Target CEO’s downfall sets bar for future data breaches

The consequences of brands’ data protection breaches in the past have mostly been restricted to bad PR – whether that’s electronics giant Sony, job site Monster or gaming platform Steam. But US retailer Target has shown that the result can be a tangible impact on the bottom line and, ultimately, on the fate of top executives.

Michael Barnett

Target chief executive Gregg Steinhafel resigned over the weekend amid the ongoing fall-out of a hack of Target’s point-of-sale (POS) systems revealed last December, with 40 million shoppers’ payment card details being compromised in the weeks running up to Christmas. That was compounded in January by the further disclosure that up to 70 million more people – some of them possibly the same customers – also had personally identifiable information such as names, addresses and email addresses stolen.

Chief information officer Beth Jacob had already departed in March, alongside the announcement that Target would create the new roles of chief information security officer and chief compliance officer.

As usual, the publicity around the breach Stateside was alarming, but unlike some recent data losses, a very real downturn in sales has followed as customers’ confidence in the Target brand has atrophied. The retailer’s fourth-quarter profits, reported in February, were down 46 per cent.

So what’s different this time from other high-profile breaches? Well, aside from the scale and the prominence of the brand as an everyday shopping destination for millions of Americans, there’s also the fact that this was a mass theft of financial information specifically, giving criminals all they needed to make fraudulent transactions. Secondly, it was shown that people’s data could be stolen in the very act of paying for goods: unencrypted data was intercepted from the POS software by malware when customers swiped their cards in stores.

That’s the killer for Target, because consumers naturally surmise that the best way to stop this happening to them again is not to buy anything on a card in Target – the vulnerability was right there in the store. At least when data is stolen from a hacked database, the customer is likely to have a fatalistic sense that there was nothing they could have done.

This will hurt the brand more than the $61m (£36m) it has spent rectifying its security, more than being subjected to criminal investigations and more than being compelled to testify to Congress.

Yet the differences between this and other hacks might not matter that much in the long run, and neither will the possibility that wider strategic failures at Target contributed to Steinhafel’s departure. The fact is that a link has now been established between data protection, business performance and executive accountability. That should convince boards and compliance officers at companies around the globe that data protection must be top of their agendas.

Recommended