"The addition of these "new" positions raises serious concern about how Target could have been running a business of its size and complexity without these permanent roles," ISS said while also dismissing some of the steps the company has taken since the breach as "reactionary."
Target in December disclosed that unknown hackers had broken into its systems last fall and accessed credit, debit card and other data belonging to more than 100 million customers.
Since then, the company has quickly become a textbook example of the consequences a company can face in the wake of a major data breach.
Target's stock price has declined by more than 10% since the breach disclosure, reflecting a $4.2 billion loss in market value between December and May, ISS said. The company has already spent more than $80 million on breach-related expenses, such as breach investigation and remediation, credit-monitoring services for affected customers and legal and other fees.
If the experience of companies such as TJX and Heartland Payment Services is any indication, Target could end up spending tens or even hundreds of millions of dollars more in breach-related costs. Already, more than 80 lawsuits have been filed against the company over the data breach.
The breach has also prompted executive changes at the highest level. In March, Target CIO Beth Jacobs resigned from the company over the data exposure. Earlier this month, the company announced that president and CEO Gregg Steinhafel was stepping down.
Not all of the changes are solely breach-related. Many analysts believe that Steinhafel's departure, for instance, was likely prompted by Target's botched expansion attempt in Canada over the past two years. The same reason is likely to have contributed to the company's lower stock price, but there's little doubt that the breach has played a major role in the company's woes.