This month's bonus topic is security incidents, and whether TJX took the appropriate steps after its data infrastructure was breached last week.
Security experts have mixed views on how the retail giant TJX Companies handled the aftermath of a massive data breach that may have exposed the highly sensitive credit card data of millions of its customers. Opinions range from holding that TJX should have determined the size and scope of the compromise more quickly and notified customers sooner, to holding that it acted properly by following the advice of law enforcement not to disclose the breach to the public immediately. The Massachusetts-based retailer said that an intruder exploited a flaw in a segment of its network that handles credit card, debit card, check and other transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States. The breach could also involve customers of its T.K. Maxx stores in the U.K. and Ireland and extend to its Bob's Stores in the U.S. The breach was discovered back in December, but the retailer said that law enforcement asked it to delay an announcement during the initial investigative phase.
What concerns me is how the breach was handled. TJX should have been able to determine the scope and size of the data breach promptly. If the scope and amount of compromised data are not known, it means that an adequate access control system is not in place: you cannot say what was taken if you do not know who and what could reach the data. Another area where they could have done better is the notification of affected customers. In a data breach, I believe that the victims should be contacted directly, rather than learning of the incident through a company press release or the local news media. While data breaches have become more public, the rate of data breaches is not changing. What is changing is that data breach laws are becoming more widespread and comprehensive.
More than 30 states have passed laws similar to California's SB-1386, which requires that companies inform victims of a data breach. A recent study, which I will discuss in greater detail in next month's newsletter, found that data breaches cost companies an average of $182 per compromised record, a 31% increase over 2005. The total average cost of each loss ranged from less than $1 million to more than $22 million, according to the 2006 findings. Still, some companies are complacent about the whole thing and neither worry about nor understand the economic impact that they and others will have to deal with.
If there is one thing I have learned over the years, it's that companies only increase their information security spending after they've been hacked. The rule of thumb is still to be reactive rather than proactive. A company that hasn't suffered a breach might have a budget of $500,000; one that has suffered a breach could have a budget in excess of $5 million. Sadly, I expect this trend to continue.
To respond to this or previous newsletters or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at mdesrosiers@m3ipinc.com.
Regards,
Michael Desrosiers
Founder & Principal Consultant
m3ip, Inc.
We Manage Risk, So You Can Manage Your Business
(O)508-995-4933
(C)774-644-0599
mdesrosiers@m3ipinc.com
http://www.m3ipinc.com
Tue Jan 23 18:47:34 2007: BigDumbDinosaur
The real issue isn't that the network was compromised or by whom, but the fact that such sensitive information is being stored at all. There is no good reason for these companies to be storing credit card data, except possibly for the "convenience" of some lazy individuals who can't enter their credit card data with each order. If the information hadn't been there in the first place the security breach would have been a non-issue for customers, eh?
I do not do business with anyone who permanently stores my credit card data on their system. Many of these companies are running on Microsoft crud, which simply cannot be trusted. Therefore, it should be assumed that a break-in will eventually occur.
My attitude is: 1) If my credit card data isn't there no one can steal it; 2) No company has the right to store credit card data, only to process it to verify card validity and account status; 3) Company employees with access to the server storing credit card info are potentially motivated by dishonesty and/or greed to aggregate and sell such information (q.v., E-mail spam, which often involves purloined addresses from on-line retailers).
If I determine a company has stored credit card data without my permission I send a certified mail (snail-mail) letter to them demanding that they immediately remove the data under threat of legal action. I've only had to do that twice to date -- with positive results.
Tue Jan 23 18:59:42 2007: TonyLawrence
Well, yeah, but on any given day, TJX takes in a boatload of card numbers - so yes, this would still be a big problem even if they were only storing them for as little time as possible.
Wed Jan 24 14:45:05 2007: BigDumbDinosaur
I didn't mean to downplay the importance of system integrity and security. As you say, a merchant like TJX may handle a huge number of sales transactions per day, which fact obviously poses a large security risk.
My point was that long-term storage of credit card info significantly increases the opportunity for theft without providing any real benefit to the customer. If the only use of a credit card number is of a transitory processing nature there's no need to store the data over the long term. The card number and expiration date are required only to get approval for the transaction from the card issuer and to generate the final sales transaction that records the dollar amount. Once the day's activity has been settled with the card clearing entity (usually the merchant's bank) card data is no longer needed, and, in fact, now becomes a storage liability.
My opinion is that, by law, merchants should not be permitted to retain card data once the sales transaction has been completed. I don't care if some shoppers are inconvenienced by having to enter a card number and expiration date each time they put it on plastic. I'll bet all those customers whose information was compromised will feel equally inconvenienced if their accounts suddenly sprout all sorts of unauthorized charges.
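The card-data lifecycle the comment above describes (number and expiration held only for authorization and end-of-day settlement, then discarded) can be made concrete in code. The following is an added example and is neither the commenter's nor the newsletter's code: the issuer and acquirer calls (`fake_issuer_authorize`, `fake_acquirer_settle`) are hypothetical stand-ins, the ledger is an in-memory model, and the sample sales use the well-known Visa and Mastercard test numbers. The `retained_pans` audit helper is the check a practitioner would run against any dump of a merchant datastore to confirm that nothing Luhn-valid and 13 to 19 digits long survives settlement.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

# Anything 13-19 digits long that also passes Luhn is treated as a live PAN.
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def luhn_ok(number: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812) for a digit string."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fake_issuer_authorize(pan: str, exp: str, amount_cents: int) -> str:
    """Hypothetical stand-in for the card issuer: returns a deterministic
    6-character authorization code. A real merchant reaches the issuer
    through its acquirer/processor, not directly."""
    digest = hashlib.sha256(f"{pan}|{exp}|{amount_cents}".encode()).hexdigest()
    return digest[:6].upper()


def fake_acquirer_settle(batch: List[tuple]) -> int:
    """Hypothetical stand-in for end-of-day settlement with the merchant's bank."""
    return len(batch)


@dataclass
class SaleRecord:
    """What the merchant keeps permanently: enough for receipts, refunds and
    reconciliation, nothing that could be used to make a new charge."""
    txn_id: str
    amount_cents: int
    last4: str
    auth_code: str
    settled: bool = False


class MerchantLedger:
    def __init__(self) -> None:
        self.records: Dict[str, SaleRecord] = {}
        # Full card data lives only here, and only until settlement.
        self._pending: Dict[str, Dict[str, str]] = {}
        self._seq = 0

    def authorize(self, pan: str, exp: str, amount_cents: int) -> str:
        """Obtain an authorization and queue the sale for settlement."""
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        self._seq += 1
        txn_id = f"TXN{self._seq:06d}"
        auth_code = fake_issuer_authorize(pan, exp, amount_cents)
        self.records[txn_id] = SaleRecord(txn_id, amount_cents, pan[-4:], auth_code)
        self._pending[txn_id] = {"pan": pan, "exp": exp}
        return txn_id

    def settle(self) -> int:
        """Send the day's batch to the acquirer, then purge the card data."""
        batch = [(tid, d["pan"], d["exp"], self.records[tid].amount_cents)
                 for tid, d in self._pending.items()]
        settled = fake_acquirer_settle(batch)
        for tid in self._pending:
            self.records[tid].settled = True
        self._pending.clear()   # from here on the PAN is a liability, not an asset
        return settled

    def retained_pans(self) -> List[str]:
        """Audit helper: scan everything the ledger holds for live PANs."""
        blobs = [repr(r) for r in self.records.values()]
        blobs += [repr(p) for p in self._pending.values()]
        found: List[str] = []
        for text in blobs:
            found += [m for m in PAN_PATTERN.findall(text) if luhn_ok(m)]
        return found


if __name__ == "__main__":
    ledger = MerchantLedger()
    # Constructed sample sales using public test card numbers.
    ledger.authorize("4111111111111111", "12/29", 4999)
    ledger.authorize("5555555555554444", "06/28", 1250)
    print("PANs held before settlement:", ledger.retained_pans())
    ledger.settle()
    print("PANs held after settlement:", ledger.retained_pans())
    print(ledger.records["TXN000001"])
```

Before `settle()` the audit finds both card numbers, because they are legitimately needed for the batch; afterwards it finds none, while the permanent records still carry the amount, the last four digits and the authorization code needed for a refund or a dispute. The same scan, run over a real database export or log directory, is the quickest way to learn whether a system is "storing as little time as possible" or is quietly accumulating exactly the data a breach would expose.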
Thu Jan 25 03:54:22 2007: drag
Attrition.org has some interesting stuff dedicated to getting information out about data loss. They are trying to maintain details in their DLDOS (Data Loss Archive and Database)
http://attrition.org/dataloss/
Also they have links to a mailing list that discuss just this sort of thing. Pretty interesting stuff. It's amazing how much this stuff is going on nowadays.