Target disclosed in December that a cyber attack had resulted in the theft of at least 40 million payment card numbers and 70 million other pieces of customer data weeks before Christmas.
ISS blamed Target's audit and corporate responsibility committees, which oversee risks such as fraud, for being "inadequately prepared" for risks of doing business in electronic commerce.
"It appears that failure of the committees to ensure appropriate management of these risks set the stage for the data breach, which has resulted in significant losses to the company and its shareholders," ISS said in its report.
Ahead of Target's shareholder meeting next month, ISS asked for a vote against directors including interim non-executive chair of the board Roxanne Austin, and others, namely Mary Minnick, Anne Mulcahy, Derica Rice, Calvin Darden, Henrique De Castro and James Johnson.
The proxy firm also said a policy to separate chairman and CEO roles could improve the independent oversight of management.
Target's board had not made a decision on whether to continue with an independent chair and will re-assess its leadership structure once a new CEO is announced, the company told Reuters in an email statement.
"...following the criminal attack that resulted in the data breach, the board is re-examining the entire risk oversight structure, including senior management roles and reporting structures, as well as board oversight," Target said.
Earlier this month, Target removed Chief Executive Gregg Steinhafel, who had been in the top job since 2008, and named John Mulligan as interim chief executive.
Target's shares have fallen 12.8 percent since the announcement of the breach to Wednesday's close of $55.34 on the New York Stock Exchange.
(Reporting by Jim Finkle in Boston and Shailaja Sharma in Bangalore; Editing by Ken Wills)