Of all the PR fiascos that a retailer could potentially face, none may be more disastrous than Target’s 2013 security breach, which took place between Black Friday and mid-December.

As news began to spread — at the height of Christmas shopping, no less — the word on the street was that only Target credit card holders were impacted. Oops, turns out it was actually everyone who ever had any contact with a Target store during that time, including folks who didn’t even make purchases, but simply called a store or customer service for more information. All said, 70 million people were impacted, Target confirmed last Friday. Big oops.

The PR missteps that made things worse

There were several PR missteps along the way that further exacerbated Target’s bad position.

1. They didn’t control the story.

While it’s all wise and good to hold the release of information until all the facts have been gathered and verified, I feel it’s always in a brand’s best interest to release the safe facts they know to immediately secure their position as the owner of the story. In Target’s case, the story was broken Dec. 18 by security blogger Brian Krebs, forcing Target to respond. From that point on they were on the defensive. Here is a case where lawyers — who in this case were most likely responsible for forcing the story to be held — should NOT trump PR.

2. They failed to under-promise and over-deliver.

Unfortunately, Target grossly underestimated the initial scope of those impacted. Worst-case scenario, this could be interpreted as obfuscating. Best case, it looks like incompetence. A better choice would have been to avoid immediate specifics, err on the side of assuming EVERYONE was impacted, and demonstrate how you’re taking care of it…immediately.

3. They missed an opportunity to respond.

Target could have responded in the most meaningful and immediate way possible — at point-of-sale. In the weeks following the breach it isn’t likely that Target saw a significant loss in sales. People love Target. And it was Christmas. Stores should have taken the opportunity to instill confidence by establishing some sort of in-store programming. It could have ranged from a post-sale communique to staffing stores with a small team of compassionate crisis responders.

Experts all agree that Target will rebound. Fellow retail giants — Wal-Mart are you reading this? — will hopefully learn from Target’s mistakes. Security breaches may be unavoidable, but good crisis management is always possible.