April 2, 2007

Encryption Didn’t Stop TJX Breach

By George Anderson

There are many lessons to be learned from the TJX breach, but perhaps the most important is that encryption is no guarantee that files are safe from hackers.

TJX, the parent company of Marshalls and T.J. Maxx, had encryption codes in place to ward off attacks on its systems, but their failure has authorities looking seriously at the possibility that the thieves who made off with more than 45 million credit and debit card numbers were, at the very least, aided by someone inside TJX.

While the company has been understandably mum on the possibility that an employee, a contractor or someone in contact with such a person may have been involved in the break-in, the scenario appears more likely as information emerges.

“It’s hard to know from the filing if it was an external or internal weakness,” Steven Sprague, chief executive of Wave Systems Corp., told The Boston Globe.

Gwenn Bezard, research director for security consulting firm Aite Group, said the ability to get past the safeguards in place “supports the involvement of an insider.” According to Ms. Bezard, such scenarios become more likely as thieves find low-paid employees with access to encryption codes who can be corrupted by the prospect of a big payday.

Bill Bartow, vice president of Tizor Systems Inc., said the TJX case shows that “encryption alone isn’t enough to protect your data, and there’s a possibility that TJX didn’t do a good job of protecting its keys. If that’s the case, it’s that the encryption is only as good as your process for protecting the keys.”

There is also a possibility, according to the Globe report, that the thieves pulled off the heist without needing any encryption information at all. It has been suggested that they may have been able to steal card data during the card approval process, a stage at which the data is transmitted without the protection of encryption.

Discussion Questions: What security lessons should be learned from the TJX case? How likely is it that consumers will come to associate Marshalls and T.J. Maxx with the largest theft of consumer credit and debit card information in history? Considering the enormity of the crime, how do you think TJX will weather the storm?

Kenneth A. Grady

The comments reflect what is probably the biggest fallout: less trust in general for retailers. As the technology trends move towards more sophisticated card products (e.g., chips so you just flash your card to a reader), consumers becoming less trustful will affect adoption rates and costs. Sloppy data handling will also make consumers less willing to share info that will help retailers market more effectively. In the end, it can even push consumers to look for tighter privacy laws (as in Europe), further restricting retailers from improving their focused marketing.

Carol Spieckerman

I do think that this could affect TJX’s retail business in the short term, particularly with older customers; many of whom are still reluctant to purchase on the internet for security reasons. This incident confirms their worst fears. Very distracting times at TJX. Pursuing non-compete vengeance against ex-senior executive VP and president, Alex Smith (newly-minted CEO of Pier 1); fighting off Pier 1’s unexpected restraining order backlash…now this!

Susan Rider

The TJX security breach is just another wake-up call to all companies about security. Many companies focus on external security and do little to ensure internal security. This is a great example of the focus that needs to be placed on internal security. Disgruntled employees always find a way of getting back at the employer, and this is a good example of a “big ouch!” Security encryption keys should be guarded like gold.

The general public is unaware of such risk. Many believe “it can’t happen to me,” until it does happen.

Bill Akins

Speaking from a consumer perspective only on this issue…I can personally attest that my wife and I are finished with both retail chains. We used to shop at both outlets for clothing and baby gifts, but had three cards affected by the heist. After countless letters from our banks and having to spend many hours changing all my direct billing online due to account number changes…it is just not worth the risk. I would only shop there with cash from now on…how un-American when U.S. consumers normally shop well beyond their means as the clamoring for more “stuff” quietly whispers to us at the retail shelf/rack.

David Biernbaum

The lesson to be learned from the TJX filing is that retailers need to plan how they handle encryption and also their decryption software as well. Encryption alone doesn’t protect data. Keys also need to be protected. Information theft also occurs during other steps of information processing and gathering. If TJX identifies and resolves the breach and announces a solution effectively to the public then the long term impact will be minimal.

jack flanagan

I can’t usefully comment on the technical aspects of the TJX data breach. I’ll let the forensic types sort out who did what to whom, when, and how they did it.

That said, their communication with their customers has been, in a word, abysmal. Perhaps they’re being ‘over-lawyered’ on the supposed benefits of staying silent. However, by their (in)actions they’ve made it clear that it’s all about TJX and the customers affected (not to mention those that wonder if they’ll be affected) are essentially on their own.

The executive team at TJX needs to get proactive about helping the folks who have been their customers.

Bernice Hurst

Relapsing back into my usual paranoid guise, I will be sure to take my checkbook next time I go anywhere near a store where I plan to spend more than the cash on hand (which I keep low due to potential muggings). The problem, of course, is that more places are refusing to accept checks in the UK. Probably nowhere near as profitable for the banks. Whatever happened to the old adage, the customer is king?

Mark Lilien

There’s no doubt that the folks at TJX will make data security a high priority from now on. But there seems to be no major wake-up at hundreds of other retailers and banks. If the banking and retailing industries were overwhelmingly serious about protecting credit and debit card numbers, customer identities, bank account numbers, etc., it’s unlikely this crime category would be as widespread. Criminals look for the low-hanging fruit. If voters demanded a major fine for every breach ($1,000 per identity, for example), there’d be a big attitude change. Unless you’ve personally had your identity stolen, it just doesn’t seem to be a voter priority, either.
