The fallout from Target’s data breach is far from over.
The retailer’s chief information officer, Beth Jacob, is stepping down, the company said Wednesday, marking the first high-level departure since the December data theft that affected up to 110 million customers.
Jacob’s resignation is one of the first steps in Target’s overhaul of its security structure. The retailer is working with D.C.-based consulting firm Promontory Financial Group to evaluate its security processes, technology and talent, it said. It’s also upgrading its store cards and payment systems to a more secure technology.
Last week, Target said the data breach had helped pull down its fourth-quarter profit by 46 percent. The attack has cost the company $17 million, it said, but experts say the final tally will be much higher.
“To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information security and compliance structure and practices at Target,” the retailer’s chief executive, Gregg Steinhafel, said in a statement provided to The Washington Post.
Target said the shake-up of its leadership ranks is not complete. It will search for an external candidate to replace Jacob as interim chief information officer. That person will guide the company through its security overhaul, Target said. It is also creating two new positions — chief information security officer and chief compliance officer.
The spate of cyberattacks against Target, Neiman Marcus and other retailers has triggered debates in Washington about data security practices, outdated payment technology and customer-notification laws.
At a House Financial Services committee hearing on Wednesday, Secret Service Deputy Special Agent William Noonan urged Congress to enact legislation proposed three years ago by the White House to give law enforcement better tools to detect and prevent intrusions. The proposal called for more oversight, reporting requirements and information-sharing between companies and the government to curb cybersecurity threats.
“While there is no single solution to prevent data breaches of U.S. customer information, legislative action could help to improve the nation’s cybersecurity, reduce regulatory costs on U.S. companies and strengthen law enforcement’s ability to conduct effective investigations,” Noonan said.
But some industry officials are wary of the prospect of more regulations. Troy Leach, chief technology officer at the Payment Card Industry Security Standards Council, which sets the standards for protecting card information, told lawmakers at the hearing that the industry is “uniquely qualified” to police the payment card system.
“Any government standard in this area would likely be significantly less effective in addressing current threats, and less nimble in protecting consumers from future threats, than the constantly evolving PCI Standards,” Leach said.
But the far-reaching impact of data breaches on the American public may be too great for Congress to ignore. Several lawmakers said during the House hearing that they had been victims of identity theft.
Rep. Robert Pittenger (R-N.C.) said he and his wife learned Tuesday that criminals had lifted their credit card information and racked up $4,000 in fraudulent charges.
“We have to remain vigilant in our fight against these individuals and organizations,” Pittenger said. “The consequences of not being equipped for a threat could ruin the lives and threaten the security of millions of Americans.”
Rep. Carolyn B. Maloney (D-N.Y.) said all four members of the Financial Institutions and Consumer Credit subcommittee had their identities stolen at one point. She did not say whether the thefts were related to any of the recent attacks.
“Most Americans have had their identity stolen, including myself,” she said. “And it’s very costly to law enforcement, certainly our stakeholders, our financial institutions and to individuals.”