Target’s chief information officer Beth Jacob has resigned just two and a half months after the US retailer confirmed a data breach impacting about 40 million credit and debit cards.
The information stolen during the breach included customers’ names, card numbers, expiration dates and card verification value (CVV) information that would enable cyber criminals to clone cards.
In January, Target admitted that sales had “softened meaningfully” after the announcement of the breach and announced it planned to invest $5m in a multi-year campaign to educate consumers about cyber security as part of efforts to win back customer trust.
Jacob joined the company in 2008 and is the first top executive to leave the third-largest retailer in the US after it was hit by malware planted on point-of-sale (POS) terminals to steal payment card data.
The attackers gained access to Target’s computer systems by stealing the credentials of a refrigeration contractor.
“We are undertaking an overhaul of our information security and compliance structure and practices at Target,” he told the paper.
According to security blogger Brian Krebs, who broke the news of the Target breach on his blog Krebs on Security, Target’s attackers may have gained access via a poorly secured feature built into a widely used IT management software product running on the retailer’s internal network.
Once inside Target’s network, the attackers were able to plant malware on the POS systems.
The FBI believes the attack is one of the latest in a series of attacks on retailers using memory-parsing malware or RAM scrapers.
The malware is designed to extract payment data from the POS device’s memory before it is encrypted and passed on to a retailer’s payment processing provider.
According to an FBI report, one variant of the POS malware, known as Alina, included an option that allowed remote upgrades, making it more difficult to identify and remove.
Before the Target attack, the largest data breach was the theft of 45.7 million credit card records from TJX Companies in 2007.
Security industry commentators have said the breach at Target should serve as a warning to UK retailers and their customers.