Target CIO Beth Jacob Resigns After Huge Breach


So the latest news this week is that the Target CIO Beth Jacob has resigned, it seems to be somewhat linked to the massive heist of credit card details from Target that took place in December last year.

To be fair it was a fairly complex, high-level attack and I’m pretty sure most companies would have been infiltrated with a similarly pervasive attack vector.

Beth Jacob - Target CIO

Target CIO Beth Jacob has apparently fallen on her sword in the wake of the massive security breach in mid-December that compromised 40 million debit and credit cards and swept national headlines. Her resignation was rendered this week effective immediately.

“If you look at the history of other large data breaches, turnover at the top of the IT shop is not unusual,” says retail IT consultant Cathy Hotka.

Target CEO Gregg Steinhafel says the retailer is now looking outside the company for a CIO to succeed Jacob and help overhaul its network security, according to the Wall Street Journal.

Ironically, Jacob, who has a sterling reputation among retail CIOs, was thought of as a great hire by Target in 2008, Hotka says.

Target’s security incident — from the sophisticated breach to Steinhafel penning a mea culpa open letter to Target customers to running apologetic ads in the Wall Street Journal and other major publications to Jacob’s resignation — is a watershed moment for retail CIOs. They are now faced with rethinking their data security strategy.

The kind of breach that occurred at Target was highly sophisticated. Hackers slipped their software into Target’s computer systems via credentials stolen from one of Target’s vendors, reported the Wall Street Journal. The software eventually made its way to checkout stations and began amassing credit card data.


Having worked in this industry for many years, it really comes as no surprise how lackadaisical corporate information security can be at times.

And this was a pretty slick multi-level attack coming in at first through a vendor’s access, and eventually landing on the POS terminals – as was the plan from the beginning I would imagine.

“The people who are responsible for these kinds of breaches are well-organized, criminal enterprises,” Hotka says. “If you went to go up to a bunch of retail CIOs and asked them, ‘Could this have happened to you?’ the answer would be, yes.”

CIOs are put in a tough position because they’re not given adequate security funding, Hotka says. She recalls five years ago when the CIO of apparel and home fashions retailer TJX Companies had asked for additional data security resources and didn’t get them. A massive security breach followed, compromising millions of credit card numbers. TJX Companies agreed to pay $40.9 million to resolve potential claims by banks.

Given the growing sophistication of attacks, retail CIOs must now reconsider whether or not managing the risk in-house is wise. As Jacob’s resignation shows, a retail CIO is culpable yet might not have the know-how or resources to protect the company.

So should retail CIOs outsource data security to the experts?

“I think at this stage it’s not unreasonable,” Hotka says.

There’s a LOT of articles going around about this at the moment, many concerning who’s to blame, was it the CIO? who’s fault is it that engineers brought up that they felt there’s a problem? and so on.

Could the CIO have prevented this? Perhaps if she was very technical and on the ground concerning security practice, but honestly there should be a CSO for that and it falls more under the remit of the CTO than the CIO in my eyes.

Source: Network World

Posted in: Exploits/Vulnerabilities, Legal Issues, Malware, Privacy


Latest Posts:


HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.
OWASP APICheck - HTTP API DevSecOps Toolset OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing tools, creates execution chains easily and is designed for integration with 3rd parties.
trident - Automated Password Spraying Tool trident – Automated Password Spraying Tool
The Trident project is an automated password spraying tool developed to be deployed on multiple cloud providers and provides advanced options around scheduling
tko-subs - Detect & Takeover Subdomains With Dead DNS Records tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services and more.


Comments are closed.