Target's 'We've Been Breached' Sale is a Little Cynicism for the Holidays

A sale, right before Christmas? What an extraordinary step for a retailer to take! And that hefty 10% off is available to everyone. Target's millions of breach victims must be feeling very special.

By Evan Schuman
Mon, December 23, 2013

Computerworld — Data breaches can happen to anyone. One just happened to Target, which announced that data involving some 40 million credit cards had been accessed. What really matters is how a company handles a breach.

[ 10 Mistakes Companies Make After a Data Breach ]

[ Worst Data Breaches of 2013 (Part 3) ]

Overall, Target seems to have handled things as well as most other companies in the same tough spot. That said, it has nonetheless taken a serious breach and cynically tried to turn it into an opportunity for profit. It's not the first company to do this, but let's hope it's the last.

On Friday, Target CEO Gregg Steinhafel announced a "Data Breach Sale," encouraging people to come back to Target, spend more money and give up more payment information. There are two things that make me call this cynical. First, a 10%-off sale, running on Dec. 21 and Dec. 22 (the Saturday and Sunday before Christmas), seems like something a savvy retailer like Target might have already planned to do, with or without a headline-grabbing data breach. Second, what does this do for the actual victims of the breach? They get the privilege of paying a mere 90% of the marked price if they shopped at Target this weekend, but so did everyone else.

Steinhafel's rationale? He said the universal discount was in the "spirit" of "we're in this together."

Keeping Christmas merry for Chase

When credit or debit card numbers are accessed by thieves, the typical procedure, for quite a few years, has been to shut down the affected cards and immediately issue new ones to the cardholders. Thieves know that once a breach has been discovered, they may have as little as an hour before the card data becomes worthless. That's why they use lots of accomplices to make simultaneous purchases and withdrawals, so they can monetize the stolen data while it's still worth something.

But that standard procedure has been radically modified in the case of the Target breach. JPMorgan Chase on Saturday announced that it would limit affected Chase debit cardholders to $100 in cash withdrawals and $300 in total purchases per day. Why limit the cards instead of shutting them down? It's all about the calendar.

Bankers know that for retailers (and by extension, for bankers themselves), any day in December is generally worth far more than any day in March or June. If Chase took the normal path of shutting down those millions of affected cards, the cardholders would have to finish up their Christmas shopping using other payment methods, as they wait anywhere from two days to a week for the replacement card to arrive. Does Chase want to be shut out from its share of so many last-minute holiday purchases? Apparently not, and so it decided to allow some purchasing to go ahead, while putting a limit on the absolute total loss it could suffer through fraud.

Continue Reading

Originally published on www.computerworld.com. Click here to read the original story.
Our Commenting Policies