The retailer is hiring Bob DeRodes to help with new approach to data security.
Target Corp. has reached outside the company for a new technology leader after experiencing one of the worst data breaches in U.S. corporate history, announcing Tuesday the hiring of a widely experienced executive as chief information officer.
Bob DeRodes, 63, held similar positions at Home Depot, Delta Air Lines, Citibank and First Data. He also founded DeRodes Enterprises LLC, a company that consults on information technology and business operations, including for several U.S. government agencies in Washington.
In a statement, chairman and CEO Gregg Steinhafel said that “establishing a clear path forward for Target following the data breach has been my top priority.”
“I believe Target has a tremendous opportunity to take the lessons learned from this incident and enhance our overall approach to data security and information technology,” Steinhafel said.
Also Tuesday, Target said it’s taken a number of steps to bolster its data security practices. The actions include developing a comprehensive process for governing firewalls, disabling certain vendor access points and adding “whitelisting” rules to its point of sale systems, allowing only certain processes to run on them.
Target declined to make executives available to discuss the hiring of DeRodes. An Atlanta resident, he will start at the Minneapolis-based retailer next week.
“It is clear to me that Target is an organization that is committed to doing whatever it takes to do right by their guests,” DeRodes said in the company’s statement.
DeRodes succeeds Beth Jacob, a Target veteran who resigned in early March, little more than two months after the company revealed its point-of-sale systems had been breached by cyberthieves who gained access to the personal and financial information of tens of millions of customers.
The nation’s No. 2 retailer is still hunting outside its ranks for someone to fill the newly-created position of chief information security officer, a job focused more squarely on thwarting cyberattacks. Also on Target’s shopping list: a chief compliance officer. The company wouldn’t say how close it is to filling those positions.
“We’re committed to finding the right person for the role and haven’t specified any timeline,” said spokeswoman Molly Snyder. “Our recruiting efforts are continuing as this role is a high-priority position for us to fill.”
Data security experts differed on the importance of DeRodes’ hire. Anton Chuvakin, a security research director at Gartner Inc., called the chief information security officer position a more critical one for Target at the current time.
Al Pascual, security risk and fraud analyst at Javelin Strategy & Research, said DeRodes was “a natural choice” for the chief information officer job because of his strong background. “The right man at the right time,” Pascual said.
Hackers began siphoning off data during Target’s busy holiday shopping season in early December, damaging the retailer’s reputation and hurting its financial performance as customers drifted away. The company is protecting consumers against losses they may suffer because of the stolen information.
The data breach prompted several congressional hearings on the security of consumer information, and a blistering Senate committee report in March outlining multiple steps Target could have taken to prevent the attack.
Since the breach, the company has reset the passwords of 445,000 employees and contractors and expanded the use of two-factor authentication, meaning adding an additional security step for logging into its systems.
Target also is speeding up its $100 million plan to roll out more secure chip-based payment card technology. The new point-of-sale terminals should be in all of its nearly 1,800 U.S. stores by September, it said, six months faster than previously announced. The stores will be ready to accept chip-enabled cards for payment in early 2015.
The retailer also is working with MasterCard to offer more secure versions of its Target-branded credit and debit cards.
While magnetic strips transfer a credit-card number, chip cards use a one-time code that moves between the chip and the retailer’s terminal, with the data useless to others. They’re also regarded as nearly impossible to copy, at least for now.