Target’s CEO just became cyber-crime’s biggest corporate casualty

Gregg Steinhafel just learned that when it’s broke, even fixing it ain’t enough.
Gregg Steinhafel just learned that when it’s broke, even fixing it ain’t enough.
Image: Reuters/Allen Fredrickson
We may earn a commission from links on this page.

Target CEO Gregg Steinhafel did everything right.

When the retail chain suffered a massive security breach that compromised the data of tens of millions of customers at the height of last year’s US holiday shopping season, Steinhafel disclosed more information than he was legally required to, offered free credit monitoring and identity theft insurance to millions, and conducted an “end-to-end review” of Target’s people and technology.

At his own insistence, the company kept revising upward (paywall) the numbers of people affected, which eventually ran to some 40 million credit-card users and personal data from as many 70 million. And the strategy seemed to be working: When the company announced its most recent quarterly earnings at the end of February, its share price jumped on a stronger-than-expected profit.

But today Target announced that Steinhafel, who is also president and chairman of the board, will step down immediately. CFO John Mulligan will step in as CEO while the company searches for a replacement. That makes Steinhafel the highest-profile corporate casualty of a world where data breaches can affect millions of consumers, and cost a company billions in sales and years of customer loyalty.

Evidently, doing everything right afterwards didn’t make up for the mistakes that had gone before. Target had, according to a Bloomberg Businessweek report, made ample preparations for a large-scale hacking attack of just the kind that it experienced. But while the company’s security team was notified of suspicious activity in the early stages of the breach, before data had been transferred, it did not respond until the data loss had affected tens of millions of people.

What probably didn’t help Steinhafel’s position was that his insistence on transparency kept the scandal in the news and added to the nervousness. The company was struggling to a degree in other areas—lower traffic as more people shop online, and a pricey and struggling expansion into Canada. As a 35-year company veteran who had a reputation as an excellent merchandiser, and been instrumental in defining Target’s niche as a kind of mid-range alternative to Walmart, Steinhafel could probably have survived those difficulties. But the February earnings report, while better than expected, nonetheless highlighted a 46% drop in profit and a substantial fall in sales:

Image for article titled Target’s CEO just became cyber-crime’s biggest corporate casualty

Some other companies have had similar breaches. But the number of people affected in Target’s case, and the fact that it happened during the much-discussed holiday season, led to dozens of lawsuits and a public-relations nightmare that didn’t end. As a retailer, Target is more reliant on consumer’s explicit trust than some victims of other large data breaches, like Experian or Adobe, making for a much worse backlash.

Steinhafel told The Wall Street Journal (paywall) back in February that “Target won’t be defined by the breach, but how we handle the breach.” The company has evidently decided that the best way to make that true is to let Steinhafel go—even if the clean-up job, too, is mostly to his credit.