Target CIO resigns as security revamped over data breach

Target Corp.'s executive ranks have suffered their first casualty since hackers stole credit card numbers and other personal data of millions of the retailer's shoppers last year.

Company's 4th-quarter profits take a hit following hacking incident

Target Corp.'s CIO has resigned following a data breach that led to hackers compromising millions of credit and debit card accounts of customers last year. (Rick Wilking/Reuters)

The nation's second-largest discounter told The Associated Press that Beth Jacob, who has overseen everything from Target's web site to its internal computer systems as chief information officer since 2008, has resigned. The company said it will search for an interim CIO.

The departure, which was effective on Wednesday, comes as Target works to overhaul some of its divisions that handle security and technology following the massive data breach. Target said the resignation was Jacob's idea, but some analysts speculate that the executive has faced intense scrutiny as the company has tried to restore its reputation among investors and shoppers.

"People are questioning Target's security and she was the fall guy," said Walter Loeb, a New York-based independent retail consultant.

The resignation points to the changing roles and demands on CIOs. They've long assumed a behind-the-scenes position overseeing not only technology, but the overall safety and security of company systems. But security experts say more is being demanded of them as the public becomes more aware of big security breaches.

70 million customers affected

"Now, they have to take on an active role," said Heather Bearfield, partner in the technology and assurance group at accounting firm Marcum LLP. "You can't sit back and rely on the infrastructure."

Target disclosed on Dec. 19 that a data breach compromised 40 million credit and debit card accounts between Nov. 27 and Dec. 15. Then on Jan. 10 it said hackers also stole personal information — including names, phone numbers, and email and mailing addresses — from as many as 70 million customers.

When all is said and done, Target's breach could eclipse the biggest known data theft at a retailer: TJX Cos. in 2007 disclosed a breach of customer information that compromised more than 90 million records at its T.J. Maxx, Marshalls and HomeGoods stores.

Target has said it believes hackers broke into its network by infiltrating the computers of a vendor. Then the hackers installed malicious software in the checkout system for Target's estimated 1,800 U.S. stores.

In the wake of the breach, Target has been working to make changes. The company is accelerating its $100 million plan to roll out chip-based credit card technology, which experts say is more secure than traditional magnetic stripe cards.

The company also is changing technology and security duties within the company. For instance, compliance duties at Target were overseen by Target's current vice president of assurance risk and compliance, who already had plans to retire at the end of March. Now, Target is separating the responsibility for assurance risk and compliance.

Gregg Steinhafel, the Chairman, President, and Chief Executive Officer of Target Corporation, said the company is searching for an interim chief information officer. (Allen Fredrickson/Reuters)

The compliance officer makes sure that the company meets outside regulatory requirements and internal policies, while the risk assurance division identifies and monitors the risks affecting the business.

Target, which is based in Minneapolis, also said it plans to look outside the company for a chief information security officer and a chief compliance officer. Before the overhaul, information security functions were split among a variety of executives. Target's new chief information security officer will centralize those responsibilities, the company said.

Additionally, Target said it is working with an outside adviser, Promontory Financial Group, to evaluate its technology, structure, processes and talent as part of the overhaul.

"We recognize that the information security environment is evolving rapidly," said Target CEO Gregg Steinhafel.

Meanwhile, Target has been dealing with the fallout from the theft. The company said last week that its fourth-quarter profit fell 46 per cent on a revenue decline of 5.3 per cent as the breach scared off customers.

Target said sales have been recovering as more time passes, but that it expects business to be muted for some time: It issued a profit outlook for the current quarter and full year that missed Wall Street estimates because it faces hefty costs related to the breach.

'Difficult decision'

In a letter to Steinhafel that was furnished by Target, the outgoing CIO did not mention the data breach, but Jacob said that resigning was a "difficult decision."

During her tenure, Jacob played a big role in bringing Target's online operations in-house a few years ago. She also got attention for overseeing Target's innovation lab that opened last May in San Francisco. The lab looks at futuristic technology, including how wearable gadgets like smart watches might be used in stores.

But during her time as CIO, Target also endured some public relations nightmares related to its online operations. The web site had several outages, particularly during the well-publicized launch of a limited collection from Italian designer Missoni in the fall of 2011. The company has worked hard to fix those problems.

Shares of Target ended down 73 cents, or more than 1 per cent, to $60.60 on Wednesday. The stock is down a little over 3 per cent since the breach was disclosed.