Target Can’t Handle Inundation of Queries Following Security Breach

Target’s support infrastructure for handling fallout from a massive credit card data breach was woefully inadequate the day after the retailer acknowledged that some 40 million credit cards had been compromised between Nov. 27 and Dec. 15, Consumer Electronics Daily found. Holders of Target’s own REDcard debit or credit card who tried calling the toll-free number on the back of the card were stymied through a second day as calls got a busy signal. The REDcard website was virtually inaccessible Thursday after Target released the news, and was very slow to respond Friday.

A banner at the top of the Target website on Friday directed customers to a notice about the unauthorized access to data dated Dec. 19 in which Target told customers, “Your trust is a top priority for Target, and we deeply regret the inconvenience this may cause. The privacy and protection of our guests’ information is a matter we take very seriously and we have worked swiftly to resolve the incident.” Target said it “began investigating the incident as soon as we learned of it” and said the data involved included customer name, credit or debit card number, and the card’s expiration date and CVV -- the security code. The retailer said it’s working with a third-party forensics company “on a thorough investigation” and is examining ways to prevent such incidents in the future.

But the issue was far from resolved for customers and banks. While Target urged customers to keep monitoring their accounts, we found it painstakingly difficult to do so. The phone number provided in the Target notice was answered electronically with a message “regretting the inconvenience caused by unauthorized access to payment card data in U.S. stores.” It directed customers to https://corporate.target.com for more information. That link looped us back to the original notice with the phone number we had just called.

Another option directed REDcard customers to press 1 for questions about their account. When we did so, we were directed by an automated recording to check account activity at rcam.target.com. After roughly a dozen failed attempts at that URL due presumably to high traffic, we finally reached the website where we were instructed to enter a user name and password. As a new REDcard customer, we weren’t sure if we had enrolled. We selected the option to retrieve the user name and password and got an error message. The page instructed us to go back or to call Target Card Services at yet a different phone number. That number went directly to a busy signal.

We then attempted to enroll in the Manage My REDcard section on the Target website. The process took roughly 45 minutes with plodding operation at every stage of data entry. We were able to enroll our card, set up five personal questions to be used for identification and then hit an “Enhanced Management Security” page requesting a phone number to link to the account before we could view recent transactions. We plugged in the phone number and then hit another error message when we tried to move ahead to access the account transactions. Another security page popped up requesting the last four digits of the Social Security number. We inserted that and our account information appeared. To our relief, the only charge there was one we had made in a store the previous weekend.

Target’s Facebook page took a multitude of hits Thursday and Friday as angry customers vented their frustration over the Byzantine trail they had tried to take to see if their accounts had been violated. One visitor wrote: “After 48 minutes on hold with Target, suddenly a busy signal and my call was dropped. ARE YOU KIDDING? This is completely unacceptable.”

Another Facebook user, Julie, suggested with some sarcasm that Target “cancel everyone’s card and then spend your man power reissuing them to everyone since none of us can get through using the number or website!!!!” In what appeared to be a robot response from Target, she was told, “Hi Julie, we'll be sure to share your thoughts with our teams, we appreciate your feedback!” An exasperated Julie retorted, “'Your teams'” can’t do anything like that, we all know that! I doubt anyone in your corporate office is actually watching these posts!” She suggested all REDcards should be canceled within the hour “or you guys are going to be in some serious trouble PR-wise and that can kill a business!” Target responded, “Hi Julie, if you're looking to check on a debit card, you may also reach out to your bank. Thank you!"

A heated conversation emerged on the Facebook post over user responsibility. A visitor named Rae said those complaining that Target should be taking more proactive action called on them to “grow up” and cancel the cards themselves rather than asking Target to do it. Another visitor, Kari Ann, agreed that canceling a card is the cardholder’s responsibility “but the frustration is that we cannot access our accounts; websites and phones [are] not working.”

Ironically, it’s Target’s valued REDcard customers who were most frustrated. Facebook user Tara said, “It seems like everyone knows how to handle their bank account info for their non-Target cards, the complaint is the Target card. It is impossible to cancel when the website won’t let you access your account and the phone number to call is constantly busy.”

Those with Target debit cards were particularly vocal. A Facebook user named Camille said, “At the very least you should identify the REDcards linked to debit accounts and cancel those immediately! The banks will do nothing unless your account is compromised. Your site does not work for us to reset our pins. Your phone number hangs you up automatically. We went to our local Target (where we do all our shopping) and they told us to CALL the NUMBER! We are done with Target."

Compromised accounts through other credit and debit card issuers are being handled by issuing banks. One Target customer, Liz, who attributed seven unauthorized Western Union charges in two days on her MasterCard to the Target fiasco, told us she’s waiting to hear from her bank whether her card needs to be canceled and reissued. She was able to begin that process Thursday as the news broke about the Target breach, but she was still concerned about having to cancel her credit card five days before Christmas.

The consequences of the breach are reaching beyond Target’s traditional customer base. A holiday shopper told us Thursday she had planned to look on the Target website for a Christmas present for a friend. Although the breach occurred in stores, not through Target’s e-commerce, all she needed to see on the website was a notice about “some sort of credit card breach” to make her shop elsewhere. That “definitely deterred me from shopping online there,” she said. Target did not immediately respond to questions.