Breach Aftermath: Target CEO Steps Down
CFO John Mulligan Appointed Interim President
Gregg Steinhafel has resigned as Target Corp.'s chairman, president and CEO following the data breach late last year that exposed 40 million credit and debit card accounts, along with personal information on 70 million customers.
"Today we are announcing that, after extensive discussions, the board and Gregg Steinhafel have decided that now is the right time for new leadership at Target," the company's board of directors said in a May 5 statement. "Most recently, [Steinhafel] led the response to Target's 2013 data breach. He held himself personally accountable and pledged that Target would emerge a better company. We are grateful to him for his tireless leadership and will always consider him a member of the Target family."
John Mulligan, Target's chief financial officer, has been appointed as interim president and CEO, the board says. Roxanne Austin, a current member of Target's board of directors, has been appointed as interim non-executive chair of the board. Both will serve in their roles until permanent replacements are named. Steinhafel will serve in an advisory capacity during the transition.
Mulligan attended recent U.S. Senate hearings where his company was grilled for the way it handled the breach (see: Target CFO Grilled in Senate Hearing). For example, senators questioned whether the company could have had better security practices in place when managing its vendors, to which Mulligan responded, "Yes."
On April 29 Target announced the appointment of a new CIO (see: Target Hires New CIO). Bob DeRodes will lead Target's information technology transformation and assume oversight of the Target technology team and operations, with responsibility for the ongoing data security enhancement efforts as well as the development of Target's long-term information technology and digital roadmap. Beth Jacob resigned as CIO on March 5 (see: Target to Hire New CIO, Revamp Security).
The company is continuing its search for a chief information security officer and a chief compliance officer.
Target recently offered updates on the steps it's been taking to ramp up its security and technology efforts following the breach, including:
- Enhancing monitoring and logging, including implementing additional rules and alerts, centralizing log feeds and enabling additional logging capabilities;
- Installing application whitelisting on point-of-sale systems;
- Implementing enhanced segmentation, including the development of point-of-sale management tools, review and streamlining of network firewall rules and development of a comprehensive firewall governance process;
- Reviewing and limiting vendor access, including decommissioning vendor access to the server impacted in the breach and disabling select vendor access points, including FTP and telnet protocols;
- Enhancing security of accounts, including coordinating the reset of 445,000 Target team member and contractor passwords, broadening the use of two-factor authentication, disabling multiple vendor accounts, reducing privileges for certain accounts and developing additional training related to password rotation.
Beginning in early 2015, the company's entire REDcard portfolio, including all Target-branded credit and debit cards, will be enabled with MasterCard's chip-and-PIN solution. Existing co-branded cards will be reissued as MasterCard co-branded chip-and-PIN cards.
Earlier in the year, Target announced an accelerated $100 million plan to move its REDcard portfolio to chip-and-PIN-enabled technology and to install supporting software and next-generation payment devices in stores. The new payment terminals will be in all 1,797 U.S. stores by this September, six months ahead of schedule, the company says.