At the height of the 2013 holiday shopping season, a network security failure at Target Corp. exposed more than...
40 million credit and debit cards and the personal data of approximately 70 million customers. Eight months after the massive data breach, Target began an executive shakeup when the retailer named a new CEO and chairman of the board: Former PepsiCo CEO Brian Cornell took the helm on Aug. 12, replacing 35-year company veteran Gregg Steinhafel.
The company also replaced its CIO and created a new CISO position after investigations indicated hackers stole the debit and credit card data using malware installed on Target stores' point-of-sale systems.
The changes came after Target's 2014 Q1 net income dropped 16% from the previous year. The U.S. Securities and Exchange Commission, the U.S. Federal Trade Commission, and a number of state attorneys general had opened investigations into Target's operations after the data breach. Members of Congress expressed outrage about how Target stores -- and the retail industry in general -- handled the privacy and security of customer's confidential data. As the inquiries about the Target data breach and its network security failures continued, the company's executives were held accountable.
This FAQ is part of SearchCompliance's IT Compliance FAQ series.
Were Target's chief executive and compliance officers held accountable for the security failure?
In the early aftermath of the security breach, Target Corp.'s then-president and CEO Gregg Steinhafel issued several public apologies and offered statements that outlined future steps to protect customer data. In a letter published in newspapers across the country, Steinhafel wrote that Target's customers deserved better and that the company was determined to make things right after the breach.
Fewer than six months later, however, Steinhafel left his position as Target's CEO, president and chairman of the board after 35 years at the company. In a May 5 statement, the board of directors noted that Steinhafel held himself personally accountable for the 2013 data breach.
Steinhafel's ouster came after the company had named a new CIO and created and filled a CISO position. Target also hired a new senior vice president for infrastructure and operations. Steinhafel's replacement as CEO, Brian Cornell, was named on July 31.
Following the security breach, Target publicized several planned measures to transform the company's information security and compliance practices. These measures included separating compliance and risk duties that until that point had been handled by the vice president for assurance risk and compliance.
After hiring Bob DeRodes as CIO in April 2014, Target announced that it continued to seek a chief compliance officer. As of Aug. 1, a CCO still had not been named.
How did fallout from the Target data breach impact the company's IT executives?
Beth Jacob, Target's CIO and executive vice president for technology services at the time of the breach, left the company four months after the incident. Jacob departed in the midst of a heated political climate where lawmakers often cited the breach when arguing for strengthened data privacy and security regulations.
A month after Jacob's departure, Bob DeRodes was named CIO and executive vice president. In May, Target named Brad Maiorino CISO. Maiorino previously served as the chief information security and information technology risk officer at General Motors, and prior to that was CISO at General Electric.
In July, the company named Jim Fisher as senior vice president for the infrastructure and operations division of technology services.
Were Target's directors held accountable for the security failure?
Two weeks before Target's annual shareholder meeting, proxy advisory firm Institutional Shareholder Services Inc. recommended the removal of seven of Target's 10 directors. The firm contended that the Target board failed to effectively manage the risks leading up to the data breach, and that the audit/corporate responsibility committees were not adequately prepared to ensure appropriate risk management. During the shareholder meeting, however, all 10 directors were re-elected.
What other Target executives were held accountable for the security failure?
Target CFO John Mulligan was called to Capitol Hill twice in early 2014 to testify before lawmakers about the massive security lapse. In testimony before the Senate Committee on Commerce, Science and Transportation March 26, Mulligan said intruders entered the network on Nov. 12, 2013, after obtaining an HVAC [heating, ventilation and air conditioning] vendor's access credentials. The company's security systems detected intruder activity that was then evaluated by security professionals.
"With the benefit of hindsight and new information, we are now asking hard questions regarding the judgments that were made at that time and assessing whether different judgments may have led to different outcomes," Mulligan told lawmakers.
Target did not start its own breach investigation until Dec. 12, after the Justice Department notified it of suspicious credit card activity at stores. The company did not notify customers until Dec. 19, a day after the breach was reported online by journalist Brian Krebs. The incident sparked questions among lawmakers and regulators about the retail industry's response to security failures and breach disclosure practices.
In a report prepared by the Senate Commerce Committee staff, Target was criticized for having weak network controls and for missing warnings from its anti-intrusion program that malware was being installed. Hackers "took advantage of weak security at a Target vendor, gaining a foothold in Target's inner network" and "took advantage of weak controls within Target's network and successfully maneuvered into the network's most sensitive areas."