Operations
5/5/2014
12:30 PM
50%
50%

Target CEO Departs in Wake of Data Breach

Target has named an interim CEO and interim chairwoman of its board of directors as the search for a new lead executive gets under way.

More change is afoot at Target as another executive is departing in the aftermath of last year's data breach.

The retailer announced today that Gregg Steinhafel is stepping down effective immediately from his role as president, CEO, and chairman of the board of directors. John Mulligan, Target's chief financial officer, will serve as interim president and chief executive officer while the company searches for a permanent replacement. In addition, Roxanne S. Austin, a member of the company's board of directors, will be appointed interim non-executive chairwoman of the board.

A massive data breach last year affected payment card data and customer information of millions of consumers. Steinhafel has led the company's response to the breach. In a press release, the company thanked him for his leadership.

"The board is deeply grateful to Gregg for his significant contributions and outstanding service throughout his notable 35-year career with the company," the company said. "Under his leadership, the company has not only enhanced its ability to execute, but has broadened its strategic horizons. He also led the company through unprecedented challenges, navigating the financial recession, reacting to challenges with Target's expansion into Canada, and successfully defending the company through a high-profile proxy battle."

Steinhafel is the latest executive to depart the company in the wake of the breach. Beth Jacob resigned as chief information officer this year and has been replaced Bob DeRodes. The company is still searching for a chief information security officer, as well as a chief compliance officer.

The leadership changes are being accompanied by a new focus on security technologies. When it named DeRodes the new CIO, the company jointly announced an effort to accelerate adoption to chip-and-PIN enabled REDcards. Starting in early 2015, the entire REDcard portfolio, including all Target-branded credit and debit cards, will be enabled with MasterCard's chip-and-PIN solution. Co-branded cards will be reissued as MasterCard co-branded chip-and-PIN cards.

Target is also moving ahead with a plan to install supporting software for the chip-and-PIN technology and next-generation payment devices in its stores. The new payment terminals are expected to be in all 1,797 Target stores by this September, six months ahead of schedule, according to the company.

"The last few months have tested Target in unprecedented ways," Steinhafel wrote in his resignation letter to the board. "From the beginning, I have been committed to ensuring Target emerges from the data breach a better company, more focused than ever on delivering for our guests. We have already begun taking a number of steps to further enhance data security, putting the right people, processes and systems in place. With several key milestones behind us, now is the right time for new leadership at Target."

Experts around the security chimed in with a variety of opinions about Target's post-breach executive changes. Not all of them felt that a breach necessitates a change in leadership.

"If a CEO's longevity is based on the ability to keep an adversary off the network, everyone will lose their jobs," says Shawn Henry, CSO at CrowdStrike and president of CrowdStrike's Services Division. "The reality is that you cannot keep the adversary off the network. Organizations need to focus on adversary detection and consequence management, and the government needs to focus on identifying who is behind this type of malicious activity."

.

        

 
Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/9/2014 | 10:08:42 AM
Re: Where is your organization's sensitive data? -- Lessons Learned
The message certainly should ring loud and clear to top-level management at retailers (or any organization holding user data) that the buck starts and stops with them when it comes to the security of personal data. I expect they are finally paying attention. (at least i hope so)
kyle F. Kennedy
50%
50%
kyle F. Kennedy,
User Rank: Apprentice
5/6/2014 | 12:46:57 PM
Where is your organization's sensitive data?

First Target's CIO, Beth Jacob resigned in March along with a good percentage of key security team personnel and now yesterday Target's CEO Gregg Steinhafel announced he was stepping down "effective immediately" as part of Target's post breach clean up and remediation strategy. A data breach of any magnitude can't just be measured on the customers that were impacted. Data breach analysis must include the impact to the company's brand and most importantly consumer confidence in that brand going forward. Five months post data breach and Target's financial numbers are still declining with lower consumer confidence a key trait to why those financial numbers keep falling. Protecting Sensitive Data is absolutely critical to any organization no matter how large or small that organization may be. I just hope all the CIO's, CISO's, CTO's, CSO's, and CEO's reading various media outlets on Target's CEO resigning learn from the Target data breach and why it is imperative to have technologies like STEALTHbits – StealthSEEK and StealthINTERCEPT to help discover, prioritize, identify, remediate and secure sensitive data within their enterprise.

Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/5/2014 | 5:15:57 PM
Re: Target CEO Departs
There's obviously probably more to this than the data breach. But it does seem to indicate Target has learned a lot from the incident.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
5/5/2014 | 4:44:29 PM
Re: Target CEO Departs
It's hard to feel sorry for Steinhafel given that he could receive more than $55 million in his exit.
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
5/5/2014 | 4:01:11 PM
Re: Target CEO Departs
True, for a breach of this size more than one head had to roll.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
5/5/2014 | 3:59:27 PM
Re: Target CEO Departs
I thought that's what a CIO was for: an executive the CEO can dispose of if there's a security breach. I guess that firewall failed.
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
5/5/2014 | 12:52:16 PM
Target CEO Departs
Well it was just a matter of time, someone has to take the blame for their troubles.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.