Target: Timeline of a data breach

Target's data breach has been devastating to the retailer and the larger retail industry. It's a story with a very long tail. FierceRetail, along with its sister-publication FierceITSecurity, has put together a helpful timeline tracking Target's data breach, additional retailers affected, industry initiatives and subsequent news items related to security.

We will continue to update this timeline as events occur. Security issues and fraud aren't going away and you can count on FierceRetail and FierceITSecurity for up-to-date coverage.

May 5: Target CEO Gregg Steinhafel resigns effective immediately. Steinhafel's departure after 35 years with the retailer comes just five months after Target's data breach was revealed. Target CFO John Mulligan will serve as interim president and CEO.

April 29: Target took one step closer to rebuilding its IT team with the addition of Bob DeRodes as EVP and CIO, effective May 5. DeRodes assumes oversight of the Target technology team and operations, with responsibility for the ongoing data security enhancement efforts as well as the development of Target's long-term IT and digital roadmap.

March 13: Target confirmed it failed to act on early warnings of malicious activity during its massive data breach. "With the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different," company spokeswoman Molly Snyder said in a statement.

March 12: Target seeks to overhaul security and IT. CEO Gregg Steinhafel said the company is looking for someone to act as interim CIO, is also looking for a chief information security officer (CISO) and will realign oversight of critical IT security functions. Target is looking outside the company for the CISO and a chief compliance officer, newly created positions at the company.

March 11: Target reveals it shelved a campaign tied to the Winter Olympics, because the move would have felt "tone deaf" in light of the data theft.

The campaign was supposed to be titled "Around for Good" and was to highlight the company's philanthropic mission and community contributions. Jeff Jones, Target's CMO, told Advertising Age the campaign may be resurrected for later in the year at a yet-to-be determined date.

March 5: Target CIO Beth Jacob resigns.

Feb. 24: An investigation by Neiman Marcus revealed that hackers set off roughly 60,000 alerts in Neiman Marcus' security system, alerts that were ignored, during an attack that compromised customer account information during a four month period in 2013.

Feb. 18: Target computer security personnel may have raised concerns about potential vulnerabilities in the retailer's system in advance of the November 2013 data breach. At least one computer analyst proposed a thorough review of the system, according to reports.

Feb. 13: Tesco, the U.K.'s largest supermarket chain, is the latest victim of hackers. More than 2,000 of its shoppers have personal details stolen following a data breach.

Feb. 11: The National Cyber Investigative Joint Task Force (NCIJTF) issues a report saying the recent cyber attacks on retailers were not part of a coordinated attack. The NCIJTF says it is tracking and coordinating investigations by the government and retail industry concerning security breaches at stores' POS systems and believe a third party is responsible for the attacks.

Feb. 6: A Pennsylvania-based heating and refrigeration contractor that services Target stores confirms it was "a victim of a sophisticated cyber attack operation," which could be how the hackers gained access to Target's systems.

Fazio Mechanical Services acknowledges it had access to Target's network for electronic billing and project management purposes. It is suspected thieves used Fazio's vendor credentials to access Target's network and upload their malware to cash registers. Only 25 registers were hacked, but up to 110 million cards were compromised during the attack, according to Target.

Feb. 4: Target says it will roll out chip and PIN card readers and accelerate a $100 million POS transformation. Company execs tell a Senate committee that just 25 cash registers were involved in the security breach. John Mulligan, Target's CFO, confirms that the fraudulent access to Target's POS system was caused by hackers who used an outside vendor's credentials.

Feb. 3: White Lodging Services, a company that manages Holiday Inn, Marriott, Radisson, Renaissance, Sheraton, and Westin hotels at 14 locations, admits to a data breach of its POS system at food and beverage outlets that exposed credit and debit card information of guests. Also, the Senate Banking Committee holds hearings examining the recent breaches at leading retailers.

Jan. 25: Following a report by security researcher Brian Krebs, Michaels Stores confirms it is investigating a possible breach involving customers' credit and debit card data. This would be the second major data breach at the largest U.S. arts and crafts retailer within three years.

Jan. 20: The Wall Street Journal reports that Target had the more secure chip and PIN cards in 2004, but abandoned the program after less than three years when shoppers failed to adopt the cards.

Jan. 17: IntelCrawler identifies two Russian hackers as the developers of the POS malware used in the Target and Neiman Marcus data breaches.

IntelCrawler also confirms six additional unnamed retailers have been hit with data breaches similar to that of Target.

Jan. 16: A report from iSIGHT Partners created at the request of the U.S. government reveals the cyber attack on Target was a concerted effort by skilled hackers. According to the document, a malicious program that extracted personal data from POS terminals at store check-out stations was "almost certainly derived" from BlackPOS, software that contained malware scripts with Russian origins.

Jan. 15: Target invests $5 million to support a new cyber security coalition to educate consumers and announces it will pay for one year of credit monitoring services and identity theft protection by Experian.

Jan. 11: Neiman Marcus confirms that it, too, has been the victim of a security breach. The Dallas-based retailer says it began investigating reports of fraudulent activity on credit cards belonging to customers who had shopped in its stores in mid-December when it discovered that its systems had been intruded. A third-party forensics firm confirmed the cyber-security intrusion on January 1, the company says.

Jan. 10: Target says that some additional 70 million customers had their personal information stolen during the holiday data breach. The stolen information may include names, mailing addresses, phone numbers, or emails. In addition, Neiman Marcus admits to security researcher Brian Krebs that it had also experienced a data breach involving customers' credit and debit card data.

Jan. 8: Target customers struggle to get answers from the retailer. One report reveals that callers to the retailer's customer service line failed to get through, were put on hold for lengthy periods and often disconnected.

Jan. 2: The Department of Homeland Security's US-CERT issues a security alert warning about several types of memory scraping malware targeting POS systems of US retailers.

Dec. 31: Target reveals that a small number of gift cards sold during the holiday season failed to activate. While Target Spokeswoman Molly Snyder says less than 0.1 percent of Target gift cards sold were impacted and unrelated to the security breach, the timing serves to further contribute to its already murky customer relations.

Dec. 27: Target's ongoing forensics investigation into the data breach reveals that encrypted debit card PIN information was accessed during the breach, though the retailer says it believes PIN numbers remain safe.

Dec. 23: Target's general counsel, Tim Baer, hosts a conference call with U.S. state attorneys general to allay concerns about damages in the wake of the data breach.

But shoppers are not so easily convinced. The company announces sales at Target stores fell approximately 4 percent during the final weekend before Christmas compared to the same weekend the prior year.

Dec. 21: JP Morgan Chase alerts debit card customers affected by the Target breach that it will place daily limits on spending and withdrawals as it works to reissue cards in the following two weeks.

Dec. 20: Target says it has no indication that birth dates or social security numbers were accessed and that it is working to secure free credit monitoring for affected customers.

In what will likely be the first of many, a lawsuit is filed in federal court in San Francisco, claiming that Target "failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach."  

Dec. 19: Target acknowledges the breach of information publicly and says the matter is under investigation and that information accessed included customer names, credit or debit card numbers used, their expiration dates and encrypted security codes.

Dec. 18: News of the breach is reported by security blogger Brian Krebs; The Wall Street Journal then reports the Secret Service is investigating the breach.

Nov. 27-Dec. 15: A data hack at U.S. Target stores exposes as many as 40 million credit- and debit-card customers to fraud through a compromised point-of-sale (POS) system.