Tesco CIO Mike McNamara has been headhunted by US retailer Target to become its next CIO, and to clean-up after the devasting hack in which the credit and debit card details of 40 million customers were stolen.
Before being appointed CIO in 2011, when previous CIO Philip Clarke made the step up to CEO, McNamara was Tesco’s IT director and had been responsible for the retailer’s online presence from start-up until 2006. He joined Tesco in 1998 and is the latest in a string of executive departures since Clarke was elbowed out and replaced by former Unilever marketeer Dave Lewis.
According to Lewis, the CIO role will effectively be changed and Tesco will, instead, look to recruit a chief technology officer. “Mike McNamara has decided to leave Tesco to take up an external appointment. Mike has been a tremendous asset to our business and we are sad to see him go. Given this change we take the opportunity to build on Mike’s legacy by taking the next step in technology and recruit a chief technology officer,” Lewis told financial newspaper CityAM.
In addition to building up Tesco’s online presence via its Tesco.com website, McNamara was also responsible for modernising Tesco’s global IT and supply chain, as well as various in-store innovations, such as “scan as you shop” and an innovations lab, set-up last year and intended to develop new technologies and apply them to Tesco’s retail mission. In an exclusive interview with Computing in 2013, McNamara also explained how Tesco’s successful Hudl tablet computer was developed.
McNamara will replace Bob DeRodes, who is retiring after being parachuted-in to a fire-fighting role in the aftermath of the 2013 hack. McNamara will report to Target chairman and CEO, Brian Cornell, who likewise replaced Gregg Steinhafle, who was persuaded to step down as Target CEO in May 2014.
“Technology is critical for Target’s future success. So finding the right leader for this role was one of my absolute top priorities,” said Cornell. “Mike has been a driving force for technology innovation throughout his career. He’s got a stellar track record, and I’m excited to see how he’ll help our team continue to push new innovations that enhance the shopping experience for Target guests, both online and in stores.”
In his new role at Target, McNamara will have oversight of the company’s technology team and operations, including information security, and will help shape enterprise strategy as a member of Target’s executive team.
Target was the subject of a devastating hack at the end of 2013, which saw the debit and credit card details of 40 million customers compromised and the personal details of more than 70 million customers leaked. The card data was transferred via FTP to locations in Russia via compromised servers belonging to companies in Miami, Florida, and Brazil.
The card details were stolen after the attackers, using compromised network access credentials stolen from one of the company’s suppliers, were able to plant malware onto Target’s security and payments system, which could cream-off the credit card details from every transaction at the company’s 1,797 US stores.
While the attack was spotted almost straightaway by FireEye, the company’s security monitoring company, and by its own staff in Bangalore, staff at the company’s headquarters completely failed to heed the warnings. Target head office staff only responded when the US Department of Justice notified the retailer of the breach in mid-December 2013.
If Target’s own head office staff had act upon the initial warnings, the attack would have been stopped before it had even started.
According to security journalist Brian Krebs, up to three million of the stolen card details were sold on the blackmarket to fraudsters at around $27 each. The thieves were able to generate more than $50m in income from the stolen card details, according to Krebs.
The stolen network credentials were acquired from a sub-contractor, Fazio Mechanical Services, a provider of refrigeration, heating and ventilation systems. The company required a data connection with Target to perform electronic billing, contract submission and project management on behalf of Target.
In the aftermath of the attack, first the CIO and then the CEO left the company when it was revealed that lackadaisical management of IT security – an attitude that seemed to stem from the very top of the company – was partly responsible for facilitating the attack.
CIO Beth Jacob, in particular, had been under fire for lacking IT experience, having joined Target’s department store division as an assistant buyer in 1984, and boasting a degree in retail merchandising and an MBA, rather than offering a technical background.