of their personal finances remained uncertain. In fact, the company pushed that crucial fact into the FAQ section of its 1,500 word response, writing:

“The issue occurred between Nov. 27 and Dec. 15 and guests should continue to monitor their accounts.”

Could have mentioned that a little earlier, no? We understand that Target wanted to write “please keep shopping, there’s nothing to see here”, but this failure to tell the whole story constitutes a breach of trust.

See, the company initially claimed that the window ended on December 6th and almost denied that shoppers’ PIN numbers had been stolen with a statement TIME labeled “PR doublespeak“. The key weasel words were “encrypted” and “compromised”, but the truth inevitably came out, because it was the only part of the story of any interest to the people affected! Retractions followed.

Target’s only real job was to (honestly) tell customers and shareholders that everyone who’d used a card to buy something at their stores was safe, and they failed in spectacular  fashion. This may have been because they wanted to be sure that such a claim was 100% accurate before making it, but their response was vague on every front: how the breach occurred, when the breach occurred, how shoppers were affected and whether they could continue visiting the store worry-free.

Three weeks later, the bad news just keeps coming: first the lawsuits started, then we heard that the stolen cards were fetching “a premium” on the black market and that certain banks limited the sorts of transactions available to affected customers. (It’s worth noting that Chase recommending replacing all cards involved in the breach while Target said the opposite.)

The result of all these mistakes? Target went from being a victim of fraud to an offender which intentionally misled customers by omitting key info. In terms of public perception, the company recently dropped below prime competitor Walmart for the first time.

What should Target have done?

  • Announce the security breach before any blogs could break it
  • Admit that all the facts weren’t yet known
  • Avoid making claims that everything was just groovy and update statements as more information came in

They didn’t do any of that, of course. They went into full-on spin mode, and the rest is not yet history. At least we have lessons to learn, right?