Cybercrime's First CEO Casualty: Avoidable Error

This post was published on the now-closed HuffPost Contributor platform.

It was inevitable: the first resignation of a Fortune 100 chairman and CEO in the wake of a serious security breach. Target CEO Gregg Steinhafel got the hook! Though the pundits insist other key drivers triggered his resignation, the reputational debt Target sparked in its mishandling of the largest retail privacy breach in history certainly triggered Steinhafel's demise.

Every large company today is on notice that getting cyber-hacked is more certain than probable, so Steinhafel simply didn't possess the reputational wherewithal to commit as many mistakes as he and Target did and survive. Sadly, most companies simply don't have crisis-communication plans in place when a cybersecurity event erupts. It's clear that Target didn't. Target, however, also made a number of cardinal errors and omissions that cascaded into insurmountable reputational debt. They boil down to these:

At first, don't deny: Target possessed information on the breach before cybercrime journalist Brian Krebs broke the story on Dec. 18. Rather than owning the information on its own terms, Target reacted by dribbling out information colored by emotional denial and over-lawyered language.
Never define the universe in the midst of the crisis: In the earliest days of the breach, Target began circulating data on the number of customers impacted. Subsequently, though, it continually revised the number upward to the point that everyone stopped paying attention. Trust and credibility had been mortgaged irreparably.
Show your work: Much like calculating a math problem on paper, companies in crises must enlighten the stakeholders that breathe life into the organization on what they're doing to address the crisis and use trusted internal and external subject matter experts to cascade the data and information. Target appeared to have absolutely no structure or taxonomy for multistakeholder engagement and activation, which is particularly tragic given that privacy crimes are a shared pain point for industry generally.
Establish moral clarity: Every crisis must have a reference point that establishes moral clarity, or it needs a North Star that makes manifestly clear the guiding principle for crisis response. This can take the form of a clear and unequivocal customer promise fortified by action or a root-cause analysis followed by major organizational changes that seek to prevent any recurrence of the risk. Ours is a redemptive society, but in the absence of a compass to galvanize the power of perception, forgiveness proves quite elusive. If only in name, Target completely missed the mark on this - assuming it even tried.

The Target saga is particularly significant because it was largely avoidable. If Target had possessed a vibrant crisis plan that kept pace with the speed of risk, it would have discovered the breach much earlier, communicated faster and broadly, and probably would have earned sympathy points as a victim of a largely uncontrollable existential threat. Instead, Target was the victimizer, fueling the wrath and bounty-seeking of customers, regulators, capital markets, elected officials and, ultimately, its own board.
