Target Top Exec Resigns Over Data Breach

Company appoints new CIO; plans to enable REDcard with chip-and-PIN technology

Published in CSP Daily News


MINNEAPOLIS -- In the wake of the recent high-profile data breach that has caused retailers in all channels--including the convenience store channel--to review and enhance data security measures, big-box chain Target Corp.'s board of directors said that its top executive has resigned.

"After extensive discussions, the board and Gregg Steinhafel have decided that now is the right time for new leadership at Target," the board announced in a statement. "Effective immediately, Gregg will step down from his positions as chairman of the Target board of directors, president and CEO."

The company has appointed John Mulligan, Target's CFO, as interim president and CEO, and Roxanne S. Austin, a current member of Target's board, as interim nonexecutive board chair. Both will serve in their roles until the board names permanent replacements.

"Gregg led the response to Target's 2013 data breach," said the board. "He held himself personally accountable and pledged that Target would emerge a better company. We are grateful to him for his tireless leadership."

Target has hired a new technology leader: Bob DeRodes will lead Target's information technology transformation as executive vice president and chief information officer. He will assume oversight of the Target technology team and operations, with responsibility for the ongoing data security enhancement efforts as well as the development of Target's long-term information technology and digital roadmap. The company is continuing its active search for a chief information security officer and a chief compliance officer.

DeRodes comes to Target with more than 40 years of experience and is a recognized leader in information technology, data security, and business operations. He has been a senior information technology advisor for the Center for CIO Leadership, the U.S. Department of Homeland Security, the U.S. Secretary of Defense and the U.S. Department of Justice. He has also held top technology positions at CitiBank, USAA Federal Savings Bank, First Data, Home Depot and Delta Air Lines.

Since the initial confirmation of the data breach, the company has taken significant actions to further strengthen security:

  • Enhancing monitoring and logging, which includes implementing additional rules and alerts, centralizing log feeds and enabling additional logging capabilities.
  • Installing application whitelisting on point-of-sale (POS) systems, which includes deploying it to all registers and point-of-sale servers and developing whitelisting rules.
  • Implementation of enhanced segmentation, which includes development of POS management tools, review and streamlining of network firewall rules and development of a comprehensive firewall governance process.
  • Reviewing and limiting vendor access, which includes decommissioning vendor access to the server impacted in the breach and disabling select vendor access points including FTP and telnet protocols.
  • Enhancing the security of accounts, which includes a coordinated reset of 445,000 Target team member and contractor passwords, broader use of two-factor authentication, expansion of password vaults, disabling of multiple vendor accounts, reduction of privileges for certain accounts, and development of additional training related to password rotation.

Chip & PIN

Target also announced a significant new initiative as part of the company's accelerated transition to chip-and-PIN-enabled REDcards. Beginning in early 2015, the entire REDcard portfolio, including all Target-branded credit and debit cards, will be enabled with MasterCard's chip-and-PIN solution. Existing co-branded cards will be reissued as MasterCard co-branded chip-and-PIN cards. Ultimately, through this initiative, all of Target's REDcard products will be chip-and-PIN secured.

Earlier this year, Target announced an accelerated $100 million plan to move its REDcard portfolio to chip-and-PIN-enabled technology and to install supporting software and next-generation payment devices in stores. The new payment terminals will be in all 1,797 U.S. stores by this September, six months ahead of schedule. In addition, by early next year, Target will enable all REDcards with chip-and-PIN technology and begin accepting payments from all chip-enabled cards in its stores.

In March, Target joined the Financial Services Information Sharing & Analysis Center (FS-ISAC), a nonprofit private sector initiative developed by the financial services industry to help facilitate the detection, prevention and response to cyberattacks and fraud activity.

Minneapolis-based Target has 1,916 stores--1,789 in the United States and 127 in Canada.