Target CEO Steps Down Following Data Breach Fallout


Target Corp. said Monday that its chief executive, who led the response to its massive credit card breach, is stepping down while the company bolsters systems.

Target president and CEO Gregg Steinhafel is stepping down from his position, effective immediately, the company said. The move, made after "extensive discussions," according to the company's board, comes just days after the retail giant hired a new chief information officer to oversee its IT and operations units. John Mulligan, Target's chief financial officer, has been appointed as interim president and CEO. Steinhafel, who has been at the company for 35 years, will serve in an advisory role during the transition, the company said.

"Most recently, Gregg led the response to Target's 2013 data breach. He held himself personally accountable and pledged that Target would emerge a better company," the company's board of directors said in a statement announcing Steinhafel's departure.


Target is still dealing with the fallout of a massive data security breach resulting in the theft of tens of millions of credit and debit cards. Attackers struck the retailer's systems during the peak of the holiday shopping season, using a stolen password to gain initial access to its systems, then remotely installing malware designed to scrape the memory of point-of-sale systems where the card data is most vulnerable.

Solution providers tell CRN that the massive breach, and a string of other retail breaches believed to be connected to an organized cybercriminal gang based in Eastern Europe, helped fuel discussions about data security among their retail clients. PCI compliance is also complex and often depends on the subjective judgment of auditors.

Target hired an outside firm based in India to monitor its FireEye appliance for malware infections, but despite the appliance flagging suspicious activity and the firm raising a warning, Target reportedly failed to respond. The outsourced monitoring, combined with the attention being paid to FireEye and other systems designed to detect advanced threats, highlighted the complexity associated with network monitoring and incident response, said Greg Williams, a security compliance consultant at MMIC Group, a medical liability insurer in the Midwest that operates a security services and risk consulting arm that works with security channel providers.

Proactive system monitoring and incident response are two necessary security best practices that are often poorly addressed, Williams said. Most businesses fail to invest in the personnel to conduct effective incident response or lack the resources to get the skilled staff on hand, said Williams, who ran a team that monitored security appliances. Williams called the job of finding potential security threats laborious.

"You can go blind just looking at all the different alerts, and chasing all those false-positives adds to the pain that the job entails," Williams said. "Monitoring is one thing and responding to an alert is a different one that few firms have the resources to master."

It’s easy to advocate that companies establish network security best practices and take a more proactive approach to monitoring the network, but, in practice, it is extremely difficult because of growing network complexity at many firms, said Justin Flynn, a consultant and network security specialist with Chicago-based solution provider Burwood Group. Many firms fail to completely implement effective and efficient measures, Flynn said.

"There's a variety of reasons why the process is difficult and expensive," Flynn told CRN. "Businesses often start with the best intentions, but hit a logjam somewhere in the process."

Following Target's massive data security breach, Neiman Marcus executives said their firm was the victim of attackers that stole 350,000 credit and debit cards using similar techniques. Meanwhile, Michaels Stores said on April 17 that attackers had infiltrated its point-of-sale systems and stolen 2.6 million credit and debit cards.

Target announced that it is adopting chip-and-pin, a measure long established in Europe and Asia that is used to bolster the security of transactions conducted at brick-and-mortar stores.

The company said its new CIO, Bob DeRodes, who started in the new position today, would oversee the rollout of its chip-and-pin technology. DeRodes, an industry veteran with 40 years' experience, was most recently a senior information technology adviser for the Center for CIO Leadership, the U.S. Department of Homeland Security, the U.S. Secretary of Defense and the U.S. Department of Justice.

Target is still searching for a chief information security officer and a chief compliance officer.

Despite all the attention being paid to attacks against retailer point-of-sale (POS) systems, Verizon, which has produced a data breach investigations report that analyzes thousands of breaches since 2008, is tracking a decline in POS system attacks. Attackers are transitioning to web-based attacks against online payment systems, said Christopher Porter, a managing principal at Verizon. Porter told CRN that retailers of all sizes are targets of financially motivated cybercriminals. POS systems are often poorly maintained and protected only by default or weak passwords, making them easy pickings for attackers, Porter said.

"The attacks that we have analyzed are moving from wide-scale, smash-and-grab-style hits to well-thought-out and systematic campaigns," Porter said. "Meanwhile, criminals are moving online where financial transactions are significantly increasing."

PUBLISHED MAY 5, 2014