
Target hires CISO as more retail breaches surface

Brandan Blevins, News Writer

Target Corp.'s first chief information security officer took control of the Fortune 500 retailer's security program this week, even as a number of newly uncovered retail breaches highlight the ongoing challenges his organization will face.

Target announced last Tuesday that the Minneapolis-based retail giant had appointed Brad Maiorino to fill its open chief information security officer (CISO) position, which was created as a result of the massive data breach the company experienced at the tail end of 2013. Data on approximately 40 million payment cards and personal information on 70 million customers were compromised in that incident.

Former Target CIO Beth Jacob had previously held the reins of the company's security program, but she resigned in March in the wake of the breach. Former Target CEO Gregg Steinhafel was also recently ousted from his position as the costs associated with the historic security incident continued to weigh on the company's overall financial health.

Now Maiorino, a veteran security executive who previously led an overhaul of auto manufacturing giant General Motors' information security program, has been tasked with managing Target's technology risk strategy, including the company's ongoing transition to chip-and-PIN (EMV) technology for its payment cards. He will report to recently appointed CIO Bob DeRodes.

"I am looking forward to joining the Target team and helping them continue the progress they have made to be a retail leader in information security and protection," said Maiorino in a statement. "I am confident that the combination of a strong team and the leadership commitment will enable us to achieve that objective."

Target's CISO hire comes as other high-profile companies cope with data breaches of varying severity.

Just last week, restaurant chain P.F. Chang's China Bistro alerted customers to a potential data breach that may have compromised some credit and debit cards. The company said it was only made aware of the incident after being contacted on June 10 by the U.S. Secret Service, though P.F. Chang's only confirmed the breach publicly after veteran security journalist Brian Krebs posted details about the investigation on his website.

P.F. Chang's has yet to release further details on the incident, including how many card numbers may have been stolen, when the breach occurred and what other information may have been exposed, as the Secret Service and unnamed third-party forensics experts continue to investigate.

The Scottsdale, Arizona-based company did take the step of moving to manual credit card imprinting systems -- an outdated way of processing payment cards that leaves carbon copies of transactions -- at its stores in the interim.

"This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues," said P.F. Chang's CEO Rick Federico in a statement.

U.S.-based restaurant chain Domino's Pizza also confirmed this week that personal data on more than 600,000 customers of its France and Belgium operations had been stolen. The Domino's France Twitter account said that the company "uses an encryption system for data," but that the data could likely be decrypted by seasoned hackers. Encryption protects stored records only from an attacker who does not also obtain the key; an attacker who has compromised the application that decrypts those records for normal use is usually in a position to recover the key or to drive the decryption through the application itself.

A hacking group known as "Rex Mundi," which previously targeted U.S.-based payday lender AmeriCash Advance in 2012, posted on Pastebin what it claimed was a sample of the data taken in the breach, including customers' passwords, full names, addresses and phone numbers. Rex Mundi said it had emailed Domino's France and Belgium to inform them of the vulnerability it had exploited and to offer the return of the data trove in exchange for 30,000 euros.

"So far, Domino's Pizza has not replied to our demands. We would also like to point out that both of their websites are still up and vulnerable," said the Pastebin post. "Domino's Pizza has until Monday at 8PM CET to pay us. If they do not do so, we will post the entirety of the data in our possession on the Internet."

Dwayne Melancon, chief technology officer for Portland, Oregon-based Tripwire Inc., said that attackers are increasingly taking advantage of weaknesses in systems that fall outside the scope of PCI (Payment Card Industry) compliance requirements, which means that retailers need to "look at risk in a more holistic fashion."

Melancon said that P.F. Chang's switch to carbon-paper imprint slips actually makes sense in the short term, especially if the company does not yet have a full understanding of which of its systems it can trust, but that such measures are impractical in the long term because retailers no longer have the processes or trained personnel needed to secure and monitor physical slips.

"A paper-based approach may reduce one specific type of risk, but the risk still exists," said Melancon. "The data protection problem has just changed form."

"I'm not particularly surprised at the rising tide of retail breaches," Melancon continued. "Not only are retailers one of the leading targets of cybercriminals, but the perceived success of these breaches over the last year or two encourages cybercriminals to target retailers."