Target: Deceive first, answer questions later

Issuing deceptive statements is no way to win back customers' trust. That's a lesson for anyone who might find itself in Target's position someday.

For Target to get beyond its data breach disaster, it needs to regain the trust of its shoppers. Mystifyingly, it has opted to issue statements that are, at best, misleading. Some tiptoe beyond misleading, since the chain had to know they were untrue when it issued them.

The latest example came Friday, when Target confirmed that encrypted PIN data was stolen. Then came the whopper: "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."

Of course those debit card accounts have been compromised. Webster's dictionary defines compromise as exposing something "to risk or danger." When personal identification numbers that give full access to someone's bank account are in the hands of experienced and sophisticated cyberthieves, I think it's safe to say that those bank accounts are indeed exposed to risk or danger. How could anyone argue otherwise?

Target's statement emphasized that the cards were triple DES encrypted and that the encryption key was not stored in Target's systems. It added that the data "can only be decrypted when it is received by our external, independent payment processor."

First off, Target's people know well that any encryption can be broken, if the attacker spends enough time and has enough compute power. It may not be easy, but it can certainly be done. Triple DES is an excellent encryption option, but nothing is unbreakable. Therefore, saying that the data "can only be decrypted" by its payment processor is untrue.

Target should be applauded for not storing that encryption key anywhere on its system. Having it stored solely at its payment processor is also a good move, but processors' systems can be broken into as well. Indeed, given that they have data from a huge number of retailers, it's an especially attractive target.

So, in theory, how could the attacker get access to the PINs? First, a brute-force cracking effort on the encrypted data might work. Second, the key might be grabbed by an attack on the processor's systems, as has happened in the past. Third, there might be a Target insider -- or a processor insider -- who could give up the key for money. Or who might be tricked into giving it up, via social engineering, which cyberthieves love.
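To make the two preceding paragraphs concrete, here is an added Go example (not from the column, and not Target's or any processor's code) that models what "encrypted PIN data" typically means on the terminal side: an ISO 9564-1 format 0 PIN block, Triple DES encrypted under a key the store never holds. The PIN, PAN and 24-byte key are constructed sample values, and the format 0 layout is my assumption about the block structure, since the statement quoted above does not say. The `BruteForceYears` estimate puts numbers on the first of the three routes listed above: exhaustive search of a 112-bit effective key space is not the realistic threat; the key being copied from the processor or handed over by an insider (routes two and three) is, which is why key custody and rotation matter more than the cipher's name.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// panField builds the PAN half of a format 0 block: "0000" followed by the
// 12 rightmost PAN digits excluding the check digit (ISO 9564-1 format 0).
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, fmt.Errorf("PAN too short")
	}
	noCheck := pan[:len(pan)-1]
	return hex.DecodeString("0000" + noCheck[len(noCheck)-12:])
}

// PINBlockFormat0 XORs the PIN field (0, PIN length, PIN digits, F padding)
// with the PAN field. This is the clear block a terminal would encrypt.
func PINBlockFormat0(pin, pan string) ([8]byte, error) {
	var block [8]byte
	if len(pin) < 4 || len(pin) > 12 {
		return block, fmt.Errorf("PIN length %d out of range", len(pin))
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	p, err := hex.DecodeString(pinField)
	if err != nil {
		return block, err
	}
	q, err := panField(pan)
	if err != nil {
		return block, err
	}
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// RecoverPIN reverses format 0 given the PAN; only meaningful on a block
// that has already been decrypted under the correct key.
func RecoverPIN(block [8]byte, pan string) (string, error) {
	q, err := panField(pan)
	if err != nil {
		return "", err
	}
	var p [8]byte
	for i := range p {
		p[i] = block[i] ^ q[i]
	}
	h := hex.EncodeToString(p[:])
	if h[0] != '0' {
		return "", fmt.Errorf("not a format 0 block")
	}
	n, err := strconv.ParseInt(h[1:2], 16, 0)
	if err != nil || n < 4 || n > 12 {
		return "", fmt.Errorf("bad PIN length nibble")
	}
	return h[2 : 2+int(n)], nil
}

// EncryptPINBlock applies one Triple DES block operation under a 24-byte key.
func EncryptPINBlock(key []byte, block [8]byte) ([8]byte, error) {
	var out [8]byte
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return out, err
	}
	c.Encrypt(out[:], block[:])
	return out, nil
}

// DecryptPINBlock is the processor-side inverse; without the key the output
// is just another random-looking 8 bytes.
func DecryptPINBlock(key []byte, enc [8]byte) ([8]byte, error) {
	var out [8]byte
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return out, err
	}
	c.Decrypt(out[:], enc[:])
	return out, nil
}

// BruteForceYears estimates expected exhaustive-search time, assuming the
// attacker tries half the key space on average at the given guess rate.
func BruteForceYears(keyBits int, guessesPerSecond float64) float64 {
	expected := math.Ldexp(1, keyBits-1) // 2^(keyBits-1) guesses
	const secondsPerYear = 365.25 * 24 * 3600
	return expected / guessesPerSecond / secondsPerYear
}

func main() {
	// Constructed sample values; a real processor key lives in an HSM.
	key := []byte("constructed-24-byte-key!")
	block, _ := PINBlockFormat0("1234", "4111111111111111")
	enc, _ := EncryptPINBlock(key, block)
	fmt.Printf("clear block: %x  encrypted: %x\n", block, enc)
	dec, _ := DecryptPINBlock(key, enc)
	pin, _ := RecoverPIN(dec, "4111111111111111")
	fmt.Println("recovered with the processor's key:", pin)
	fmt.Printf("brute force, 112-bit effective key at 1e12 guesses/s: %.2e years\n",
		BruteForceYears(112, 1e12))
}
```

The estimate treats Triple DES as having 112 bits of effective strength, the usual figure once the meet-in-the-middle shortcut is accounted for; the point of running it is to see that the number dwarfs any plausible computing budget, so an analyst assessing this kind of disclosure should be asking about key custody, not key length.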

Had Target simply said that the stolen PINs were fully encrypted so there's an excellent chance that they won't be accessible, that would be fine. It could have also truthfully added, "We currently have not seen proof that the bad guys have in fact deciphered these PINs. We've also not seen any evidence that they haven't."

It could have said, "We have used top-notch encryption, so your PIN is probably safe for the moment. But please change your PIN right away, so you'll be even safer." Better yet, banks could force the PINs to be changed when the card is used next. That would get new PINs to be in place quickly, without locking any customers out (in theory).

But by stating that the codes are perfectly safe, Target is demonstrating the perfect way to not restore trust. I have noticed this tendency with a lot of marketers. If their product can do something very well, they feel a need to exaggerate it.

This follows the biggest lie of all, which Target unleashed on Dec. 20: "Yesterday, we shared that there was unauthorized access to payment card data at our U.S. stores. The issue has been identified and eliminated." The vagueness gives Target very little cover. What does it mean by "the issue"? In context, it's clearly meant to communicate that the method the attackers used "has been identified" and the security hole they took advantage of has been "eliminated."

A few days later, Target told state attorneys general that -- understandably -- it was still trying to determine the attackers' exact methods. That makes perfect sense, since data breach investigations take time and the initial indications often prove to be untrue. Target fully knew that and yet it immediately said it had identified the issue and then -- this is the killer -- had "eliminated" it. It was trying to convince people that the security risk was gone, when it knew that it was far too early to reliably say that.

Why would it say that, knowing it was false? The most likely -- albeit cynical -- interpretation is that it believed its intended audience (shoppers) would be trusting enough (and not technically astute enough) to not know it was false. In short, its customers would believe it and might not slow down their shopping at Target.

Target's behavior in all this is not at all unusual, but it is completely wrongheaded. Here's my advice to any company that suffers a data breach like this: Tell your customers the truth. Don't let the PR people and marketers make everything sound bright and happy. Your customers are going to hear the actual truth eventually, and if it contradicts what you have said in your statements, it is going to be harder for them to trust you in the future. Weaselly, soft-soap statements are no way to restore trust.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for, RetailWeek and eWeek. Evan can be reached at Look for his column every Tuesday.
