Executive Fallout from Breach Mounts as Target CEO Resigns

Chief executive and president Gregg Steinhafel has left the company after 35 years and has also given up his seat as chairman of the company's board of directors. Steinhafel had overseen the company as CEO since 2008 and as president since 2009. His departure follows that of CIO Beth Jacobs, who was just replaced by Homeland Security veteran Bob DeRodes.

Company CFO John Mulligan will act as interim chief, and Roxanne Austin will assume chairwoman responsibilities. Steinhafel will stay on as an advisor while the firm looks for a permanent CEO and board chair.

No official reason was given for the resignation, but the board did note the breach. “Most recently, Gregg led the response to Target’s 2013 data breach,” it said in a statement. “He held himself personally accountable and pledged that Target would emerge a better company. We are grateful to him for his tireless leadership and will always consider him a member of the Target family.”

The retailer’s IT systems were breached in November, when the retail giant saw 40 million credit card numbers – and 70 million addresses, phone numbers, and other pieces of personal information – stolen by a widespread point-of-sale (PoS) hack. Credit card info and other personal details were lifted by the BlackPOS malware that was somehow uploaded from a central server to card-swiping terminals across the nation.

“The resignation of Target president and CEO Gregg Steinhafel reinforces what some of us in the security industry have been saying for some time and that is that data breaches of this nature have significant impact not just on reputation (and therefore stock price) but also on customer and board confidence in the leadership of the organization,” said Steve Durbin, global vice president of the Information Security Forum, in a note to Infosecurity. “If there was any remaining doubt, this clearly demonstrates that security is a business issue and must be taken seriously by boards.”

He added, “That requires clarity of understanding of the impact of security breach and a proper risk assessment of the vulnerabilities that exist along with the will to address any shortfalls and build a cyber-resilience approach to operating in cyberspace. The requirement is to plan for the unexpected, to have processes in place that allow for timely and effective responses to breaches that go much further than simply getting systems back up and running.”

In all, it added up to the largest retail breach in history, sparking 90+ lawsuits, a Congressional hearing, corporate restructuring and plummeting sales figures for the big-box retailer. But according to a report, it all could have been prevented – had the retail giant simply listened to its own internal early warning systems. The IT staff did not act upon the security alerts until December, when federal authorities notified the company of unusual activity on its networks.

Target later confirmed that the server itself was compromised by a third party using stolen credentials—the result of a serious oversight in sequestering network access.

“It was only a matter of time before Target CEO Gregg Steinhafel would be shown the express lane out of Target. His woeful leadership in the mishandling of the security breach that exposed tens of millions of his company’s customers to cybercriminals was ample reason to remove him as CEO,” said JD Sherry, Trend Micro’s vice president of technology and solutions, in a comment to Infosecurity. “Other CEOs may share Steinhafel’s fate if they don’t learn from the Target debacle. To me, the lesson is simple: The responsibility of a modern CEO includes relentlessly and tirelessly guarding the security and safety of their customers’ data. The gauntlet has been laid down for all executives that process and store sensitive information that CEOs can no longer pay attention to security only when there is a problem. No matter if you have been a lifer in the organization or new to the role, information security is paramount to the longevity of your business and your career. Attackers will win if the lessons from the Target experience are ignored.”

Kyle Kennedy, CTO at STEALTHbits Technologies, added that the executive casualties should be assessed along with other impacts when discussing the dangers of a data breach, for any company.

“A data breach of any magnitude can’t just be measured on the customers that were impacted,” he said. “Data breach analysis must include the impact to the company’s brand, and most importantly consumer confidence in that brand, going forward. Five months post-data breach and Target’s financial numbers are still declining, with lower consumer confidence a key trait to why those financial numbers keep falling. Protecting Sensitive Data is absolutely critical to any organization no matter how large or small that organization may be. I just hope all the CIOs, CISOs, CTOs, CSOs, and CEOs reading various media outlets about Target’s CEO resigning learn from the Target data breach and why it is imperative to have technologies that discover, prioritize, identify, remediate and secure sensitive data within their enterprise.”
