Target Hires New CIO
Bob DeRodes to Lead Company's Post-Breach Security Efforts
Target Corp. on April 29 announced the appointment of a new CIO in the wake of the massive breach late last year that compromised 40 million credit card numbers and impacted personal information of an additional 70 million customers.
Bob DeRodes will lead Target's information technology transformation, effective May 5, the company says. DeRodes will assume oversight of the Target technology team and operations, with responsibility for the ongoing data security enhancement efforts as well as the development of Target's long-term information technology and digital roadmap.
DeRodes has more than 40 years of experience in information technology, data security and business operations. He was a senior information technology adviser for the Center for CIO Leadership, the U.S. Department of Homeland Security, the U.S. Secretary of Defense and the U.S. Department of Justice. He has also held top technology positions at a number of multinational companies including Citibank, USAA Federal Savings Bank, First Data, Home Depot and Delta Air Lines.
"The company is continuing its active search for a chief information security officer and a chief compliance officer," Target says.
Beth Jacob resigned as CIO on March 5 (see: Target to Hire New CIO, Revamp Security). In a letter to Target chairman, president and CEO Gregg Steinhafel obtained by The New York Times, Jacob said her resignation was "a difficult decision," but noted that "this was a time of significant transformation for the retail industry and for Target."
"Establishing a clear path forward for Target following the data breach has been my top priority," Steinhafel says in the April 29 statement. "I believe Target has a tremendous opportunity to take the lessons learned from this incident and enhance our overall approach to data security and information technology. Bob's history of leading transformational change positions him well to lead our continued breach responses and guide our long-term digital strategy."
Target also offered updates on the steps it's been taking to ramp up its security and technology efforts following the breach, including:
- Enhancing monitoring and logging, including implementation of additional rules, alerts, centralizing log feeds and enabling additional logging capabilities;
- Installing application whitelisting on point-of-sale systems;
- Implementing enhanced segmentation, including the development of point-of-sale management tools, review and streamlining of network firewall rules and development of a comprehensive firewall governance process;
- Reviewing and limiting vendor access, including decommissioning vendor access to the server impacted in the breach and disabling select vendor access points, including FTP and telnet protocols;
- Enhancing security of accounts, including coordinating the reset of 445,000 Target team member and contractor passwords, broadening the use of two-factor authentication, disabling multiple vendor accounts, reducing privileges for certain accounts and developing additional training related to password rotation.
Beginning in early 2015, the company's entire REDcard portfolio, including all Target-branded credit and debit cards, will be enabled with MasterCard's chip-and-PIN solution. Existing co-branded cards will be reissued as MasterCard co-branded chip-and-PIN cards.
Earlier in the year, Target announced an accelerated $100 million plan to move its REDcard portfolio to chip-and-PIN-enabled technology and to install supporting software and next-generation payment devices in stores. The new payment terminals will be in all 1,797 U.S. stores by this September, six months ahead of schedule, the company says.
In March, Target joined the Financial Services Information Sharing & Analysis Center, which the company says reflects its continued commitment to shared responsibility between retailers and financial institutions.
"The company also continues to voice support for responsible policy measures that help further enhance security for consumers, including supporting a national notification standard for all data breaches," the April 29 statement says.