TIMELINE-Target CEO steps down after data breach rocks retailer

Mon May 5, 2014 12:00pm EDT

May 5 (Reuters) - Target Corp removed Chief Executive Gregg Steinhafel on Monday in the wake of a devastating data breach that hurt the No. 3 U.S. retailer's profits, shook customer confidence in the company and prompted congressional hearings.

Following are the developments leading up to the exit:

DECEMBER

Dec. 18 - A security industry blog reports that payment card data were stolen from an unknown number of Target customers, starting on the busy Black Friday weekend.

Dec. 19 - Target says hackers have stolen data from up to 40 million credit and debit cards of shoppers.

Dec. 20 - Steinhafel seeks to reassure customers that it was safe to shop at the company's stores and offers 10 percent discounts on the last weekend before Christmas.

Investigators believe that overseas hackers were responsible, a source tells Reuters.

Lawyers and industry sources say that the theft could end up costing hundreds of millions of dollars, but it was unclear who would bear the expense.

Dec. 21 - JPMorgan puts new debit card limits for its Chase brand bank debit cards used by customers at Target stores.

Dec. 23 - Retail consultancy Customer Growth Partners LLC says Target suffered a 5 percent drop in traffic over the final weekend before Christmas.

Target partners with U.S. secret service and Department of Justice for an investigation.

Dec. 27 - Target says PIN data of some customers' bank ATM cards were stolen, but it was confident that the information was "safe and secure".

JANUARY

Jan. 10 - Target raises number of customers affected by the breach to 70 million and lowers its fourth-quarter profit forecast.

Attorneys general from New York, Connecticut, Massachusetts and Minnesota join a nationwide probe into the breach.

Jan. 12 - Steinhafel tells CNBC that he had no idea who was responsible for the breach but that the company was now secure.

Jan. 13 - Target begins a major public relations effort to woo back customers, including placing full-page newspaper ads apologizing for the attack.

Jan. 13 - Democratic lawmakers call for a congressional inquiry into the hacking.

Jan. 14 - Two key U.S. senators write to Steinhafel, seeking "detailed information" on the hacking.

Jan. 15 - The New York Times says Citigroup will replace all customer debit cards involved in the breach.

Jan. 16 - A House of Representatives subcommittee says Target agreed to testify before Congress.

The U.S. government provides merchants with information gleaned from its investigation.

Jan. 21 - The U.S. Secret Service says it was checking for links between the hacking and the arrest of two Mexicans trying to enter the United States with a cache of fraudulent credit cards.

Jan. 23 - Target says its Chief Financial Officer John Mulligan will testify before the U.S. Senate Judiciary Committee on Feb. 4 about the data breach.

Jan. 29 - Target says cyber criminals stole vendor's credentials to breach its system.

Jan. 30 - A Target representative briefs Congressional investigators by telephone about the data breach, but offers few fresh details.

FEBRUARY

Feb. 3 - A senior company executive says Target will speed up a $100 million program to implement the use of chip-enabled smart cards to protect against cyber theft.

Feb. 4 - Target CFO tells U.S. lawmakers that the retailer was "deeply sorry" for the data breach and it was determined to win back customers' trust.

Feb. 5 - The U.S. Secret Service visited the office of a Pennsylvania-based refrigeration contractor, Fazio Mechanical Services, whose login credentials were possibly used to breach Target data, a source tells Reuters.

Feb. 6 - A Fazio representative says Target hackers managed to break into its network by first breaching a "data connection" between Fazio and the retailer.

Feb. 13 - U.S. banks and retail groups say they were joining forces to work on cybersecurity.

Feb. 25 - A U.S. House of Representatives committee demands Target turn over internal documents and messages describing how and when it learned of the breach.

Feb. 26 - Target's net profit almost halves in the holiday quarter and the company warns that costs related to the data breach could hurt future profits. MARCH

March 5 - The company announces an overhaul of its information security practices and the resignation of its chief information officer.

March 13 - Target says its security software detected potentially malicious activity during the breach, but its staff decided not to take immediate action.

March 14 - Target warns that the data breach could have been more extensive than reported.

March 25 - Target missed multiple opportunities to thwart the hackers responsible for the breach, U.S. Senate staffers charge in a committee report.

March 26 - Two banks sue Target and Trustwave Holdings Inc, which provides credit card security services, for "monumental" losses they say card issuers will face because of the breach.

APRIL

April 1 - The two banks who sued Target and Trustwave over responsibility for the data breach drop their lawsuits.

April 14 - U.S. retailers plan to form an industry group for collecting and sharing intelligence about cyber security threats.

April 29 - Target names high-profile information technology consultant Bob DeRodes as chief information officer. (Compiled by Supantha Mukherjee and Soham Chatterjee in Bangalore; Editing by Sriraj Kalluvila)