Timeline of Target's Data Breach And Aftermath: How Cybertheft Snowballed For The Giant Retailer

  @MeaganKaym.clark@ibtimes.com on May 05 2014 11:39 AM
Gregg Steinhafel
Target President and CEO Gregg Steinhafel resigned Monday, just months after a widespread data breach put the personal information of some 70 million customers in the hands of computer hackers. REUTERS/Keith Bedford

Target Corporation (NYSE:TGT) CEO Gregg Steinhafel resigned Monday in the aftermath of the retailer’s massive data breach in late 2013, in which the personal information of some 70 million customers was stolen during the holiday shopping season.

Here’s how the Target data breach unfolded over the past five months:

Nov. 27 - Dec. 15, 2013: Personal information, including names, mailing addresses and phone numbers, of 40 million customers who used credit and debit cards at U.S. stores are exposed to fraud.

Dec. 13, 2013: Target executives meet with the U.S. Justice Department. 

Dec. 14, 2013: Target hires a third-party forensics team to investigate the hack.

Dec. 15, 2013: Target confirms that criminals had infiltrated its system, installed malware on its point-of-sale network, and potentially stolen guest payment and credit card data. Target removes malware from "virtually all" registers in U.S. stores. The public remains unaware of the data breach.

Dec. 18, 2013: Data and security blog KrebsOnSecurity first reports the data breach. The Secret Service investigates.

Dec. 19, 2013: Target publicly acknowledges the breach, saying it’s under investigation and the information accessed included credit and debit card numbers and card expiration dates, with no indication that PIN numbers were impacted, according to a spokesperson. Customers jam Target’s website and customer service hotlines.

Dec. 20, 2013: Target says very few credit cards compromised by the breach have resulted in fraud and offers U.S. customers a 10 percent discount off in-store purchases for the last weekend before Christmas. The retailer also announces it has no indication that birth dates or Social Security numbers were accessed in the breach.

Dec. 21, 2013: JPMorgan Chase & Co. (NYSE:JPM) places daily limits on spending and withdrawals for its debit card customers affected by the Target breach, begins reissuing cards and opens some branches on a Sunday to help Target customers.

Dec. 22, 2013: Transactions at Target fell 3 percent to 4 percent compared to the year earlier on the last weekend of holiday shopping before Christmas. Other retailers report strong results.

Dec. 23, 2013: Target’s general counsel Tim Baer hosts a 30-minute conference call with state attorneys general as the company works with the U.S. Department of Justice, Secret Service and others.

Dec. 27, 2013: An ongoing investigation by a third-party forensics unit finds that encrypted debit card PIN information was accessed during the breach, but Target says it believes PIN numbers remain secure.

Jan. 10, 2014: Target says an additional 70 million customers had personal information stolen during the breach, including emails. The company lowered its forecast for its fourth quarter, saying sales were meaningfully weaker than expected after news of the breach.

Jan. 22, 2014: Target lays off 475 employees at its headquarters in Minneapolis and worldwide and leaves another 700 positions unfilled.

Feb. 4, 2014: Target CFO John Mulligan testifies before the U.S. Senate Judiciary Committee, mentioning the ongoing investigation but offering no new information on who might have hacked the data. Mulligan says Target has invested hundreds of millions in data security and rejects claims that its systems weren’t up to par. Other witnesses discuss the benefits of chip-and-PIN technology, used widely in Europe but not in the U.S., where banks and retailers have balked at the expense.

Feb. 18, 2014: Costs associated with the data breach topped $200 million, a report from the Consumer Bankers Association and Credit Union National Association finds.

Mar. 7, 2014: Target lets its employees wear jeans and polos to work in an effort to boost morale after layoffs and the sales-killing data breach.

April 30, 2014: Target says it has committed $100 million to update technology and will introduce chip-and-PIN technology for its debit and credit cards by early 2015.

May 5, 2014: Bob DeRodes, a former tech adviser in several federal government agencies, takes over as Target’s chief information officer. Target CEO Gregg Steinhafel resigns.

Join the Discussion