The chief information officer of Target Corp. has resigned as the retail giant overhauls its information security operations amid investigations into a major theft of customer data.
The Minneapolis-based company said Wednesday that it is searching for an interim executive to replace departed CIO Beth M. Jacob on what it described as a long-term, temporary basis.
In a statement Wednesday, Target Chief Executive Gregg Steinhafel described the search for an interim CIO as a “first step.”
“While we are still in the process of an ongoing investigation, we recognize that the information security environment is evolving rapidly,” Steinhafel said.
The company provided a copy of Jacob’s resignation letter, dated March 5, in which Jacob wrote, “This is a good time for a change.”
“This is a difficult decision after 12 rewarding years with the company I love,” Jacob wrote. “This is a time of significant transformation for the retail industry and for Target.”
Jacob, 52, of Medina, did not respond to phone messages Wednesday. Target declined requests for interviews.
Steinhafel outlined other changes to Target’s information security management in his statement. The company has created the position of chief information security officer and is hiring outside for that position. It has also started an external search for a chief compliance officer.
Additionally, Steinhafel said the company is working with an external adviser, Promontory Financial Group, to evaluate its “technology, structure, processes and talent.” Promontory, based in Washington, D.C., advises governments and companies on complex risk and regulatory matters.
The chief information security officer position is a new one for Target, a spokeswoman said. Brenda Bjerke, Target’s senior director for information protection, held some of the responsibilities of a chief information security officer, but was not a chief information security officer, she said.
Bjerke will remain with Target, the spokeswoman said. She said she didn’t know what Bjerke’s role would be.
The management shake-up is Target’s latest response to last year’s monster data breach in which cyberthieves made off with two sets of data, the debit and credit card information of about 40 million shoppers and the partial personal information, such as e-mail addresses, of about 70 million people.
The company doesn’t know how much overlap there is between the two breaches or how much of the personal information is repetitious or out of date, but the theft is one of the country’s largest recorded data security breaches.
While there have been relatively few reports to date of actual fraud stemming from the giant theft, the company faces potential fines and costly litigation over alleged negligence in protecting customer data.
Reporting year-end earnings last week, Target said it spent $61 million in the fourth quarter on costs related to the cybertheft, but expects insurance to cover $44 million of it. That number is expected to grow substantially.
Jacob, who holds an MBA from the University of Minnesota, joined Target predecessor Dayton’s in 1984 as a department store assistant buyer. She left in 1986 and returned to Target in 2002 as director of customer contact centers. In 2008 she became CIO and executive vice president of Target Technology Services.
Reporting to Steinhafel, she oversaw operations in the United States and India, where Target runs a technology hub in Bangalore.
Critics have noted that she had deep operations experience but lacked an information technology background.
One former Target IT employee called Jacob’s departure a surprise and said she was well-regarded inside the company.
The primary responsibility for information protection ultimately falls on the Target Information Protection team, a group separate from Target Technology Services that reports up through Bjerke to Target Financial Services, an arm of the company that handles credit and noncorporate financial operations, the person said.
Industry analysts, however, said Jacob’s ouster was not unexpected.
“Target has not been keeping up in terms of keeping pace with the way they need to move forward with technology,” said Amy Koo, a senior analyst at Kantar Retail in Boston. “There was not enough oversight, clearly, or enough controls.”
Brian Yarbrough, a consumer analyst at Edward Jones & Co., said Target is making a statement that it needs to take its technology game “to the next level.”
“I’m sure for somebody this will be a great role,” Yarbrough said. “You can come in and look like a hero.”
Target’s most-public technology struggle has been its effort to fortify its Target.com shopping website, which at one time was run by Amazon.com. The company spent two years re-engineering the website only to have it crash in 2011 less than a month after its debut, during the launch of highly anticipated Missoni merchandise.
Target has continued to play Internet catch-up. Koo said she’s been frustrated that the retailer seems stuck emphasizing website basics. “Why are we not talking about more sophisticated usability rather than speed and stability?” Koo asked.
Target’s point-of-sale systems have been a major focus of innovation efforts.
On Nov. 8, 2013, just weeks before cybercrooks began vacuuming up debit and credit card information with malware on Target’s point-of-sale terminals in nearly 1,800 U.S. stores, Jacob told IT news site ZDNet.com that the point-of-sale system was “one of the crown jewels of our technology system.”
“It’s a part of our technology that has to be really fast and performance has to be great and we have to really protect it from a security standpoint,” Jacob said, “but it’s a place we want to innovate as well.”