Target Taps New CIO After Disastrous Breach - Miles Jennings

Written by Miles Jennings | May 5, 2014 8:00:03 AM

Major retailer Target has hired a prominent outsider to be its new CIO in the wake of the ouster of Beth Jacob, who resigned two months ago after a major credit card breach by sophisticated cyberthieves.

Bob DeRodes, 63, held similar positions at Home Depot, Delta Air Lines, Citibank and First Data. He also founded DeRodes Enterprises LLC, a company that consults on information technology and business operations, including for several U.S. government agencies in Washington, according to the Minneapolis Star Tribune.

In a statement, chairman and CEO Gregg Steinhafel told the paper that “establishing a clear path forward for Target following the data breach has been my top priority. I believe Target has a tremendous opportunity to take the lessons learned from this incident and enhance our overall approach to data security and information technology.”

While DeRodes will be the CIO, he won’t have primary responsibility for data breach protection. The article said the retailer will “fill the newly-created position of chief information security officer, a job focused more squarely on thwarting cyberattacks.”

But the article questions which position will have more impact: the CIO or the chief information security officer. It said, “Data security experts differed on the importance of DeRodes’ hire. Anton Chuvakin, a security research director at Gartner Inc., called the chief information security officer position a more critical one for Target at the current time.”

According to the Wall Street Journal, “Target said in January that, beginning in November, hackers had stolen 40 million credit- and debit-card numbers, and addresses and telephone numbers of up to 70 million customers. It later said that at least 12 million shoppers had both their credit card and some personal information stolen.”

Larry Dignan, editor in chief at ZDNet.com, reported, “Target outlined the following moves since the data breach:

  • Enhancing monitoring and logging with more rules, alerts and centralized feeds.
  • Point-of-sale systems that whitelist applications.
  • New network firewall rules and a governance process.
  • Limiting vendor access.
  • Reset 445,000 Target employee and contractor passwords.

Target added that it will give its REDcards chip-and-pin technology in early 2015 and will work with Mastercard to reissue cards. Chip enabled payment systems will also be available by then.”

Dignan reported in March, “So far, the tab for Target’s data breach has mostly been covered by insurance. The costs for the fourth quarter were $61 million, but $44 million was covered by insurance.”

At the blog CIO Engage, George V. Hulme wrote, “According to data in the Kantar Retail ShopperScape report, 33% said they shopped at a Target store this January, a 22% fall from the same period a year ago. A story in Supermarket News reports: “’The overall trend in Target’s past four-week shopper penetration has been on a downward trajectory for the past several years. The retailer’s confirmation of a major breach of its guests’ payment information proved a critical moment in exacerbating that decline.’”

He added, “With a minimum of 40 million customer credit card records compromised and up to another 70 million records including addresses and phone numbers compromised, the costs endured by Target and the insurance company are sure to rise. Last year Ponemon published its annual report on the cost of a data breach, and pegged the average U.S. cost to be approximately $188 per record. That cost includes all IT investigation-related costs, customer churn (something Target is experiencing now), credit monitoring and notifications, regulatory costs and so on.”

The Washington Post reported, also in March, that number is likely to grow higher. “Target said the data breach had helped pull down its fourth-quarter profit by 46 percent,” the company said.

The retailer is working with D.C.-based consulting firm Promontory Financial Group to evaluate its security processes, technology and talent, it said. It’s also upgrading its store cards and payment systems to a more secure technology, the Post reported.