Target disclosed in December that a cyber attack had resulted in the theft of at least 40 million payment card numbers and 70 million other pieces of customer data weeks before Christmas. ISS blamed Target’s audit and corporate responsibility committees, which oversee risks such as fraud, for being “inadequately prepared” for risks of doing business in electronic commerce.