Timeline: Target CEO steps down after data breach rocks retailer

Mon May 5, 2014 12:03pm EDT

(Reuters) - Target Corp removed Chief Executive Gregg Steinhafel on Monday in the wake of a devastating data breach that hurt the No. 3 U.S. retailer's profits, shook customer confidence in the company and prompted congressional hearings.

Following are the developments leading up to the exit:

DECEMBER

December 18 - A security industry blog reports that payment card data were stolen from an unknown number of Target customers, starting on the busy Black Friday weekend.

December 19 - Target says hackers have stolen data from up to 40 million credit and debit cards of shoppers.

December 20 - Steinhafel seeks to reassure customers that it was safe to shop at the company's stores and offers 10 percent discounts on the last weekend before Christmas.

Investigators believe that overseas hackers were responsible, a source tells Reuters.

Lawyers and industry sources say that the theft could end up costing hundreds of millions of dollars, but it was unclear who would bear the expense.

December 21 - JPMorgan puts new debit card limits for its Chase brand bank debit cards used by customers at Target stores.

December 23 - Retail consultancy Customer Growth Partners LLC says Target suffered a 5 percent drop in traffic over the final weekend before Christmas.

Target partners with U.S. secret service and Department of Justice for an investigation.

December 27 - Target says PIN data of some customers' bank ATM cards were stolen, but it was confident that the information was "safe and secure".

JANUARY

January 10 - Target raises number of customers affected by the breach to 70 million and lowers its fourth-quarter profit forecast.

Attorneys general from New York, Connecticut, Massachusetts and Minnesota join a nationwide probe into the breach.

January 12 - Steinhafel tells CNBC that he had no idea who was responsible for the breach but that the company was now secure.

January 13 - Target begins a major public relations effort to woo back customers, including placing full-page newspaper ads apologizing for the attack.

January 13 - Democratic lawmakers call for a congressional inquiry into the hacking.

January 14 - Two key U.S. senators write to Steinhafel, seeking "detailed information" on the hacking.

January 15 - The New York Times says Citigroup will replace all customer debit cards involved in the breach.

January 16 - A House of Representatives subcommittee says Target agreed to testify before Congress.

The U.S. government provides merchants with information gleaned from its investigation.

January 21 - The U.S. Secret Service says it was checking for links between the hacking and the arrest of two Mexicans trying to enter the United States with a cache of fraudulent credit cards.

January 23 - Target says its Chief Financial Officer John Mulligan will testify before the U.S. Senate Judiciary Committee on February 4 about the data breach.

January 29 - Target says cyber criminals stole vendor's credentials to breach its system.

January 30 - A Target representative briefs Congressional investigators by telephone about the data breach, but offers few fresh details.

FEBRUARY

February 3 - A senior company executive says Target will speed up a $100 million program to implement the use of chip-enabled smart cards to protect against cyber theft.

February 4 - Target CFO tells U.S. lawmakers that the retailer was "deeply sorry" for the data breach and it was determined to win back customers' trust.

February 5 - The U.S. Secret Service visited the office of a Pennsylvania-based refrigeration contractor, Fazio Mechanical Services, whose login credentials were possibly used to breach Target data, a source tells Reuters.

February 6 - A Fazio representative says Target hackers managed to break into its network by first breaching a "data connection" between Fazio and the retailer.

February 13 - U.S. banks and retail groups say they were joining forces to work on cybersecurity.

February 25 - A U.S. House of Representatives committee demands Target turn over internal documents and messages describing how and when it learned of the breach.

February 26 - Target's net profit almost halves in the holiday quarter and the company warns that costs related to the data breach could hurt future profits.

MARCH

March 5 - The company announces an overhaul of its information security practices and the resignation of its chief information officer.

March 13 - Target says its security software detected potentially malicious activity during the breach, but its staff decided not to take immediate action.

March 14 - Target warns that the data breach could have been more extensive than reported.

March 25 - Target missed multiple opportunities to thwart the hackers responsible for the breach, U.S. Senate staffers charge in a committee report.

March 26 - Two banks sue Target and Trustwave Holdings Inc, which provides credit card security services, for "monumental" losses they say card issuers will face because of the breach.

APRIL

April 1 - The two banks who sued Target and Trustwave over responsibility for the data breach drop their lawsuits.

April 14 - U.S. retailers plan to form an industry group for collecting and sharing intelligence about cyber security threats.

April 29 - Target names high-profile information technology consultant Bob DeRodes as chief information officer.

(Compiled by Supantha Mukherjee and Soham Chatterjee in Bangalore; Editing by Sriraj Kalluvila)