A prominent proxy advisory firm has recommended that Target shareholders vote out seven of its 10 board members after a massive pre-Christmas data breach.
Institutional Shareholder Services on Wednesday targeted those members who serve on the company's audit and corporate responsibility committee. Included on that list are Anne Mulcahy, former chair and CEO at Xerox, and James A. Johnson, who was once the CEO at Fannie Mae.
ISS also recommended that shareholders should vote to separate the roles of chairman and chief executive.
The data theft, which led to the breach of millions of debit and credit card accounts, has cut into profits and sales at the nation's third largest retailer. Target, based in Minneapolis, cut its annual profit outlook last week after a 16 percent decline in first-quarter earnings. That followed a 46 percent drop in fourth-quarter profits.
The board fired CEO Gregg Steinhafel in early May. The company's chief financial officer John Mulligan is acting CEO, but Target is still searching for a new leader. The company's chief information officer Beth Jacobs abruptly resigned in March. Last month, it named outsider Bob DeRodes, who has 40 years of experience in information technology, as its new chief information officer.
In the wake of the breach, the company is overhauling its security and technology departments. The company has also been accelerating a $100 million plan to roll out chip-based credit card technology, which is considered more secure, in all of its nearly 1,800 stores.
"While the committees have taken certain actions since, these appear largely reactionary in nature, suggesting that the committees failed to appropriately implement a risk assessment structure that could have better prepared the company for a data breach, and possibly prevented its occurrence in the first place," the ISS report said.
Target said that it views risk oversight as the responsibility of the full board.
"As one would expect, following the criminal attack that resulted in the data breach, the Board is re-examining the entire risk oversight structure, including senior management roles and reporting structures, as well as Board oversight," the company said Wednesday.
On Dec. 19, 2013, Target disclosed a breach of 40 million credit and debit card accounts over a nearly three-week period before Christmas. Then on Jan. 10, the company said hackers also stole personal information -- including names, phone numbers, and email and mailing addresses -- from as many as 70 million customers.
The breach has spawned dozens of legal actions that could prove costly.
The ISS recommendation comes less than two weeks before Target's annual shareholder meeting.
Shares slipped 39 cents to $55.38 in midday trading Wednesday.