Target Retailer CEO Struggles to Contain Giant Cybertheft

Executives settled around a square table inside a Target Corp. conference room here earlier this month and munched on store-brand snacks as they chewed over something far less appetizing.

Source: WSJ - Monica Langley | Published on February 19, 2014

Opinion surveys commissioned by the company found that the massive cybertheft that waylaid Target late last year had knocked confidence and trust in the 51-year-old retailer to an all-time low.

Some of the executives were frustrated. Target was having trouble shaking the fallout from a key decision by Chief Executive Gregg Steinhafel that made the crisis appear even worse than it already was.

The initial evidence had indicated that credit and debit card numbers of about 40 million Target customers had been stolen. But the retailer had learned later that hackers gained access to partial names and physical or email addresses for as many as 70 million people, a breach that some top executives counseled against disclosing because it was unclear what kind of fraud danger it posed.

Nevertheless, Mr. Steinhafel insisted on making the bigger number public, sparking news reports that as many as 110 million Target customers had been affected.

At the meeting, Chief Marketing Officer Jeffrey Jones groused about the huge number. The public "keeps hearing that equals one third of all Americans," he said. "That's hammering us."

Mr. Steinhafel says he has no regrets about the aggressive disclosure and other costly decisions in the wake of the crisis. "Target won't be defined by the breach, but how we handle the breach," he says.

This account of how Target executives responded to one of the biggest challenges in the company's history is based on interviews with Mr. Steinhafel, Mr. Jones, Chief Financial Officer John Mulligan and other top executives and includes their recollections of internal discussions.

The executives acknowledge the crisis has damaged the retailer's bull's-eye brand, while analysts estimate it may cost Target billions of dollars. During the holiday-shopping season, Target's sales and store traffic plummeted. Call-center volume overwhelmed employees. Executives testified before congressional panels, and the company is facing federal and state investigations into how the cybercrime occurred from its store registers and computer network.

Millions of Target customers were inconvenienced and frightened by the breach, but it isn't clear how many have been victims of fraud. Not every card swiped at Target registers during the time period in question had its number stolen. But all types of cards were affected, from Target's store brand to Visa, MasterCard and American Express. The thieves then sold the card numbers on the black market, after which some shoppers began seeing fraudulent charges.

Over the two months since the crisis erupted, Mr. Steinhafel, 59 years old, has lurched from one difficult decision to another.

At one point, he proposed in a meeting that Target would provide free credit monitoring and identity-theft insurance for one year to all its customers. Scott Kennedy, a senior executive, asked: "You're saying we will give this to any customer who's ever been in a store, but we aren't checking?"

Mr. Steinhafel nodded.

"Then we're offering this to all Americans," Mr. Kennedy replied.

Target went ahead with that plan.

The breach could wind up costing Target, which notched $73 billion in sales in 2012, a few billion dollars, people familiar with the matter say. Investment bank Jefferies LLC, which has analyzed various such breaches, estimates the retailer could have to repay banks up to $1.1 billion for fraudulent transactions on stolen cards.

New chip technology to replace magnetic strips on credit cards could cost about $100 million, one executive told Congress. Card-monitoring services for customers could cost tens of millions, according to one executive. Hundreds of millions of marketing dollars could be diverted to repairing the brand. In addition, costs are mounting for reissuing cards, staffing call centers, forensic and data-security units, and lawyers for public inquiries and private lawsuits.

The day after the cyberattack announcement, Target offered a 10% discount in all its stores for the last weekend before Christmas, a move to win back trust. "No amount of traffic recouped the loss to the bottom line for that," says Mr. Mulligan, the CFO, noting that Target routinely sells national brands at a very low margin.

Mr. Steinhafel's days have been especially hectic since the crisis began. One day earlier this month, he hit the gym at Target's headquarters at 4:30 a.m. for a high-intensity P90X cross-training workout. Later, he reviewed loss leaders (including 24-set crayon boxes) for next fall's "back-to-school" season, then sneaked into a Target store for an inspection, noticing that there weren't enough carts in the entry and that a mannequin had an out-of-place arm.

Mr. Steinhafel got an early start in the retail business working in his family's furniture store in Milwaukee. Target recruited him out of business school in 1979 as a children's merchandise trainee. He became the architect of the chain's "cheap chic" niche, then was named CEO in 2008, with current annual pay of about $20 million. He says he personally interviews candidates for all of Target's senior executive slots, about 600 jobs in all.

The CEO, who likes to say "retail is detail," is known internally for paying surprise visits to Target stores; there are about 1,800 in the U.S. that drew about 32 million customers a week before the crisis. Store managers say they warn each other to be alert for a man snooping around the aisles, frequently snacking from a box of animal crackers. At a Minneapolis store, manager Jen Mayer says she spotted Mr. Steinhafel on the security tape on Feb. 3. She grimaced at the dirty, snow-tracked entry he inspected.

Recently, Mr. Steinhafel says, he stopped a manager who was reading email on her cellphone as she passed through Target's downtown Minneapolis headquarters. "Please be in the present," he recalls telling her.

Business had been looking up for Target before the crisis. Target joined other national retailers to open on Thanksgiving Day. Mr. Steinhafel said in a news release at the time that customers "shopped Target in unprecedented numbers" over the holiday weekend.

Unknown to Target, a cyberattack also was under way.

From Nov. 27, the day before Thanksgiving, through Dec. 18, Target executives say, shoppers' payment-card data was captured through "malware" installed in Target's computer network. The hackers had entered the network through a vendor.

On the evening of Friday, Dec. 13, Mr. Mulligan, Target's CFO, called Mr. Steinhafel, who was eating sushi with his wife and another couple. "It's probably nothing, but the Feds notified us of some suspicious activity," Mr. Mulligan told the CEO. "We're checking it out."

By Sunday, Target confirmed internally that criminals had infiltrated its network, installed malware that covered 62,000 store registers and potentially stole shoppers' credit-card information. Reached at home while sipping his morning coffee, Mr. Steinhafel was stunned. "This is devastating," he responded to the Target information-technology official.

For two days, Target alerted payment processors and card networks and prepared stores and call centers.

Around that time, Jodee Kozlak, Target's human-resources head, entered Mr. Steinhafel's office and closed the door.

"Can you believe it?" Mr. Steinhafel asked her, putting his head in his hands. "We plan so far out in the future, and then..." He stopped and sat motionless for 30 seconds.

Mr. Steinhafel informed lead director James Johnson at a board compensation committee meeting in Minneapolis on Dec. 18 and other directors by phone. Subordinates drafted a news release and script for call-center and store employees.

When they distributed a final draft to executives around the conference table, Mr. Steinhafel complained that it read like a lawyer wrote it. The group reworked the release until 3 a.m.

Hours later, at 7 a.m. on Dec. 19, Target issued a statement revealing "unauthorized access" to customers who made credit or debit-card purchases in U.S. stores. It said 40 million payment-card numbers had been stolen. "Your trust is a top priority for Target, and we deeply regret the inconvenience this may cause," it said. Target provided a toll-free number for more information.

The breach got wide publicity. Shoppers clogged Target phone lines and stores. Some sent tweets and emails that they would never again shop at Target. On the last weekend before Christmas, the big crowds at Target stores had dwindled.

On Dec. 20, Mr. Jones, the chief marketing officer, urged Mr. Steinhafel to appear in a video on Target's website. The CEO was reluctant. He didn't have a script and was exhausted.

With a camera rolling, Target's public-relations chief, Dustee Jenkins, asked him questions. Mr. Steinhafel, clad in Target's trademark red shirt and khakis store attire, thanked customers for their trust, provided tips to monitor their accounts and promised zero liability to shoppers for any fraudulent charges.

Mr. Steinhafel began holding twice-daily "status meetings" in a 32nd-floor conference room. Access was restricted to a few executives. There were whiteboards and TV screens and tables of store-branded snacks, including a favorite: peanut-butter-filled pretzels. The room overlooked Target Field, home of the Minnesota Twins baseball team, and Target Center, home of the Minnesota Timberwolves basketball team.

Target got more bad news when Mr. Steinhafel huddled with top executives on Christmas Eve. Contrary to early disclosures to customers, personal identification numbers to debit and credit cards also had been stolen, although the company says they were encrypted and therefore not usable.

Mr. Steinhafel spent Christmas Day juggling calls and emails while spending time with his wife and adult children playing a board game and working a jigsaw puzzle.

Millions of calls had been pouring in to the call centers, pushing wait times as long as three hours. On Dec. 26, a Target executive told his colleagues that average waits had fallen dramatically. Mr. Steinhafel leaned forward with his hands on the table and angrily called the report "misleading."

"I just phoned the call center, and was put on hold for 45 minutes and given the runaround several times," he said, his voice growing louder.

He was told that call times could improve within three weeks. "Do it in one week," he ordered.

Target tripled resources devoted to the center, and one week later, response time was down to eight seconds, Mr. Steinhafel says.

On Jan. 8, Target's board met longer than originally scheduled. The directors expressed "total confidence" in Mr. Steinhafel, says lead director Mr. Johnson.

The following day, the Secret Service, the federal body charged in part with investigating cybercrime, told Target that criminals had accessed as many as 70 million more pieces of information in addition to the card numbers. The material included partial names and phone numbers and email addresses, some of which could correspond with card numbers identified as stolen.

Some Target executives told Mr. Steinhafel that 70 million could be too high and that Target wasn't legally required to disclose any data breaches other than stolen card numbers.

Mr. Steinhafel insisted on disclosing the 70 million number. "We can't split hairs," he said.

Target broke the news on Jan. 10. Three days later, the company apologized in full-page newspaper ads.

Investigators and card issuers haven't quantified damages due to fraud from the attack, though Jefferies projects that about 15% of the 40 million cards could be hit with fraudulent charges, estimating the amount at "a few hundred dollars per card." Card-replacement costs have topped $200 million for financial institutions, the Consumer Bankers Association and Credit Union National Association said Tuesday.

Many Target customers have gotten replacements for their credit and debit cards. J.P. Morgan Chase immediately instituted a $300-a-day limit on use of its affected debit cards, a major inconvenience at the height of the holiday shopping and travel season.

Target had an ad campaign ready for the Olympics that highlighted efforts by employees to give back to their communities. Mr. Steinhafel's gut told him it wasn't right. He thought customers would think Target was "tone deaf." Target canceled the campaign.

Early this month, prompted by the Target data breach, Congress held hearings on cyberattacks. As Mr. Mulligan, the CFO, made his appearances, Mr. Steinhafel and his executive team watched from the company's "situation room."

A Secret Service official testified that the data breach was "highly technical and sophisticated," prompting Mr. Steinhafel to remark: "That shows it's not just our operation. It would be hard for any retailer to withstand this."

At a daily status meeting early this month, Mr. Steinhafel pushed to accelerate to early next year the timeline for Target to replace magnetic strips on its payment cards with a new chip technology widely used in Europe and Canada that is less vulnerable to fraud.

Another executive briefed the CEO about progress on setting up a coalition with retailers, financial firms and regulators on the uniform adoption of the more secure technology.

Mr. Steinhafel later climbed into his BMW sport-utility vehicle to visit a Target store in Minneapolis testing several new product displays. His vehicle radio had preprogrammed "Prime Country" and "Margaritaville" music channels.

He slid on sunglasses and punched on a melancholy country song. "It's definitely not the time for Margaritaville," he said.