Target CIO Resigns, Retailer to Retool Entire Security Approach

Target CIO and Executive Vice President of Technology Services Beth Jacob tendered her resignation March 5, effective immediately, as the result of the well-chronicled data breach last holiday season that impacted an estimated 110 million of the retailer’s customers.

Jacob had served as Target’s CIO since 2008 and originally started with the company as an assistant buyer in 1984. She worked elsewhere from 1986 to 2002, when she returned to Target to serve as director of guest contact centers.

“This is a difficult decision after 12 rewarding years with the company I love. But this is a good time for a change,” Jacob wrote in her resignation later.

Target reported on Dec. 19 that about 40 million payment card accounts were hacked during the pre-Christmas shopping season. Later, in an update, it said that about 70 million customers also may have had their addresses, phone numbers and other information compromised.

Impact of the Compromise Still Hurting Target

The retailer is still reeling from that breach, saying last week that its fourth-quarter profit slid a whopping 46 percent and that revenue fell 5.3 percent. Target also said it has had to pay about $61 million in hacking-related expenses.

The Minneapolis, Minn.-based retailer said in the March 5 announcement that it will reconstruct its IT team and will look to the outside for an interim CIO who can guide the company through that process, Target Chairman and CEO Gregg Steinhafel said in a statement to the media.

“While we are still in the process of an ongoing investigation, we recognize that the information-security environment is evolving rapidly,” Steinhafel said. “To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information-security and compliance structure and practices at Target.”

Steinhafel said the company also will elevate the role of the chief information security officer and will start another external search for a chief compliance officer.

Magnetic Credit Cards at POS Locations Was Main Issue

The problems started when thieves broke into the point-of-sale (POS) system at Target in the October-November 2013 time frame. At that time, they stole the data from the magnetic stripes on the back of credit and debit cards. Target, like virtually all other stores in the United States, depends on that information on the magnetic stripe to read all the relevant credit card information to make a sale.

As the result of the data compromises at Target and at Neiman-Marcus last fall, U.S. banks and retailers now are looking at alternate versions of cards and card readers that would have protected credit card customers with an embedded chip in the card.

Target is pledging to speed up the adoption of EMV (Europay, MasterCard and Visa, a global standard for inter-operation of integrated circuit cards) payment card IT. These cards use encrypted chips for a stronger defense against hackers.

The EMV chip that is now embedded in some credit cards is a microprocessor that holds an encrypted version of the information that’s on the magnetic stripe. It establishes communication with the POS terminal and passes the credit card information to it, keeping the data encrypted. If thieves managed to steal the data, which is unlikely, it would still be encrypted and difficult, if not impossible, to use.

EMV Chips Now Being Sought

The problem is that for the EMV chip to be useful, the customer has to have the embedded chip, and the merchant has to have a card reader that can read it. Those card readers are actually installed in some stores in the United States now, but many don’t want to spend the money to upgrade to new card readers.

As might be expected, the data breach has been the centerpiece of a growing number of shareholder lawsuits. Prominently among them is one brought by the Police Retirement System of St. Louis against Target, its board and top executives.

The lawsuit, filed by the $700 million pension fund, accuses Target of “breach of fiduciary duty and waste of corporate assets.”