Target CIO Resigns Amid Ongoing Breach Fallout

US retailer Target is still reeling from its damaging security breach, as the CIO hands in her resignation

American retailer Target Corp continues to feel the pain from its highly damaging data breach, as profits plummet 46 percent and revenue falls 5.3 percent in the quarter.

As a result, Chief Information Officer (CIO) and executive VP of Technology Services Beth Jacob has tendered her resignation, effective immediately.

Damaging Breach

Jacob had served as Target’s CIO since 2008 and originally started with the company as an assistant buyer in 1984. She worked elsewhere from 1986 to 2002, when she returned to Target to serve as director of guest contact centres.

“This is a difficult decision after 12 rewarding years with the company I love. But this is a good time for a change,” Jacob wrote in her resignation letter.

Target reported on 19 December that about 40 million payment card accounts were hacked during the pre-Christmas shopping season. Later, in an update, it said that about 70 million customers also may have had their addresses, phone numbers and other information compromised.

The retailer is still reeling from that breach, saying last week that its fourth-quarter profit slid a whopping 46 percent and that revenue fell 5.3 percent. Target also said it has had to pay about $61 million (£36m) in hacking-related expenses.

In the 5 March announcement, the Minneapolis, Minn.-based retailer said that it will reconstruct its information-security team and will look to the outside for an interim CIO who can guide the company through that process. The plans were set out in a statement to the media by Target Chairman and CEO Gregg Steinhafel.

Security Overhaul

“While we are still in the process of an ongoing investigation, we recognise that the information-security environment is evolving rapidly,” Steinhafel said. “To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information-security and compliance structure and practices at Target.”

Steinhafel said the company also will elevate the role of the chief information security officer and will start another external search for a chief compliance officer.

The problems started when thieves broke into the point-of-sale (POS) system at Target in the October-November 2013 time frame. At that time, they stole the data from the magnetic stripes on the back of credit and debit cards. Target, like virtually all other stores in the United States, depends on that information on the magnetic stripe to read all the relevant credit card information to make a sale.

As a result of the data compromises at Target and at Neiman-Marcus last autumn, US banks and retailers now are looking at alternate versions of cards and card readers that would have protected credit card customers with an embedded chip in the card.

Target is pledging to speed up the adoption of EMV (Europay, MasterCard and Visa, a global standard for inter-operation of integrated circuit cards) payment card IT. These cards use encrypted chips for a stronger defence against hackers.

The EMV chip that is now embedded in some credit cards is a microprocessor that holds an encrypted version of the information that’s on the magnetic stripe. It establishes communication with the POS terminal and passes the credit card information to it, keeping the data encrypted. If thieves managed to steal the data, which is unlikely, it would still be encrypted and difficult, if not impossible, to use.

The problem is that for the EMV chip to be useful, the customer has to have the embedded chip, and the merchant has to have a card reader that can read it. Those card readers are actually installed in some stores in the United States now, but many don’t want to spend the money to upgrade to new card readers.

As might be expected, the data breach has been the centerpiece of a growing number of shareholder lawsuits. Prominent among them is one brought by the Police Retirement System of St. Louis against Target Corp., its board and top executives.

The lawsuit, filed by the $700 million (£418m) pension fund, accuses Target of “breach of fiduciary duty and waste of corporate assets.”

Originally published on eWeek.