Target’s chief information officer Beth Jacob has resigned on the eve of a major IT security overhaul, following a massive breach of Target’s datacenters that netted hackers data from 110 million customer accounts.
The company will appoint an interim CIO to oversee a $100 million IT overhaul, according to a statement attributed to Target CEO Gregg Steinhafel that was released to the Associated Press March 5.
The company will also hire a chief information-security officer (CISO) to oversee technical and operational security issues, as well as a chief compliance officer (CCO) who will be responsible for risk-assurance analysis and the company’s compliance with federal financial reporting regulations, in addition to frameworks such as the Payment Card Industry Data Security Standard (PCI DSS), compliance with which is required of any company dealing with major credit- and debit-card payments.
The new chief compliance officer will replace Target’s existing compliance chief, who is going through with previous plans to retire at the end of March.
The CISO position will be new, and will consolidate IT security functions previously spread out among several other executives, according to the company. Target has hired financial risk-management and compliance consultancy Promontory Financial Group to help take it through the transition, its accelerated $100 million migration to chip-based payment cards, overhaul of its IT security and infrastructure, and continuing certification with PCI DSS requirements.
Following revelation of the data breach, many security analysts pointed to the uncertain state of Target’s PCI compliance as a contributing factor. The breach now appears to have been caused by the infection of many of Target’s Windows-based point-of-sale systems by the BlackPOS malware, which scrapes data from system memory as the card is scanned, before the encryption and security procedures required by PCI might have prevented the interception. Target has not made public enough information to evaluate its PCI compliance status, but has insisted it was in full compliance with all federal and PCI regulations at the time of the breach.
Target sales dropped off immediately following news of the attack, but have recovered somewhat, according to the company.
In its Feb. 26 earnings announcement, Target reported its profit for the fourth quarter of 2013 was 46 percent below the previous year, though revenue declined only 5.3 percent. “During the first half of the fourth quarter, our guest-focused holiday merchandising and marketing plans drove better-than-expected sales. However, results softened meaningfully following our December announcement of a data breach,” Steinhafel is quoted as saying in the earnings announcement.
As CIO, Jacob led an intercontinental IT staff of nearly 4,000 employees, split between the company’s retail stores and Minneapolis headquarters in the U.S. and development sites in Bangalore, India. She is credited with overhauling the IT organization to make it more agile and effective after taking over as CIO in 2008, increasing its capacity for large-scale IT projects and for taking a more strategic approach to IT, including moving management of the Target.com site in-house, according to a Sept. 2012 profile in the Minneapolis/St. Paul Business Journal.
She has an undergraduate degree in retail merchandising, as well as an MBA from the University of Minnesota.
Jacob was not a traditional IT career executive, however. She started with Target in 1984 as an assistant buyer in its Dayton, Ohio department-store division, left in 1986 and returned in 2002 as director of guest contact centers – the company’s front-line customer-service contact point. She was promoted to VP of guest operations in 2006, promoted again to senior VP and CIO in 2008 and yet again in 2010 to Executive VP of Target Technology Services and CIO.
The role either Jacob or Target’s IT staff played in the breach has not been determined, but pundits have been predicting her departure since soon after the breach. “While security is ultimately her responsibility,” wrote Forbes blogger and CIO Next community manager Howard Baldwin a week after the breach was announced, “it would be a shame for someone of her vision to be felled by a lapse – intentional or unintentional – within her ranks, if that’s indeed what happened.”
Jacob also led projects including a discount called Cartwheel that attracted 2 million members and a push toward mobile web access to support the 30 percent of Target traffic that came from mobile devices, according to a Nov. 2013 profile in ZDNet.
Jacob focused much of her effort on using IT to drive programs to deliver specific benefits or conveniences to customers to enhance customer loyalty, a goal she referred to as “brand love.”
Ironically, she also oversaw the update and overhaul of Target’s point-of-sale systems, which were perceived as clunky and annoying to customers. “When you shop Target you can swipe your card before the transaction is complete,” Jacob told ZDNet’s Larry Dignan. “It’s a small, but important innovation that we patented a long time ago, that allows our check out experience to be really easy and really fast. Another place that we’ve innovated in point of sale is that we have our guests able to keep their coupons on their mobile phone. They might have several coupons and with a single barcode scan they’re able to capture the value of all of those coupons at point of sale.”
In her letter of resignation, which Target also circulated, Jacob called her resignation a “difficult decision,” but didn’t mention the data breach specifically. “This was a time of significant transformation for the retail industry and for Target,” she wrote.