Target’s Lacklustre Apology

I’ve just received an email from Target, far too late after their credit card hack debacle. Despite the ample time they had to word a true apology, the following is what they’ve released (with my comments):

Dear Target Guest,

As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.

Nothing wrong here – a statement of facts, told plainly. All good.

I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you.

“I’m sorry this occurred”, like “mistakes were made”, is not an apology. Also, “inconvenience” is what you regret when a customer is put on hold, not when 70 million people’s personal financial information is lost.

Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available.

This is fine, everyone likes a freebie, even a somewhat odd one. Here’s where things really go downhill, though:

In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:

  • Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
  • Delete texts immediately from numbers or names you don’t recognize.
  • Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.

This is completely nonsensical and has nothing at all to do with the problem at hand. Target’s own servers got hacked – this was not a phishing scam. Why even mention this? It’s like your bank telling you to lock your house doors after their own vault got robbed. The failure here was entirely Target’s and caused by their own lack of proper security.

The email is at best a half-hearted non-apology. How could they have done better?

  1. Actually apologize. “You put your trust in our security systems and they were not up to the task. This has caused us to lose your personal information, and we are very sorry”.
  2. Say how you will fix it. “To help prevent this from ever happening again, we will be implementing xyz security measure (2048-bit RSA keys, replacing the magnetic stripe cards, whatever).” Note that Target have not mentioned how they will fix the source of the problem, or whether they will be fixing it at all.

It’s that simple. There’s no need to ramble on about security measures that are wholly unrelated to your own failure, or tell people that their call is important to you. Just apologize and fix the problem.