Lessons learned from the TJ Maxx Data Breach

Written by Neal O'Farrell

I've been writing about the TJX (owners of retailers TJ Maxx and Marshalls) security breach in
my blog for the last couple of months, and I thought it might be useful to see what we have
learned from what is now described as the biggest data security breach ever.

In January 2007 TJ Maxx announced that millions of customers might have been affected by a
data breach that had gone undetected since 2005. To make matters worse, the breach may
have been the result of a simple security oversight - failing to secure the wireless network at a
discount store.

According to the Wall Street Journal - "The $17.4-billion retailer's wireless network had less
security than many people have on their home networks, and for 18 months the company -
which also owns T.J. Maxx, Home Goods and A.J. Wright - had no idea what was going on. The
hackers, who have not been found, downloaded at least 45.7 million credit- and debit-card
numbers from about a year's worth of records, the company says. A person familiar with the
firm's internal investigation says they may have grabbed as many as 200 million card numbers
all told from four years' records."

TJ Maxx later estimated in its SEC filings that the breach would cost the company around $5
million. But security experts place the potential long-term cost as high as $4-$8 billion.

But according to one security blog "The Ponemon Institute, a think tank focused on record
privacy and data protection, expects the TJX breach costs to be even higher. They cite costs in
the range of $182.00 per record, based on research from November 2006 of the cost of
breaches incurred in 31 separate incidents. For TJX, this translates to $8.6 billion."

In addition to fines, recovery costs, and brand damage, TJ Maxx is now being sued by more
than 300 banks and credit unions.

There's no doubt that the incident gives consumers an unprecedented look into how much or
how little companies like TJX do to protect us from identity thieves, but the drip-feeding of facts
by the company may leave us with more questions than answers.

For example, according to industry buzz TJX may have been ignoring even basic security
rules for years, as well as the more recent security standards introduced by the credit
card industry specifically to prevent such breaches.

While most organizations that take credit cards use some form of encryption to protect data
during and after the transaction, it appears that not only were the TJX thieves able to intercept
customer credit card data before it was even encrypted, but they already had a copy of the
encryption key anyway. According to one security analyst it's like locking the door and leaving
the key under the mat. And word is out that TJX was also not compliant with the Payment Card
Industry Data Security Standard (PCI DSS), a standard introduced specifically to ensure that
retailers protect their cardholder data around the clock.

As a quick overview, the world got its first inkling of the problems at TJX in January 2007 when
the retailer announced that hackers had managed to break into its computer systems and steal
the personal and credit card records of customers who had shopped at its TJ Maxx, Marshalls
and other stores in the United States, Canada, Puerto Rico, the United Kingdom and even

Experts and consumers were even more shocked to learn that hackers may have had
undetected access to the company's computers as far back as May 2005 and that some of the
records stolen went as far back as 2003. And after remaining silent on the subject for as long as
it could, TJX finally admitted the worst news - that more than 45 million customers might have
been affected by the breach, making it the biggest and possibly the costliest data breach in

And although TJX assured us that there was no evidence that any of the stolen information had
been used in a crime, a few weeks ago police in Florida announced that they had arrested six
suspects in an $8 million gift card fraud using information stolen from TJX.

Then the lawsuits followed. One of TJX's largest shareholders announced that it was suing the
company in an effort to force TJX to provide more information about the data breach and the
real extent of the losses. And Massachusetts Attorney General Martha Coakley announced that
she will head an investigation by dozens of states into the security breach.

Since the breach was announced security experts and reporters have analyzed in great detail
how TJX might have lost the data, how their security failed, and what they could have done
better before and after the data breach. And many observers came to the conclusion that the
whole TJX incident might have exposed a more troubling problem.

In a March 30 article in eWeek magazine called "The Nightmare Scenario: What If TJX Did
Everything Right?" a reporter posed an even more troubling question - "What if it turns out that
TJX had indeed been doing everything right the whole time?" he asked.  "In other words, what if
this proves to be much less of a case of TJX being careless and much more a case of the
intruders being clever, resourceful and persistent?"

In the same article Mark Rasch, a former federal prosecutor, added "It's really easy to say that
TJX screwed up. A more frightening thought is that they didn't."

What if indeed? If companies like TJX, with vast resources available to invest in security, can
not only fail to prevent thieves from accessing and stealing 45 million customer records but also
fail to detect the intrusion for nearly 18 months, what's left to protect consumers
like us?

It's another reminder that we can't rely on laws, promises, or security technology to completely
protect us. Instead we have to look after ourselves.

So what should we demand as consumers whose data is vulnerable to theft?

- A greater investment in security by firms of all sizes, and greater vigilance over their own
networks and computers so that no one can ever have such undetected access for so long.

- Immediate disclosure of the breach, regardless of what happened to the data or
whether it was used to commit identity theft.

- Free credit monitoring for at least 12 months for everyone affected by the breach, and
this free service must be actively promoted to all affected customers. While many data losers
do offer free credit monitoring, they rarely promote or publicize it.

- Compensation for every affected customer, even if they are not victims of identity theft
as a result.
