Operations
5/5/2014
12:30 PM
Connect Directly
RSS
E-Mail
50%
50%

Target CEO Departs in Wake of Data Breach

Target has named an interim CEO and interim chairwoman of its board of directors as the search for a new lead executive gets under way.

More change is afoot at Target as another executive is departing in the aftermath of last year's data breach.

The retailer announced today that Gregg Steinhafel is stepping down effective immediately from his role as president, CEO, and chairman of the board of directors. John Mulligan, Target's chief financial officer, will serve as interim president and chief executive officer while the company searches for a permanent replacement. In addition, Roxanne S. Austin, a member of the company's board of directors, will be appointed interim non-executive chairwoman of the board.

A massive data breach last year affected payment card data and customer information of millions of consumers. Steinhafel has led the company's response to the breach. In a press release, the company thanked him for his leadership.

"The board is deeply grateful to Gregg for his significant contributions and outstanding service throughout his notable 35-year career with the company," the company said. "Under his leadership, the company has not only enhanced its ability to execute, but has broadened its strategic horizons. He also led the company through unprecedented challenges, navigating the financial recession, reacting to challenges with Target's expansion into Canada, and successfully defending the company through a high-profile proxy battle."

Steinhafel is the latest executive to depart the company in the wake of the breach. Beth Jacob resigned as chief information officer this year and has been replaced Bob DeRodes. The company is still searching for a chief information security officer, as well as a chief compliance officer.

The leadership changes are being accompanied by a new focus on security technologies. When it named DeRodes the new CIO, the company jointly announced an effort to accelerate adoption to chip-and-PIN enabled REDcards. Starting in early 2015, the entire REDcard portfolio, including all Target-branded credit and debit cards, will be enabled with MasterCard's chip-and-PIN solution. Co-branded cards will be reissued as MasterCard co-branded chip-and-PIN cards.

Target is also moving ahead with a plan to install supporting software for the chip-and-PIN technology and next-generation payment devices in its stores. The new payment terminals are expected to be in all 1,797 Target stores by this September, six months ahead of schedule, according to the company.

"The last few months have tested Target in unprecedented ways," Steinhafel wrote in his resignation letter to the board. "From the beginning, I have been committed to ensuring Target emerges from the data breach a better company, more focused than ever on delivering for our guests. We have already begun taking a number of steps to further enhance data security, putting the right people, processes and systems in place. With several key milestones behind us, now is the right time for new leadership at Target."

Experts around the security chimed in with a variety of opinions about Target's post-breach executive changes. Not all of them felt that a breach necessitates a change in leadership.

"If a CEO's longevity is based on the ability to keep an adversary off the network, everyone will lose their jobs," says Shawn Henry, CSO at CrowdStrike and president of CrowdStrike's Services Division. "The reality is that you cannot keep the adversary off the network. Organizations need to focus on adversary detection and consequence management, and the government needs to focus on identifying who is behind this type of malicious activity."

.

        

 
Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/9/2014 | 10:08:42 AM
Re: Where is your organization's sensitive data? -- Lessons Learned
The message certainly should ring loud and clear to top-level management at retailers (or any organization holding user data) that the buck starts and stops with them when it comes to the security of personal data. I expect they are finally paying attention. (at least i hope so)
kyle F. Kennedy
50%
50%
kyle F. Kennedy,
User Rank: Apprentice
5/6/2014 | 12:46:57 PM
Where is your organization's sensitive data?

First Target's CIO, Beth Jacob resigned in March along with a good percentage of key security team personnel and now yesterday Target's CEO Gregg Steinhafel announced he was stepping down "effective immediately" as part of Target's post breach clean up and remediation strategy. A data breach of any magnitude can't just be measured on the customers that were impacted. Data breach analysis must include the impact to the company's brand and most importantly consumer confidence in that brand going forward. Five months post data breach and Target's financial numbers are still declining with lower consumer confidence a key trait to why those financial numbers keep falling. Protecting Sensitive Data is absolutely critical to any organization no matter how large or small that organization may be. I just hope all the CIO's, CISO's, CTO's, CSO's, and CEO's reading various media outlets on Target's CEO resigning learn from the Target data breach and why it is imperative to have technologies like STEALTHbits – StealthSEEK and StealthINTERCEPT to help discover, prioritize, identify, remediate and secure sensitive data within their enterprise.

Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/5/2014 | 5:15:57 PM
Re: Target CEO Departs
There's obviously probably more to this than the data breach. But it does seem to indicate Target has learned a lot from the incident.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
5/5/2014 | 4:44:29 PM
Re: Target CEO Departs
It's hard to feel sorry for Steinhafel given that he could receive more than $55 million in his exit.
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
5/5/2014 | 4:01:11 PM
Re: Target CEO Departs
True, for a breach of this size more than one head had to roll.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
5/5/2014 | 3:59:27 PM
Re: Target CEO Departs
I thought that's what a CIO was for: an executive the CEO can dispose of if there's a security breach. I guess that firewall failed.
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
5/5/2014 | 12:52:16 PM
Target CEO Departs
Well it was just a matter of time, someone has to take the blame for their troubles.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-3071
Published: 2014-07-26
Cross-site scripting (XSS) vulnerability in the Data Quality Console in IBM InfoSphere Information Server 11.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL for adding a project connection.

CVE-2014-3301
Published: 2014-07-26
The ProfileAction controller in Cisco WebEx Meetings Server (CWMS) 1.5(.1.131) and earlier allows remote attackers to obtain sensitive information by reading stack traces in returned messages, aka Bug ID CSCuj81700.

CVE-2014-3305
Published: 2014-07-26
Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, aka Bug ID CSCuj81735.

CVE-2014-3324
Published: 2014-07-26
Multiple cross-site scripting (XSS) vulnerabilities in the login page in the administrative web interface in Cisco TelePresence Server Software 4.0(2.8) allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, aka Bug ID CSCup90060.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.