Target CEO out after massive cyberattack; CFO to replace

Target CEO out after massive cyberattack; CFO to replace

Summary: UPDATED: The company's chief financial officer will now take the lead in the executive suite. In leaving the job, Gregg Steinhafel may receive as much as $9.26 million.

TOPICS: Security
(Image via CNET)

Target's chief executive and chairman Gregg Steinhafel has stepped down, effective immediately, following an earlier devastating cyberattack that dinged profits and launched a congressional inquiry.

In a statement, Target's board of directors said: "Today we are announcing that, after extensive discussions, the board and Gregg Steinhafel have decided that now is the right time for new leadership at Target."

The board has named chief financial officer John Mulligan as interim chief executive and president. Roxanne Austin, a member of Target's board of directors, will serve as non-executive of the board.

It comes five months after the retail giant said it was the victim of a cyberattack that resulted in the theft of more than 40 million credit card details, and as much as 110 million bits of customer data in total.

In his resignation letter, Steinhafel said he was "proud" of the gains the company has made, but added that he was "tested... in unprecedented ways" following the breach.

A 14A filing with the US Securities and Exchange Commission on April 29, 2013 said Steinhafel will receive $9.26 million if he voluntarily terminates his contract with Target. It's unclear if that figure remains the same just over a year after the filing was submitted. An up-to-date 14A is expected in the coming days.

In a recent interview with ZDNet prior to the breaches, Jacob walked through Target's approach to mobile commerce, the in-store experience, and ironically how point-of-sale technology leaves an impression. Target's point-of-sale terminals were at the core of Target's data breach.

Profits suffered significantly drop in the first quarter of 2014 after the data breach. According to earlier reporting, the data breach was mostly covered by insurance. The costs for the fourth quarter were $61 million, but $44 million was covered by insurance. 

The successful hacking of its systems also led to members of the company's board and executive level to face questions in Congress.

The board's statement added: "He held himself personally accountable and pledged that Target would emerge a better company," the statement read. However, it wasn't enough to keep Target's chief information officer in his position.

Beth Jacobs, whose tenure as chief information officer spanned more than five years, resigned earlier this year following the scandal. Jacobs was replaced by Bob DeRodes as the head of its internal IT strategy at the end of April. 

Updated at 9:55 am ET: with executive compensation figures for 2013-2014.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I dont get it

    I charge customers using a web service provided by a merchant account. I never see credit card information. Why cant they do the same? There is no need to keep credit card information except when is time to buy something. I can undertand customer information, but credit card info?
    • CC #

      The CC numbers were lifted directly at the POS terminal as the CC info was passed along to memory for processing. The hack lifted the numbers directly from the memory in a process known as memory scraping.
    • Two parts to that

      Credit card information was collected via the data breech, so storage of information or lack thereof would have no change in what occurred.

      Someone has to store the information, either the "merchant account" or the store, at least long enough to get to charge the credit card. With businesses like Target, returned items would have funds put back on the card that was charged. At least this was a standard way of doing things. At this point I've seen a variety of methods now, including just giving cash back.

      There should be some improvements made to better handle systems with both information stored and who has access to internal systems inside Target stores.
  • It always surprises me...

    ...How these people, who run companies that can literally crush lives and whole economies with the decisions they make, can just walk away from their jobs and the burning wreckage they wrought with a golden parachute and right back into a similar job to do it again. Few ever face personal financial pain or ruin for their decisions that cause the same for others.
    • Look for him in the hallways of Congress soon...

      ... lobbying Congress on behalf of the retail and credit industries to block any initiatives aimed at finally moving the US credit card industry out of the dark ages and into the modern era of chip+PIN.
      • You're liable for pin+chip

        At the moment the credit card company are insured for thief but on pin+chip thats down to you, so I might be safer but when someone does hack it you're SOL. Oh and retailers are pushing for pin+chip, its the banks that don't want it.
      • Even better idea...

        Maybe this is a golden opportunity to get rid of credit cards entirely and switch back to all cash. That way you don't have to worry about personal information getting stolen or any sort of liability.
        Third of Five
    • Misplaced Blame...

      Gregg Steinhafel didn't directly cause this, nor did he have a hand in it. He was simply the head of the company at the time. He took responsibility for it since it happened on his watch, and that was the right thing to do. He isn't running away. His departure is most likely a mutual decision between him and the board of directors. People like you who pass judgement without thinking it through are the reason he has to leave. Him staying there threatens to hurt them in the long run because it doesn't instill consumer confidence. Keep in mind how many different computers, servers, programs etc. all work together within their company. Any programmer there can write one small line of code that isn't secure leaving the entire company and its customers vulnerable. It is impossible for the CEO to know everything happening under his watch at every moment. Stuff happens, and he just happened to be the one in charge when it did. At least he accepted responsibility, just like any leader should.
      • A Lot easier

        It's a lot easier to do the "right thing" when you're paid over $9,000,000 to walk away.
        Finding a scapegoat is rarely productive.
        • Wish I Could "Fired" Like That

          I'd happily take 1% of that sum to walk away from my current job. Seriously, WTF?
      • too bad...

        When you are getting paid over $24,000,000 a year you damn well better know what is going on. And when you hire a consultant to come in and determine your vulnerabilities, you need to address those vulnerabilities and not poo-poo them because they will cost to much. Add to the fact that if he left voluntarily he would get over $9,000,000, most people would see the writing on the wall and know that their time was up so grab the cash and bail. I'm sure with his connections he'll be running Kohl's or Sears or JC Penny or some other large corporation with a multimillion dollar salary....
  • CFO bad choice

    Just what they need... a bean counter to cut budgets and bring more shortsighted pennywise pound foolish programs in. I see breach #2 on the horizon coming with a full head of steam.
  • Microsoft and Target

    From a Microsoft press report...
    Tony Burzio
    • Yep

      I'm semi-surprised that Microsoft (and Dell) hasn't pulled this video yet:
  • No surprise

    Target's internal organization, governance and processes are absolutely byzantine. The current executives aren't solely to blame for it, but they didn't do much to challenge or change it, either. The data breach was the symptom of a culture where accountability and decision making are diffused. When an organization puts everyone in charge, no one is.
  • Wouldn't it make more sense...

    Wouldn't it make for sense for the CTO or CIO or whatever they have to step down rather than the CEO?
    • read the story to the end...

      ...where the last paragraph mentions that the CIO resigned earlier this year.
  • Protecting ram space

    Every modern processor and most modern operating systems have ability to limit RAM access to the process that requests the space. Developers need to change their getmem and freemem routines and keep a memory handles list.

    Not complex at all.
  • TARGET Was Told of Breach, Did Nothing.

    Good details here from credible media:

    Target's anti-malware contractor and its internal security team both set off early alarms about the "absolutely unsophisticated" malware and its data breach.

    Target staff did nothing for two weeks, as credit card data spewed from their servers, until US DOJ informed them.
  • Firing the CEO a questionable action

    Forbes just published a different take on the Target situation - noting that cyber-crime leaders make it clear all companies are targets. It's only a matter of time before every company is victimized. Firing the CEO doesn't solve the cyber crime problem, but does leave Target without what has been capable leadership