Target’s CIO resigns after massive data breach

Target’s chief information officer has resigned two-and-a-half months after a data breach impacting about 40 million credit and data debit cards

Target’s chief information officer Beth Jacob has resigned just two and a half months after the US retailer confirmed a data breach impacting about 40 million credit and data debit cards.

The information stolen during the breach included customers’ names, card numbers, expiration dates and card verification value (CVV) information that would enable cyber criminals to clone cards.

The breach was one of the largest of 2013 and is one of the largest retail breaches to date with the personal information of 70 million customers also thought to have been compromised.

In January, Target admitted that sales had “softened meaningfully” after the announcement of the breach and announced it planned to invest $5m in a multi-year campaign to educate consumers about cyber security as part of efforts to win back customer trust.

Jacob joined the company in 2008 and is the first top executive to leave the third largest retailer in the US after it was hit by malware planted on point-of-sale (POS) terminals to steal payment card data.

The attackers gained access to Target’s computer systems by stealing the credentials of a refrigeration contractor.

Target chairman Gregg Steinhafel said the company will search for an interim CIO to guide the company through an overhaul of its systems, reports the Guardian.

“We are undertaking an overhaul of our information security and compliance structure and practices at Target,” he told the paper.

According to security blogger Brian Krebs, who broke the news of the Target breach on his blog Krebs on Security, Target’s attackers may have gained access via a poorly secured feature built into a widely used IT management software product running on the retailer’s internal network.

Once inside Target’s network, the attackers were able to plant malware on the POS systems.

The FBI believes the attack is one of the latest in a series of attacks on retailers using memory-parsing malware or RAM scrapers.

The malware is designed to extract payment data from the POS device’s memory before it is encrypted and passed on to a retailer’s payment processing provider.

According to an FBI report, one variant of the POS malware, known as Alina, included an option that allowed remote upgrades, making it more difficult to identify and remove.

Before the Target attack, the largest data breach was the theft of 45.7 million credit card records from TJX Companies in 2007.

Security industry commentators have said the breach at Target should serve as a warning to UK retailers and their customers.

Read more on Privacy and data protection