On Monday, the CEO of Target became cybercrime’s biggest corporate casualty. Gregg Steinhafel, a 35-year veteran of Target and chief executive since 2008, stepped down and resigned from the board of directors roughly five months after the company disclosed a massive data breach affecting tens of millions of customers. Target has struggled to restore consumer faith in its bull’s-eye brand ever since, watching its shares fall nearly 6 percent and reporting a 46 percent drop in fourth-quarter profit.
The largest known data theft at a retailer occurred in 2007 at the parent company of T.J.Maxx, affecting 90 million records. When the final tallies are in, Target’s breach may well eclipse it. Target revealed in December that the credit and debit card numbers of about 40 million customers were stolen, and then added in February that hackers gained access to partial names and physical or email addresses for as many as 70 million people. Another shocking update came in March, when Bloomberg Businessweek reported that Target’s $1.6 million malware detection system had worked perfectly, spotting the hackers and alerting specialists in Bangalore, India, who flagged the security team in the U.S. But then, as Businessweek put it, “Nothing happened.”
On the other hand, it’s fair to say that any company could have fallen victim to a data breach like this one. At a hearing on the cyberattacks in February, testimony from a Secret Service official noting that the infiltration was “highly technical and sophisticated” prompted Steinhafel to comment, “That shows it’s not just our operation. It would be hard for any retailer to withstand this.” But this breach happened to Target, a huge retailer with a huge customer base, just as the general public was finally turning its attention to cybersecurity.
Steinhafel had other blemishes on his record, such as Target’s botched rollout in Canada last year. With his resignation, it appears that Target’s board is hoping to wipe the slate clean and send yet another signal that security will be a renewed priority. Target had already sent Beth Jacob, its highest-ranking technology officer, out the door in early March. Her replacement, Bob DeRodes, a former senior information technology adviser for the U.S. Department of Homeland Security, the Secretary of Defense, and the Justice Department, started Monday. DeRodes was tapped from outside the company, while Jacob ascended from within Target’s notoriously insular culture. John Mulligan, the chief financial officer who served as Target’s head spokesman on the data breach, has been appointed interim CEO.