On the same day that Target's new CIO was slated to officially assume his role, the mega-retailer's CEO announced his resignation.
Following its massive holiday breach, Target has continued to undergo major leadership changes, with the latest being the exit of Chairman and CEO Gregg Steinhafel.
On Monday, Target's board of directors issued a statement on Steinhafel stepping down, revealing that John Mulligan, the company's CFO, would serve as interim president and CEO.
“Today we are announcing that, after extensive discussions, the board and Gregg Steinhafel have decided that now is the right time for new leadership at Target,” the statement said. “Effective immediately, Gregg will step down from his positions as Chairman of the Target board of directors, president and CEO.”
The company also provided Steinhafel's resignation letter dated May 5 (PDF), which referenced a number of challenges the retailer faced, including the data breach impacting millions of its customers.
“Target has also faced its share of difficulties, from the worst recession in our lifetime, to a high-profile proxy contest, and most recently, a slow start in Canada and the 2013 data breach,” Steinhafel wrote.
While the payment card breach served as poor publicity for the company, reports have already begun to underscore other factors likely contributing to Steinhafel's exit, such as Target's sales shortfalls in Canada last year. On Monday, Reuters reported that Target experienced a loss of nearly $1 billion in the country in 2013 on sales of $1.3 billion.
In a Monday interview, Avivah Litan, vice president and distinguished analyst at research firm Gartner, told SCMagazine.com that the company's breach was “likely the tipping point,” in a rough year, but not the sole impetus for its change in guard.
Of note, the timing of Steinhafel's exit coincides with the overhaul of other governance at Target, specifically, the entrance of Bob DeRodes, Target's new executive vice president and chief information officer. DeRodes fills the shoes of Target's former CIO Beth Jacob, who resigned in March.
Last Tuesday, the company announced that DeRodes would officially lead its “information technology transformation” starting Monday – the same day Steinhafel made his departure public.
On Monday, Rick Doten, CISO at DMI, a provider of mobile solutions and services, told SCMagazine.com that the personal risk involved in data breaches appears to have widened from IT management to consequences readily felt by C-suite members.
“There's a difference between a corporate risk and personal risk,” Doten said, explaining that breached companies often remain viable competitors, even if senior execs take the heat for incidents.
He added that, “as risk management becomes more of a focus as it relates to IT, it's not just going to be IT folks that get canned when there's a problem, but those business people higher up the chain.”
Doten said that a myriad factors – including incident response costs and potential loss of customers – impacts who shoulders consequences for breaches.
“There's personal risk to individuals that is stemming outside of IT folks, because its impact is much broader to the business,” Doten said.
Through its breach investigation, Target found that 40 million credit and debit cards, CVV numbers and encrypted PIN codes were stolen following a three-week attack on its point-of-sale (POS) devices. In addition, the names, mailing addresses, phone numbers and email addresses of up to 70 million individuals in a different set of accessed data was also impacted.
According to a Monday Forbes article, Target's shares dropped soon after news of Steinhafel's resignation went public. In morning trading, the retailer's shares dipped 3.2 percent to $60.05.