
3 C-Suite Lessons from Target CEO Resignation


Executives Educated by Target CEO resignation

Gregg Steinhafel, who has been Target’s Chief Executive Officer since 2008, has resigned months after one of the largest data breaches in history made Target stock value and sales plummet. He also resigned from the board of directors, although he will remain on in an advisory capacity. This is a major benchmark in data breach fallout, as Steinhafel, a 35-year veteran of the company, is the first CEO of a major corporation to lose his job over a breach of customer data. And given how lax most retailers are about their security (they spend, on average, only 6% of revenues, vs. 15% for banks), he won’t be the last.

Lesson #1: The CEO is Fair Game. A data breach caused deep within the organization (in Target’s case, by a third-party vendor) can now reverberate all the way to the top. No longer can a corporation blame a Chief Security Officer alone for a breach that impacts brand reputation. As I write, many corporations are scrapping their current org chart and having the CSO/CISO report directly to them. Not only has Steinhafel become the public face of the Target breach, but Target has become the poster child for the entire concept of security breach (replacing TJX, Sony PlayStation and Heartland Payment Systems). Steinhafel’s own words ushered in the significance of his ouster:

“It’s a new era for boards to take a proactive role in understanding what the risks are.”

Target’s slow reaction to the breach (lack of proactivity) is seen as an underlying cause of Steinhafel’s departure and a second great lesson to be learned:

Lesson #2: Delaying Recovery Risks Your Reputation. Have you ever noticed how unethical politicians lose their case not because of their actions, but because of the lies they tell to cover up their actions? The delay-and-denial game is just as risky with data security breaches. The quicker you come clean, the less collateral damage you incur to your brand reputation and recovery efforts.

Businessweek reported that Target’s cyber-security team had enough information to stop the massive leakage of 40 million credit card numbers and 70 million other pieces of personal information before it started – and did absolutely nothing about it.  At the date their article was published, more than 90 lawsuits had been filed against Target by customers and banks for negligence and compensatory damages. That’s on top of other costs, which analysts estimate could run into the billions.

Also, Target reportedly waited nearly a month to reveal the breach to its customers, taking away valuable time when consumers could have been protecting themselves by changing passwords and closing accounts.  Their attempt to placate the public by offering free credit monitoring services is a classic case of too little, too late.

Lesson #3: Wise Companies Understand the Equation: Prevention <$ Recovery. Recently, Target announced plans to become the first major U.S. retailer to have store credit and debit cards with chip-and-PIN security technology. As part of its $100 million effort, Target said all of its store-branded cards would be reissued as MasterCard chip-and-PIN cards in 2015. But as I mentioned in a previous blog, Target started to implement chip-based credit-card technology over ten years ago (they spent $40 million and installed 37,000 new POS terminals but scuttled the initiative for reasons including the fact that it slowed customer checkout); Steinhafel eventually chose speed and convenience over the security of his customers. If they hadn’t backed out of their original plans, they might be telling a very different story today as they watched other, less-secure stores go down instead. And Steinhafel would still have a job.

You tell me, is a $100 million investment worth saving billions of dollars down the road? From experience, I’ve learned that most organizations come to the realization too late. Your organization, however, has much to gain from the lessons we’ve all taken away from the Target CEO resignation.

John Sileo is President and CEO of The Sileo Group, which helps organizations avoid becoming the next disastrous data-security headline. Sileo specializes in making security stick, so that it works. John presents highly interactive, surprisingly funny keynotes for organizations like yours, just as he has for The Pentagon, Visa, Homeland Security and IBM. Contact John directly on 800.258.8076.

Target Data Breach Touches 40 Million In-Store Shoppers


If you are one of the 40 million customers who have used a credit or debit card at Target stores in the United States between November 27 and December 15, you’d better start checking your accounts for fraudulent activity.  Target confirmed that the data stored on the magnetic strip of cards (customer names, debit or credit card numbers, and card expiration dates) were taken, along with the three-digit security codes  (CVVs) often imprinted on the backs of cards.

The type of data stolen would allow thieves to create counterfeit credit cards and, if PIN numbers were intercepted, would also allow thieves to withdraw cash from ATM machines. Only in-store purchases are at risk, so online shoppers need not worry.

Target spokeswoman Molly Snyder would not comment on how customers’ data were stored or encrypted prior to the attack, saying that would be part of the ongoing investigation.  Target immediately notified law enforcement authorities and financial institutions, and the issue is being investigated by the Secret Service and a third-party forensics firm.

This breach is one of the largest ever of American consumer data, nearly matching that of TJX (TJ Maxx and Marshalls stores), which experienced a data breach in 2007 that affected more than 45 million customers. 2013 has been a particularly bad year for breaches overall. One in four Americans have been told that some personally identifiable information has been lost or compromised because of data breaches, according to a recent report from Experian, and the pace of attacks is expected to continue rising through 2014.

In a letter sent to Target customers, Target officials say those who have noticed irregular activity on their accounts should call the firm at 866-852-8680.  In addition, all Target shoppers should:

  1. Review your credit card activity online on a daily basis to monitor for suspicious activity.
  2. Set up automatic account alerts with your credit card provider to quickly detect any misuse of cards.
  3. Visit AnnualCreditReport.com to see if there are any newly established, fraudulent accounts set up.
  4. Cancel your credit card if you notice any suspicious behavior. If it’s a debit card, I would cancel it no matter what, given that it connects directly to your bank account. Make sure to transfer balances and miles and to switch any auto-pay accounts to the new card.
  5. Freeze your credit with the 3 credit scoring bureaus.
  6. Consider ID theft monitoring services to help you keep track of abusive use of your information online.

John Sileo is an author and highly engaging speaker on internet privacy, identity theft and technology security. He is CEO of The Sileo Group, which helps organizations to defend the data that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on 60 Minutes, Anderson Cooper and Fox Business. Contact him directly on 800.258.8076.