At the height of the holiday shopping season, Target finds itself grappling to maintain customers’ loyalty in the wake of a breach that exposed data from 40 million debit and credit cards.
Since disclosing the breakdown last week, the second- largest U.S. discount chain has agreed to give some shoppers free credit reporting, assured them they wouldn’t be responsible for fraudulent charges and offered a 10 percent discount on purchases last weekend to regain their trust.
“They’ve been doing everything that they can,” Robert Passikoff, president of New York consulting firm Brand Keys, said Tuesday in an interview. Still, “you’re going to see, at the wrong time of year, people who are moving to other alternatives until some comfort level comes back.”
Target said Dec. 19 that security for the cards may have been breached between Nov. 27 and Dec. 15 as customers made purchases in stores. While the chain said it had identified and resolved the issue, the compromise occurred during the most important period of the year for retailers and with shoppers already showing reluctance to spend.
Even before the incident, Target had been struggling to boost sales and earnings. The retailer’s third-quarter profit trailed analysts’ estimates as U.S. shoppers held back and expansion into Canada dragged on earnings, sending net income down 46 percent from a year earlier.
Target fell 0.4 percent to $61.65 at 12:13 p.m. in New York. The shares gained 4.6 percent this year through Monday, trailing the 14 percent advance of Walmart Stores Inc. and the 43 percent increase of the Standard & Poor’s 500 Retailing Index.
Target said Monday that it has doubled the number of staffers answering inquiries at its call center and has communicated with 17 million customers via e-mail.
It also invited state attorneys general to meet with its general counsel Monday for an update on the breach. Massachusetts is among states probing the security breakdown, and the retailer is already facing a lawsuit from at least one customer, a California resident who seeks to represent a class of other customers.
The retailer also has agreed with New York’s attorney general to provide a year of free credit monitoring to New York victims of the breach.
Security is one of the most important elements of brand loyalty, Passikoff said in a telephone interview Tuesday.
“Although people take it for granted, when it falls apart, it becomes a gaping hole, and that’s what happened to them,” he said.
Molly Snyder, a Target spokeswoman, didn’t immediately respond to phone and e-mail requests for comment.
Target has plenty of company in its quest to attract shoppers as retailers jockey for business in what’s expected to be a tepid holiday season. U.S. store visits fell 21 percent in the week to Dec. 22, according to ShopperTrak. The Chicago research firm has predicted a 2.4 percent sales gain for this holiday season, which would be the smallest since 2009.
To lure reluctant shoppers, retailers have ratcheted up discounts to the highest level since 2008, according to Craig Johnson, president of Customer Growth Partners in New Canaan, Connecticut. Even with its 10 percent discount, the number of transactions at Target slipped 3 percent to 4 percent compared with the final weekend before Christmas last year, according to Johnson’s firm.
The breach also has shown that security in the U.S. is weaker than in some other countries that now use credit cards with embedded chips that are more secure than magnetic strips to store account data, according to Dan Kaminsky, co-founder and chief scientist at White Ops, a cybersecurity firm in New York. The U.S. payments industry has said it will replace magnetic strips by 2020, a deadline that could now be accelerated in the aftermath of the Target breach, Kaminsky said last week.
While card-swiping devices have been hacked in the past, the incidents typically occurred at a single machine or store, not chain-wide, which is why this breach is troubling, Kaminsky said.
Target said account numbers, expiration dates, cardholder names and credit verification value, or CVV, had been compromised. That kind of data could be used to make counterfeit credit cards, Kaminsky said.