Let’s compare two stories on the Target data breach that offer starkly opposing portraits of how the mega-retailer handled the hacking.
The first appeared last month in The Wall Street Journal, which got an all-access pass to Target’s C-suite officers, including CEO Gregg Steinhafel.
We learn many details of dubious relevance: Steinhafel took calls on Christmas while doing jigsaw puzzles with his kids; the twice-daily hacking meetings were stocked with Target-brand pretzels filled with peanut butter; Steinhafel is a hands-on CEO who munches animal crackers while walking his stores; he was eating sushi with his wife and another couple when he first learned something was wrong; he was sipping his morning coffee when he learned the extent of the damage. That he hits the gym at 4:30 in the morning for a “high-intensity P90X cross-training workout.”
And:
Recently, Mr. Steinhafel says, he stopped a manager who was reading email on her cellphone as she passed through Target’s downtown Minneapolis headquarters. “Please be in the present,” he recalls telling her.
One person’s color is another person’s irrelevancy, but there’s little doubt the WSJ’s detail was over the top; particularly because it turns out that amidst all this access and detail, the Journal missed the real story: That serious missteps by Target were significant factors in the security breach, and that its initial response to the hacking worsened the fallout.
Four days before this story, the WSJ reported that “the breach wasn’t entirely a bolt from the blue” and that Target’s IT staff had warned about potential problems with its system but were ignored. None of that makes it into the piece. It’s a bit surreal (A WSJ spokeswoman declined to comment).
Nor does the WSJ ask why Target sat on the news for six days before telling the public and why it failed to inform its board of directors for five days. You have to read very carefully to pick up on that. Target only disclosed the breach a day after security blogger Brian Krebs, who got the big scoop on December 18 despite being stonewalled by Target.
Instead, the Journal story presents an executive team as action figures under siege through no fault of their own, fighting valiantly to serve their customers and save the reputation of their firm. It’s reminiscent of Andrew Ross Sorkin’s upside-down view of the financial crisis in Too Big to Fail. The Journal says that the hack was “highly technical and sophisticated,” according to the Secret Service and dutifully reports Steinhafel’s claim that “it would be hard for any retailer to withstand this.”
Cue high fives from Target’s crisis PR team. Page one of the Journal!
But wait. Turn to the second story. Bloomberg BusinessWeek reports that the hack “wasn’t particularly inventive, nor did it appear destined for success” and that it was “absolutely unsophisticated and uninteresting.”
More problematic: BusinessWeek finds that Target’s security systems flashed red for more than two weeks before anything was done about the hacking.
For some reason, Minneapolis didn’t react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers–and 70 million addresses, phone numbers, and other pieces of personal information–gushed out of its mainframes…
In testimony before Congress, Target has said that it was only after the U.S. Department of Justice notified the retailer about the breach in mid-December that company investigators went back to figure out what happened. What it hasn’t publicly revealed: Poring over computer logs, Target found FireEye’s alerts from Nov. 30 and more from Dec. 2, when hackers installed yet another version of the malware. Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn’t begun transmitting the stolen card data out of Target’s network. Had the company’s security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happened at all.
That points to a conspicuous absence in all the Journal‘s executive access: Target’s Chief Information Officer. What was she snacking on while all this went down? We’re not told. By the way, she resigned in early March. This fact alone lends weight to the Businessweek version of events and, at a minimum, complicates the Journal’s.
It’s important to note that Target gave BusinessWeek no access, instead issuing a statement from the CEO effectively declining to comment.
And yet the news organization without the access got the better, more complete story.
The big scoop made the cover of the magazine and BusinessWeek made a memorable animated gif out of it:
Huddle up the crisis flacks again, Target.
Ryan Chittum is a former Wall Street Journal reporter, and deputy editor of The Audit, CJR’s business section. If you see notable business journalism, give him a heads-up at rc2538@columbia.edu. Follow him on Twitter at @ryanchittum.