
[ISN] One year later: Five takeaways from the TJX breach


By Jaikumar Vijayan
January 17, 2008 

One year ago today, The TJX Companies Inc. disclosed what has turned out 
to be the largest information security breach involving credit and debit 
card data -- thus far, at least.

The data compromise at the Framingham, Mass.-based retailer began in 
mid-2005, with system intrusions at two Marshalls stores in Miami via 
poorly protected wireless LANs. The intruders who broke into TJX's 
payment systems remained undetected for 18 months, during which time 
they downloaded a total of 80GB of cardholder data.

TJX eventually said that 45.6 million card numbers belonging to 
customers in multiple countries were stolen from its systems. Even that 
number may be far too low: a group of banks that is suing the retailer 
claimed in an October court filing that information about 94 million 
cards was exposed during the serial intrusions.

The sheer size of the data theft puts TJX in a league of its own among 
companies hit by such incidents, and the breach has made it something of 
a poster child for sloppy data security practices among retailers. In 
addition, the breach highlighted several familiar issues and some 
not-so-familiar ones.

Here, on the one-year anniversary of the breach becoming known, are five 
takeaways for security managers:

Breach disclosures don't always affect revenue or stock prices ...

Despite the incident being the biggest, costliest and perhaps most 
written-about breach ever, customer and investor confidence in TJX has 
remained largely unshaken. TJX's stock was worth about $30 when the breach was 
disclosed, and its closing price today was just over $29. Meanwhile, the 
retailer said this month that in the 48-week period that ended Jan. 5, 
its consolidated comparable-store sales increased 4% from the 
year-earlier level.

Clearly, TJX's customers weren't as concerned about the breach as many 
observers had expected they would be. Much of that no doubt has to do 
with the fact that consumers realize they themselves won't have to pay 
for any fraud that might result from payment card compromises, said 
Avivah Litan, an analyst at Gartner Inc.

... but they can be costly

TJX has said that in the 12 months since the breach was disclosed, it 
has spent or set aside about $250 million in breach-related costs. That 
includes the costs associated with fixing the security flaws that led to 
the breach, as well as dealing with all of the claims, lawsuits and 
fines that followed the breach.

For instance, settlements reached by TJX include offers of free 
credit-monitoring services for three years to consumers whose driver's 
license numbers were exposed in the breach, plus cash reimbursements, 
vouchers and a promised three-day customer appreciation event this year, 
during which the company plans to offer 15% discounts on all goods.

"I think a lot of companies are seeing how costly these breaches can 
get," said Forrester Research Inc. analyst Khalid Kark. As a result, 
there's a lot more awareness in the executive suite about the need for 
security controls, Kark said. He previously estimated that the breach at 
TJX could end up costing the company $1 billion over the next few years.

PCI remains a work in progress

The breach brought to light the fact that many retailers, including 
top-tier ones like TJX, had not yet fully implemented the set of 
security controls mandated by the major credit card companies under the 
Payment Card Industry Data Security Standard, or PCI. The rules took 
effect in June 2005 and required merchants, especially ones such as TJX 
that process a high volume of card transactions annually, to implement 
12 broad security controls for protecting customer data.

But court documents filed by the banks that are suing TJX allege that 
the company wasn't compliant with nine of the mandated controls during 
the period when the intrusions were taking place. And TJX was by no 
means alone. In response to the slow adoption of the PCI controls, Visa 
Inc. threatened to start imposing hefty fines and higher transaction 
fees on merchants if they didn't become compliant by the end of last 

Visa won't disclose whether it has fined any merchants since then, but 
there is ample anecdotal evidence that it has.

The card payment process has issues

The TJX breach exposed a fundamental rift, with banks and credit card 
companies on one side and merchants on the other. In several states, 
credit unions and smaller banks have lobbied the legislatures to pass 
new laws requiring retailers to reimburse them for the costs involved in 
notifying customers of breaches and reissuing cards.

But the lobbying attempts failed everywhere except in Minnesota, which 
last May approved the Plastic Card Security Act -- a law that holds 
breached entities financially responsible if they were storing 
prohibited card data on their systems.

In fighting the state bills, retailers have argued that the commissions 
they pay to card companies on each transaction are supposed to cover 
fraud-related costs, making any additional payments a double penalty. 
They also said that the only reason they store payment card data is 
because they're required to by the credit card companies. In October, 
the National Retail Federation asked Visa and the other card companies 
to drop that requirement.

The NRF's request is echoed by Litan, who long has argued for 
fundamental changes in the card industry's payment process, via the 
introduction of measures such as one-time passwords and all PIN-based 

The bad guys remain hard to catch

For all the attention paid to the breach by TJX, its hired forensics 
experts and law enforcement authorities, the perpetrators thus far 
haven't been tracked down. Some individuals who allegedly used card 
numbers stolen in the breach have been arrested. But the hackers 
themselves have remained frustratingly out of reach, as is the case in 
most breaches.

"The crooks are still at it," Litan said. "They probably will strike 
again. They're laughing all the way to the bank."
