5/5/2014
12:30 PM

Target CEO Departs in Wake of Data Breach

Target has named an interim CEO and interim chairwoman of its board of directors as the search for a new lead executive gets under way.

More change is afoot at Target as another executive is departing in the aftermath of last year's data breach.

The retailer announced today that Gregg Steinhafel is stepping down effective immediately from his role as president, CEO, and chairman of the board of directors. John Mulligan, Target's chief financial officer, will serve as interim president and chief executive officer while the company searches for a permanent replacement. In addition, Roxanne S. Austin, a member of the company's board of directors, will be appointed interim non-executive chairwoman of the board.

A massive data breach last year affected payment card data and customer information of millions of consumers. Steinhafel has led the company's response to the breach. In a press release, the company thanked him for his leadership.

"The board is deeply grateful to Gregg for his significant contributions and outstanding service throughout his notable 35-year career with the company," the company said. "Under his leadership, the company has not only enhanced its ability to execute, but has broadened its strategic horizons. He also led the company through unprecedented challenges, navigating the financial recession, reacting to challenges with Target's expansion into Canada, and successfully defending the company through a high-profile proxy battle."

Steinhafel is the latest executive to depart the company in the wake of the breach. Beth Jacob resigned as chief information officer this year and has been replaced by Bob DeRodes. The company is still searching for a chief information security officer, as well as a chief compliance officer.

The leadership changes are being accompanied by a new focus on security technologies. When it named DeRodes the new CIO, the company jointly announced an effort to accelerate adoption of chip-and-PIN-enabled REDcards. Starting in early 2015, the entire REDcard portfolio, including all Target-branded credit and debit cards, will be enabled with MasterCard's chip-and-PIN solution. Co-branded cards will be reissued as MasterCard co-branded chip-and-PIN cards.

Target is also moving ahead with a plan to install supporting software for the chip-and-PIN technology and next-generation payment devices in its stores. The new payment terminals are expected to be in all 1,797 Target stores by this September, six months ahead of schedule, according to the company.

"The last few months have tested Target in unprecedented ways," Steinhafel wrote in his resignation letter to the board. "From the beginning, I have been committed to ensuring Target emerges from the data breach a better company, more focused than ever on delivering for our guests. We have already begun taking a number of steps to further enhance data security, putting the right people, processes and systems in place. With several key milestones behind us, now is the right time for new leadership at Target."

Security experts chimed in with a variety of opinions about Target's post-breach executive changes. Not all of them felt that a breach necessitates a change in leadership.

"If a CEO's longevity is based on the ability to keep an adversary off the network, everyone will lose their jobs," says Shawn Henry, CSO at CrowdStrike and president of CrowdStrike's Services Division. "The reality is that you cannot keep the adversary off the network. Organizations need to focus on adversary detection and consequence management, and the government needs to focus on identifying who is behind this type of malicious activity."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
Marilyn Cohodas,
User Rank: Strategist
5/9/2014 | 10:08:42 AM
Re: Where is your organization's sensitive data? -- Lessons Learned
The message certainly should ring loud and clear to top-level management at retailers (or any organization holding user data) that the buck starts and stops with them when it comes to the security of personal data. I expect they are finally paying attention. (At least I hope so.)
kyle F. Kennedy,
User Rank: Apprentice
5/6/2014 | 12:46:57 PM
Where is your organization's sensitive data?

First Target's CIO, Beth Jacob, resigned in March along with a good percentage of key security team personnel, and now yesterday Target's CEO Gregg Steinhafel announced he was stepping down "effective immediately" as part of Target's post-breach cleanup and remediation strategy. A data breach of any magnitude can't just be measured on the customers that were impacted. Data breach analysis must include the impact to the company's brand and most importantly consumer confidence in that brand going forward. Five months post data breach and Target's financial numbers are still declining with lower consumer confidence a key trait to why those financial numbers keep falling. Protecting Sensitive Data is absolutely critical to any organization no matter how large or small that organization may be. I just hope all the CIOs, CISOs, CTOs, CSOs, and CEOs reading various media outlets on Target's CEO resigning learn from the Target data breach and why it is imperative to have technologies like STEALTHbits – StealthSEEK and StealthINTERCEPT to help discover, prioritize, identify, remediate and secure sensitive data within their enterprise.

Kelly Jackson Higgins,
User Rank: Strategist
5/5/2014 | 5:15:57 PM
Re: Target CEO Departs
There's obviously probably more to this than the data breach. But it does seem to indicate Target has learned a lot from the incident.
Thomas Claburn,
User Rank: Moderator
5/5/2014 | 4:44:29 PM
Re: Target CEO Departs
It's hard to feel sorry for Steinhafel given that he could receive more than $55 million in his exit.
Randy Naramore,
User Rank: Ninja
5/5/2014 | 4:01:11 PM
Re: Target CEO Departs
True, for a breach of this size more than one head had to roll.
Drew Conry-Murray,
User Rank: Ninja
5/5/2014 | 3:59:27 PM
Re: Target CEO Departs
I thought that's what a CIO was for: an executive the CEO can dispose of if there's a security breach. I guess that firewall failed.
Randy Naramore,
User Rank: Ninja
5/5/2014 | 12:52:16 PM
Target CEO Departs
Well it was just a matter of time, someone has to take the blame for their troubles.