Target Mocks, Not Helps, Its Data Breach Victims

The only thing consumers did wrong is to shop at Target. Why are they being blamed for the retailer's security failings?

Ira Winkler, Field CISO & Vice President, CYE

January 22, 2014

3 Min Read

At face value, Target's $5 million contribution to organizations that educate consumers on computer safety makes sense. There was a computer compromise -- one that compromised weak computer security -- so Target should look to strengthen it. Unfortunately, the error pointed out a weakness in Target's security efforts, not those of its customers. The only thing that consumers did wrong is shop at Target.

If Target wanted to help its victims, it would have contributed $5 million to resources that help victims of the crimes that resulted from Target's own security failures. For example, the funds would be much more effective in the hands of the Identity Theft Resource Center, a nonprofit that provides counseling to victims of identity theft, which Target's customers have become.

Instead, Target mocks and marginalizes its victims by sending a message that everyone -- consumers and retailers -- has equal responsibility when it comes to data breaches. To a limited extent, that is true, but the donation is a blatant attempt by Target to repair its image without taking responsibility for its security failings.

Worse, the action implies that, if customers (the victims of the identity theft) had only engaged in better security practices, they would not have been attacked in the first place. If Target were truly interested in repairing its image, it would reframe the discussion and take responsibility for the fact that its own internal weaknesses compromised user data.

More class, less action
Some make the case that it's not wrong for Target to make a large donation to some very good organizations, but the truth is that Target knows that it will likely have to donate money to some nonprofit as part of a class action settlement when the dust settles. If it pays that money now, while it is in the middle of a public relations nightmare, there's really no down side.

The reality of class actions is that consumers rarely benefit from them. Yes, it sounds good that Target will ultimately pay tens of millions of dollars in settlement fees. But what I've discovered, after researching many such lawsuits, is that most consumers walk away with nothing tangible. Let's assume, for example, that Target agrees to pay $30 million for consumers to obtain a year of free credit monitoring. Many people already have this service, and few take advantage of it. So Target will likely end up paying less than $5 million of that sum.

Target will also probably give some discount coupons or credit vouchers that let customers believe they will receive $50 million in payouts. These payouts will require consumers to go through extensive measures to prove they suffered a loss. Then they will be required to go into and spend more money at Target. Assuming consumers actually take advantage of the payouts, that spending could represent a net gain for Target. Then there is the $5 million donation, which is a drop in Target's marketing budget. Of course, the big money -- $10-$20 million or so -- will probably go to the attorneys supposedly representing the class in the action

Well-meaning but irrelevant nonprofits help Target mock its victims while attorneys get rich filing paperwork. Target needs to stop implying that its victims are to blame. It needs to start providing real help that repairs the real damage it caused through its failure to provide adequate security for its customers' data.

Ira Winkler is co-founder and president of Secure Mentem Inc. and president of the Internet Security Advisors Group. Described as a modern day James Bond, he began his career at the National Security Agency and is recognized as an expert in Internet security and cybercrime.

About the Author

Ira Winkler

Field CISO & Vice President, CYE

Ira Winkler, CISSP, is the Director of the Human Security Engineering Consortium and author of the books You Can Stop Stupid and Security Awareness for Dummies. He is considered one of the world’s most influential security professionals and was named “The Awareness Crusader” by CSO Magazine in receiving its CSO COMPASS Award. He has designed, implemented, and supported security awareness programs at organizations of all sizes, in all industries, around the world. Ira began his career at the National Security Agency, where he served in various roles as an Intelligence and Computer Systems Analyst. He has since served in other positions supporting the cybersecurity programs in organizations of all sizes.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights