Target's CEO is the latest victim of the data breach that rocked the retail world. Gregg Steinhafel is stepping down as chairman, president and chief executive, handing the reins temporarily to CFO John Mulligan. Target is now on the hunt for new leadership.
Target revealed in late December that a breach had led to the theft of information on 40 million credit and debit card accounts in transactions that occurred from Nov. 27 to Dec. 15. In January, the company said the theft may also have exposed identifying information like names, addresses and e-mail addresses for as many as 70 million customers. In February, Krebs on Security broke the news that at the heart of the costly breach were credentials stolen from a third-party vendor.
The Target data theft was the largest affecting a retailer since data on 45.7 million shoppers was taken in 2005 at retailing giant TJX, which operated several chains, including T.J. Maxx and Marshalls.
"The board is deeply grateful to Gregg for his significant contributions and outstanding service throughout his notable 35-year career with the company," Target's board said in a statement Monday. "We believe his passion for the team and relentless focus on the guest have established Target as a leader in the retail industry."
Under the Bus
The board's statement went on to say that Steinhafel created a culture that fostered innovation and supported development of new ideas. "He also led the company through unprecedented challenges, navigating the financial recession, reacting to challenges with Target's expansion into Canada, and successfully defending the company through a high-profile proxy battle," the board said.
Then why throw him under the bus? Because he led the response to the breach and "held himself personally accountable and pledged that Target would emerge a better company." In other words, someone had to take the fall.
But Steinhafel was not the only scapegoat. In March, CIO Beth Jacob resigned. Jacob had sat in her role since 2008 and had overseen everything from Target's Web site to its internal computer systems.
Who's Really To Blame?
We caught up with Chester Wisniewski, a senior adviser at Sophos, to get his take on the carnage at Target. He told us Steinhafel's resignation sends an important message to executives at organizations who don't believe that IT is their core business.
"Responsibility for the information gathered during the course of business does not only lie with the computer staff in the basement of your building, it goes straight to the top floor as well," Wisniewski said. "The information security of your customers should be just as much a priority as their physical safety when shopping at your stores."
Target is not the only retailer to see a breach recently. Neiman Marcus said after Target's problems became public that it, too, may have been breached. More recently, Sally Beauty Holdings admitted a systems breach.
"While retailers certainly have a responsibility to customers and shareholders to prevent this type of theft, the best way to solve the problem is to stop using 16 digits as if they are a secret code that unlocks people's bank accounts," Wisniewski said. "The card industry itself has at least as much responsibility for resolving this problem as the merchants."