Bloomingdale's suffered a major glitch last week, with some customers receiving gift cards that were issued in amounts 200 times what they should have been. At least one customer received a $25,000 gift card. The situation illustrates two huge retail IT security issues. First, Bloomingdale's apparently has no human approval for gift cards, since it's hard to envision someone approving such amounts without question. But the second issue is that chains have almost no meaningful system for dealing with such glitches.
The problem began when a system confused the number of "Loyallist Points" issued and the dollar values. As Buzzfeed noted, in the Bloomingdale's system, 5,000 points is enough to get a $25 gift card. Some customers with 5,000 points were instead given $5,000 gift cards. Although this is a really bad mistake, all it takes is a small coding error to point to the "points" field instead of the "value" field. It's the exact kind of problem that a human supervisor would instantly spot — given the chance.
But the more frustrating problem is that, once discovered, there is little a retailer can do beyond cancelling the cards as quickly as possible and hoping that the losses are minimal. You can't, however, blame Bloomingdale's for trying.
The Buzzfeed story told of one knowing Bloomingdale's shopper who received a $25,000 gift card and decided to go on a spending spree. This customer headed to a brick-and-mortar Bloomingdale's, probably figuring that any online orders would be canceled before they were shipped. (Somehow, he only spent $17,000. Really? You leave $8,000 on the table? You never heard of eBay?)
At that point, Bloomingdale's customer service reached out, telling him that he "needs to" return the merchandise. He declined the kind request. A mathematically challenged rep then offered him a $100 gift card if he would give back the $17,000 worth of goodies. That offer assumes that Bloomingdale's customers are fundamentally honest and selfless. Does Bloomingdale's realize that these are the same people that they see on Black Friday, trampling strangers with bloodlust in their eyes?
The only leverage Bloomingdale's could actually exercise was to say that if the customer didn't return everything, Buzzfeed said, "he will be banned from the loyalty program — a seemingly acceptable sacrifice for the $17,000 worth of free stuff he picked up."
This is a legally delicate area. Does Bloomingdale's really want to sue its customers? Not only is that a bad PR move, but it would open Bloomingdale's up to discovery and depositions digging into the nature of the glitch and how it happened.
A wiser approach would be to run with the publicity around this glitch and treat it as a sort of IT glitch lottery. The retailer would then seem generous simply by admitting to itself that people were probably going to keep everything they got anyway, and at the same time it would be encouraging people to shop at the chain and buy gift cards, in the hope that they may luck out some day.
If you'd rather not have such glitches in the first place, keep in mind that there are two elements of gift card issuance that failed here. The first was preventative: No one was assigned to approve all gift cards of a certain value. The second was "discovery after the fact." Clearly, this glitch took far longer than it should have to be detected.
That $25,000 gift card guy? He had to wait until the store opened the next morning to cash in. Hence, it's not as if this glitch only went undetected for a few minutes or even hours.
Following those failures, of course, Bloomingdale's committed PR blunders, with that pathetic begging and low-ball offers. If it just couldn't bring itself to say, "Our bad. Keep it all," then how about something like, "We made an error and sent you a card worth far more than you had earned. We have no legal right to take the merchandise back — although we'll certainly cancel any online orders that have yet to ship. Humanitarians we ain't. But if you're open to returning the items, we will be very much in your debt. Please help us." No threats. No implied legal action. Just good old-fashioned begging and a plea for honesty.
Heck, it's worth a shot. At least no one would feel pressured or deceived. That is the best that you can hope for, given that it was your glitch — and lack of oversight — that caused the problem.