Target’s CEO has become the first boss of a major corporation to lose his job over a breach of customer data, showing how responsibility for computer security now reaches right to the top.
Gregg Steinhafel, who was also president and chairman, stepped down nearly five months after Target disclosed a huge breach in which hackers stole millions of customers’ credit- and debit-card records from late November to mid-December. The theft badly damaged the store chain’s reputation and profits.
Steinhafel, a 35-year veteran of the company and chief executive since 2008, also resigned from the board of directors, Target announced Monday.
“He was the public face of the breach. The company struggled to recover from it,” said Cynthia Larose, chair of the privacy and security practice at the law firm Mintz Levin. “It’s a new era for boards to take a proactive role in understanding what the risks are.”
The departure of Steinhafel, 59, suggests the company wants a clean slate as it wrestles with the fallout. But the resignation leaves a leadership hole at a time that the 1,800-store chain is facing many other challenges.
The company, known for its trendy but affordable housewares and fashions, is struggling to maintain its cachet while competing with Wal-Mart and Amazon.com. Target is also grappling with a disappointing expansion into Canada, its first foray outside the U.S.
Experts say the breach, which highlighted the flaws in Target’s security system, seemed to be the final straw.
The Target board said in a statement that after extensive discussions with Steinhafel, they both “have decided it is the right time for new leadership at Target.” The board also said that he “held himself personally accountable.”
“The last several months have tested Target in unprecedented ways,” Steinhafel wrote in a letter to the board that was made available to The Associated Press. “From the beginning, I have been committed to ensuring Target emerges from the data breach a better company, more focused than ever on delivering for our guests.”
The company’s stock fell 3.45 percent, or $2.14, to close at $59.87.
Chief Financial Officer John Mulligan was named interim president and CEO.
Under Steinhafel’s leadership, Target won praise for its expansion into fresh groceries and its 5 percent discount for customers who use its branded debit and credit cards. In 2009, he defended the company against a proxy fight waged by hedge-fund manager William Ackman, who was pushing his own candidates for the board.
But Target, based in Minneapolis, has been criticized for reacting too slowly to the shift toward shopping on mobile devices. Target just started to let shoppers order items online and pick them up at the store, years later than some competitors.
Analysts also say Target botched its Canadian expansion by moving too aggressively. The company opened about 120 stores in the latest year and lost nearly $1 billion in the Canadian business.
On Dec. 19, Target disclosed that a breach of 40 million credit- and debit-card accounts occurred between Nov. 27 and Dec. 15. Then, on Jan. 10, the company said hackers also stole personal information — including names, phone numbers, and email and mailing addresses — from as many as 70 million customers.
“Ultimately, too much rained down on Gregg Steinhafel,” said Brian Sozzi, CEO and chief equities strategist at Belus Capital Advisors. “There was no way he could escape the black vortex of news.”
Target reported in February that its fourth-quarter profit fell 46 percent on a revenue decline of 5.3 percent, as the breach scared off customers.
Target’s sales have been recovering, but it expects to feel the effects for some time. The breach has spawned dozens of legal actions that could prove costly.
Shares are down 5.8 percent since the breach was disclosed.
Target’s response since the theft has included free credit-monitoring for affected customers and an overhaul of security systems. Two months ago, the company’s chief information officer lost her job.
And last week, Target announced plans to become the first major U.S. retailer to have store credit- and debit-cards with chip-and-PIN security technology.
When the final tally is in, Target’s breach may eclipse the biggest-known data-theft at a retailer, one disclosed in 2007 at the parent company of TJ Maxx that affected 90 million records.
That breach didn’t directly lead to the CEO’s ouster; TJX Co.’s management was already in transition at the time.