Crisis Communication Essay

James Harootunian
BA 2196 Section 20/ Professor Miller
Writing Assignment: Crisis Communication
On Dec 18, 2013, the public discovered that Target—America’s second largest retailer—
had experienced a massive data breach that resulted in the theft of personal information from 70
million customers. In addition to personal information such as names and phone numbers, the
breach also resulted in the exposure of 40 million customers’ credit and debit card information.
Sources indicated that the breach took place from Nov 27 to Dec 15th (Clark, 2014). Hackers
entered Target’s network by using access rights given to Fazio Mechanical Services— a
company that managed Target’s HVAC systems. Once inside, they were able to install malware
programs that obtained customer information through the retailer’s point-of-service system
(Vijayan, 2014). Target ineffectively managed its crisis in the following ways: first, by not
addressing the crisis immediately, the company was forced to take a defensive approach once the
breach was discovered; second, the organization failed to provide accurate information and lost
the trust of its customers; third, then-CEO Gregg Steinfield did not address the public with
confidence and sympathy, which resulted in people questioning Target’s positive intentions.
Target’s crisis communication during the 2013 data breach was not successful because it
failed to address the crisis immediately, thus forcing the organization to take on a reactionary
approach once crisis information leaked. Target executives met with the U.S. Justice Department
on Dec 13, 2013 to discuss the potential breach, and the following day the retailer hired a third
party to investigate the hack. On Dec 15, 2013, Target officially discovered that their systems
had been breached and that customer information may have potentially been stolen (Clark,
2014). Customers learned of the data breach when “the story was broken on December 18th by
security blogger Brian Krebs” (Temin, 2013, p. 1). Target publicly addressed the data breach—
four days after the initial discovery—on Dec 19, 2013 (Clark, 2014). In an interview nearly a
month after the incident, CEO Gregg Steinhafel attempted to justify the initial delay by stating
that the four-day period felt like “lightning speed from Target’s perspective” (Quick, 2014, p.1);
however “confused holiday consumers were worried about the safety of their information” (Lee,
2014, p.2). This lapse may be attributed to Target’s desire to be thorough in obtaining
information and confirming the breach, but this led to another source revealing information first
and leaving customers without a timely formal response from the retailer. In his article “Crisis
Management and Communications”, Timothy Combs (2014) advises that organizations should
“provide a response in the first hour after the crisis occurs” (p. 4) and indicates that failing to do
so can be “perceived by the media and public as stonewalling and irresponsible” (Murray, 1992,
p. 4). Target failed to provide a response anywhere near the one-hour window, which resulted in
the organization having to defend itself and answer for its period of silence. As Thomas Lee
explained, “ anytime you are not controlling the release of information, you lose the opportunity
to cast yourself in the role of the hero rather than the villain” (Lee, 2014, p. 2). Customers felt
uneasy and began to question Target’s motives and credibility as opposed to viewing Target as
the victim of computer crime.
Target’s response to its 2013 data breach was ineffective because it provided inaccurate
information to the public and caused consumers to lose trust in organization and its ability to
manage the crisis. During its initial release on Dec 19, 2013, the retailer claimed that customer
PIN numbers were not amongst the information that had been comprised during the data breach.
Then on Dec 27, 2013, “an ongoing investigation by a third-party forensics unit finds that
encrypted debit card PIN information was accessed during the breach” (Clark, 2014, p. 1).
Target believed that consumer PIN’s were still safe, but the organization was forced to retract its
previous claim (Clark, 2014). Target made an assurance to the public that it could not keep and
“there is nothing better to destroy trust than making an assurance one day that you will have to
go back on the next” (Temin, 2013, p. 3). Timothy Combs (2014) stresses in the event of a crisis,
“people want accurate information about what happened and how the event might affect them”
(Combs, p. 4). He also explains that if organizations release inaccurate information, they will be
viewed as incompetent (Combs, 2014). Victims of the data breach needed to know whether or
not their PIN’s had been comprised so that they could protect themselves from fraudulent use of
their accounts. Customer’s wanted answers and Target provided them with information that had
yet to be confirmed through the investigation. Target could have chose to “admit the things that
they did not yet know, and plan for the worst case” (Temin, 2013, p. 2), but instead the
organization decided to provide inaccurate information in an attempt to reassure customers. This
resulted in customers viewing Target as incompetent, leaving the retailer with a tarnished
reputation.
Target’s attempt to repair its reputation during its 2013 data breach failed because thenCEO Gregg Steinhafel did not address the public in a confident and sympathetic manner, thus
causing people to doubt Target’s positive intentions. In the days following the breach, Target
posted several videos of Steinhafel responding to the data breach on the company’s website.
During these videos he thanked customers for their business and trust in target, shared tips for
the data breach victims, apologized for call center wait times, and offered all guests a 10%
shopping discount (A message from, 2013). While much of this information was useful,
Steinhafel failed to offer a true and sincere apology to those affected. Specifically, he only
offered one apology and it pertained to Target’s inefficiencies in its call centers. Davia Temin
(2013) describes Steinhafel’s response in her article “Targets Worst PR Nightmare” by saying
“though he does apologize briefly, his response does not take enough responsibility, or seem
sorry enough” (p. 1). Given that the data breach impacted millions of innocent victims, Steinfield
should have been more sincere and sympathetic. In addition to his lack of sympathy, Steinfeld
also failed to limit his disfluencies during his address. He spoke for less than two minutes and in
that time he used the phrase “uh” five times. (A message from, 2013) This gave the impression
that he was ill prepared and not taking the crisis seriously. Timothy Comb’s (2014) explains that
“disfluencies such as uhms or uhs” (p. 2) should be avoided, as people will view the user as
deceptive when they are used. He continues by mentioning that crisis managers should “express
concern/sympathy for victims of the crisis” (p. 5). Steinhafel’s constant disfluencies, paired with
his lack of sympathy, lessened the effectiveness of his response and caused people to doubt the
organization’s positive intentions.
Target ineffectively managed its crisis in the following ways: first, by not addressing the
crisis immediately, the company was forced to take a defensive approach once the breach was
discovered; second, the organization failed to provide accurate information and lost the trust of
its customers; third, Gregg Steinfield did not address the public with confidence and sympathy,
which resulted in people questioning Target’s positive intentions. Given the impact of the crisis,
Target has invested nearly $100 million dollars to improve its security and will be adding new
technology to protect customers’ PIN numbers (Clark, 2014). The data breach also represents
one of several reasons that CEO Gregg Steinhafel made the decision to resign in May 2014 (Lee,
2014). Finally, although Target’s stock price has returned to pre-crisis levels, there are still
customers that are taking advantage of the company’s free credit monitoring services as a result
of the data breach (Credit Monitoring).
Works Cited
A Message from CEO Gregg Steinhafel about Target's Payment Card Issues. (2013, December
20). Retrieved March 11, 2015, from http://www.abullseyeview.com/2013/12/target-ceo-greggsteinhafel-message/
Clark, M. (2014, May 5). Timeline of Target's Data Breach And Aftermath: How Cybertheft
Snowballed For The Giant Retailer. Retrieved March 11, 2015, from
http://www.ibtimes.com/timeline-targets-data-breach-aftermath-how-cybertheft-snowballedgiant-retailer-1580056
Coombs, W. (2011). Crisis Management and Communications. Institute for Public Relations.
Credit monitoring FAQ. (n.d.). Retrieved March 12, 2015, from
https://corporate.target.com/about/payment-card-issue/credit-monitoring-FAQ.aspx
Lee, T. (2014, May 7). Target's culture contributed to Gregg Steinhafel's downfall. Retrieved
March 11, 2015, from http://www.sfgate.com/business/article/Target-s-culture-contributed-toGregg-5458122.php
Murray, E., & Shohen, S. (1992). Lessons from Tylenol tragedy on surviving a corporate
crisis. Medical Marketing and Media, 27(2), 1-4.
Quick, B. (2014, January 12). Target CEO defends delay to disclose data breach. Retrieved
March 11, 2015, from http://www.cnbc.com/id/101329300
Temin, D. (2013, December 30). Target's Worst PR Nightmare: 7 Lessons From Target's WellMeant But Flawed Crisis Response. Retrieved March 11, 2015, from
http://www.forbes.com/sites/daviatemin/2013/12/30/targets-worst-pr-nightmare-7-lessons-fromtargets-well-meant-but-flawed-crisis-response/
Vijayan, J. (2014, February 6). Target breach happened because of a basic network segmentation
error. Retrieved March 11, 2015, from
http://www.computerworld.com/article/2487425/cybercrime-hacking/target-breach-happenedbecause-of-a-basic-network-segmentation-error.html