Enterprise Applications - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Enterprise Applications


TJX Data Breach Raises Questions



 By: Evan Schuman
2007-01-19
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Enterprise Applications story.


Rate This Article:
Poor Best
Opinion: An occasional well-publicized data breach at a large chain is a terrible thing for that company and its customers, but it just might be a good thing for the industry.

When TJX Companies—the $16 billion global retail chain that owns T.J. Maxx and Marshalls, among many other brands—disclosed on Jan. 17 that it had "suffered an unauthorized intrusion" into its computer systems in December, it seemed to be forthcoming.

After all, the chain issued what appeared to be a detailed statement about the incident. Detailed or not, it was certainly longer than the typical "weve been penetrated" statement.

The statement said the company had retained the services of General Dynamics and IBM both to help investigate and to upgrade security systems to ostensibly prevent another, similar intrusion.

But a closer reading of the statement raises quite a few questions, none of which the company has tried to answer.

To be fair, criminal security breaches are among the most sensitive and tricky things to discuss publicly. How specific does one dare get before revealing too much? The culprit is still out there and concealing how much is known about the crime can often help catch the bad guy.

That said, the "we dont want to help the bad guy" rationale is quite convenient when there might be questions about whether the retailer was sufficiently careful about protecting data and systems.

Resource Library:
Lets start with the timing. If the chain was so concerned about quickly alerting potentially at-risk customers, why did it wait until Jan. 17 to reveal an intrusion that it said happened a full month early ("mid-December 2006" is how the statement described it)?

How safe were its systems? The carefully worded statement said, "With the help of leading computer security experts, TJX has significantly strengthened the security of its computer systems. While no computer security can completely guarantee the safety of data, these experts have confirmed that the containment plan adopted by TJX is appropriate to prevent future intrusions and to protect the safety of credit card, debit card and other customer transactions in its stores."

That sounds great, but why didnt this $16 billion retailer with more than 2,300 stores—which The Wall Street Journal said might have exposed more than 40 million cards in this incident—already have a security package that was "appropriate to prevent future intrusions and to protect the safety of credit card, debit card and other customer transactions in its stores"? Were its systems last month adequate and now theyre overkill? Or are they now adequate and they were insufficient last month?

IT pros say they cant prevent data breaches. Click here to read more.

There are also the PCI implications, courtesy of Visa, Mastercard and other card players. What exactly was captured? The chain said the "intrusion involves the portion of TJXs computer network that handles credit card, debit card, check, and merchandise return transactions," and that "store information related to customer transactions" including drivers license information was also impacted.

Does that include card application data, with everything from household income to prior addresses and name of employer? Getting back to PCI, does it include CVC numbers, which are technically not allowed to be stored? How much of the data was encrypted?

Another question might be a wording issue. "TJX has specifically identified some customer information that has been stolen from its systems," said the statement. The colloquial interpretation of the term could mean the typical intrusion effort, where the byte-bandit bypasses security and then copies files and leaves. Technically, some security experts say, the phrase "stolen from its systems" should refer to a malicious and destructive act, such as when an intruder copies files and then deletes them or materially changes them.

Were the files actually stolen, meaning they no longer exist within the TJX system? Even if that had been the case—which seems unlikely—hopefully backups would be sufficiently removed to not be impacted.

The geographies mentioned in the statement also are interesting. Quoting again from their statement: This incident impacted "customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada, and may involve customers of its T.K. Maxx stores in the U.K. and Ireland. The intrusion could also extend to TJXs Bobs Stores in the U.S." The data from all of those geographies were stored in one place? That would be unusual, said Mark Rasch, a former federal prosecutor specializing in technology crimes. Rasch wondered whether the breach impacted a third-party card processor that all of the TJX units shared?

Is the only way to protect yourself to adopt a cash-only mentality? Click here to read more.

As CardSystems learned when it was victimized by an intrusion, protecting future customers is important, but what will ultimately save—or destroy—a companys credibility and trustworthiness is how it handled systems right before the attack.

If IT execs cant get the funding for proper security, they need to point to retailers who get hurt and then suddenly have the public spotlight shone on how well they protected their customer data. I absolutely hope the facts ultimately show that TJX was an ideal corporate citizen and that it had done everything reasonable to do to protect itself.

For the industry, however, its sometimes not a bad thing for a company to get beaten up for less-than-ideal procedures. If nothing else, it gives a reason for margin-fearing execs to cough up the cash, just in case.

Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesnt plan to stop any time soon. He can be reached at Evan_Schuman@ziffdavis.com.

To read earlier retail technology opinion columns from Evan Schuman, please click here.

Check out eWEEK.coms for the latest news, views and analysis on technologys impact on retail.



  Reader Comments: TJX Data Breach Raises Questions
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Enterprise Applications Articles          >>> More By Evan Schuman
 


xr۸(;whkLQԷH)ٖcؖē"!c")yg}AIvɜbݍFxEgoD.mU71IIvjj.}0裗%{굯!I#ȐmdQUHợzjd4j4+lu{Xʫײx 'DPL1B1Y٘c6(dp,{5hrZ'|Սs62"&Iy%vO|'٦Iߤ ȶ|3>QdھoOǩ }a>&|4ފOш(QCseYԡ0VJSikSV!+629zPV^ 72Fș}5SZ$ҩdc;3[$-XldUEO'Cc`WMۅT* Tja5#uj5Tx%y5Fc[R zacB3IUO?(SM'q_)z^}%jm"l˱,zNg0i,˚y_/(Q׋R(_:[oDܣagvr=}s5w~]+J];7C(T{p nΫjX8v{>~h_^;r  tn%&W jDTV*b>A6j@B+ZS7B-Gb!_y$Z]S Ә(N,?Bb9Og򋩥}ovzmo^vH>߉ekby 1(jPAb(ʠW+メQo;?{\uz{K:G{:R],Olio ijzPePK9LóZ|$)7H ?uOodC'Sdx*g3EwU3PZ,3$gbvrV~BX +}=êy> mdʱ(|͚rN ',4}G_0JD33SfI23Q] MHUņ]`)ex_ȗ8ř/-_PeP_΢[0jJt*軜ɛ!"ĈK9Cx,ʹc#'$[o".S3U誥sv ZnVՉ*YX]uUfjZBwY?i)Koߵq꿿mMŧvzۆ)gF0 ,H!e޴$8W9UBrEʐT`H8ʕ/7љn!SK2A :3ϩfO(mNRgul>"ʠ *광bG\j4@!> &-O4譫L)H_B|)Fp*z TnٮA%UǖA ϛLu%08{Ƀ5z9PͻCizy1&Cդw;TfgPg,e]< vLߓ1#,> T<ĥL>9Ԃ.v9.Wb;A/hb^9DEMi@ P!$4O`r6́lb(?JHX)Zp`(ݞH@)%s\J裲XB ^X//1͙RdRIӴU !4݅i5~Ī笱s SJ`ݓn̜07ÚL ~D蹁m>(L5i+://'ܑMúG! e hB=Us AryͪX 4)|ƓBw3&3O@1sz@fepIU&FnU_IVTV3(Q2}u}ãL)E݋+)q SX-hOmC?ز.Jd-Y֕ވյ 0z1(a]k%\<$74Bʶd/^[``֩EYQ^RMPD@BR)I aY*^(txNLqעQ\8Wc( \T Kӈ0q B55-L!1ȁ2?ȨOlĖCfx3bAеMW}4Dd|f[',TN )!lgb{(:A۰ XXfTLaqAk'6aa;w:pms>u Z\/V°+]1&A0o "}hqᐉNTS 0AaguΤk!2bkP +|QQ"cuMD@ g23OT#4t̠ZlNV9 QZV-L kl\nrpn R*v^n^gh(^~w*j*:WDX00nA@и(٩7M4.&XX²DJQm G]ܸv?fCŜU^bx $jXU#tQ(JZ/)j83(3f^ně( Jϡtr`F@g}u>90L7wTz]!a=EGڏ?!L53#z@zz.0g0Lj7:p~c8@"OsѬ?b(Tk ȟՊ {1gj֒.8F2QA) CqMQYp4Yn r;ؾP{XDƿl 7B+E?e$ߌcc *Rg-jd7WR_晓66Wd=s5|XM-6+05|9_A R-cxyێy:sU6u'Si,uGQXȿxT*3D@jN10t]k4c\LGe,7;PV~j7;aS-U|SW ߁N1_S*u)^@,JRCzy]U X#uHһ>rs5b dri#Z URXUw/ v\wϊrh2jk.- e?71טs"9t{ ixrT),?1Ȉg <<rqvNyŦ,QO+Mu,7Auq0ݎ_3sqmi&Uqm7L"?R 0?1TJvH0jRX+JJExv(P|ɘKV=nM\&>M| \ qѿ$Ͽn >h3JRP^L=PȕG\P|RԞ!\KrSW6_TQz< 2w>y?6oa mU/+7t*{79^&^S@C#I xݯ( ӄC7w"[Xa+w11U^ݼfOZ>{P BP` &M/Ot@h6A?^<Kfۤq.>+y{u9_bm՞wys0cjynty01EﵲRYԹ>kzLuwooϤUm Fya8dDeA $HX$Ũꐙm6iuJ m}.dhPwεxI{ٽsݖ⭎7΃!uvxuy{}|U8B#Deu{hq\3nmG 'EL9Z=IswMT_C5!-{{־Ă Ü q*D|x[ 7πahZ}m7Zgފ#S^aYXHE`:!wUktZ. B>_,{B*q\>2setVSP+bK "$DY |Fڧ' <9ψ苢ٿx{})2$#>_/8ʚ=?yVO:| CBR'R8/;=13$I AKQxeps A\$~h )%P \ G"[O[tϝx12Abn IZ;Ű<5Ք2x 9RJȔ&8z>RB&T k'qZV⼞6X(-0 P+wf|ʊ5R!M=YMz{܀ذƇ{:wg^3K:Wow ̗-I+#/AiA0;`",G\S|,Eu{v1Cκ'~?/@ 6̯{ɏ$Q :Duc*]+GA,T 9gJwuكf#ؒ:t?i%+e{m¶"CSq ;:`*Q8XH!HrRU7=o9Ȝ9%'3{x`,hg^d1ҷ+PdƛztA RG3Kc̮滪vO}{Ӈ4.3{P,^=Xz,C]f+wRȤ.o,K-T#"ǵP#vދR*Q{uZГC mDfi0so[DL; ʷcU0~_O} rmC'󎾟Qyc,d AX9-w!V9$8>lNqd3h l|nwkLbll3"yCDQI=þ42٤p2[v3Z;62L+|^BZyfa c|1ߊ:"YcχgɎeMz s2y ^1­+)M[KcBU9OTz˭M _ x+Vxfъ%Ŗl~'wKl ѩa*41.MVY$r < ӶB)$g29۱<¡eyeUyco<)͝'ӗ93C] ),7BHك%4ɂ?k ;2F@b%tԾ5=g5rUtB"O%0b ~F[45fN,>Q ɺly`s5Z[+UryB[O-_V>2btsߛ(+u-u?uE+A dtc s z`]ÖPKoRs &[̝Fr 1:#. D  ώ泋JEߖ2K_20fxBե[ Hy# 0H,oGE|ܲNP'H{|xҥ ߓ,֙Y`26PA!@ys˾Ifˮ6ϻ+IҶ$S$}s&zMG 5\Vҩ4 rRBhk$A"g%@ɳ|nɝƔWjU-T$L$R DYGm(`PDG `+Ja!&톇Evvc l3a}e5WqB"p~7~7~7~7~}#lP-+/7Fsbdp[η% VѼЈI-w1̈Tga"|s H" !HDA$k~:!5>vN~bz6/(%}63/HMa/Kijt ;=2$( P@-[u-)% 05gϓI!ߥ cҽ,[i+((u]F+.=7}( Q?mf (XMnnoK2l&ȷxn],u2$ h5g|&vЊBM˳K<霉*,ܺͭnI/<՟;LӨf8ЭQmfzO x$'.}sP 9泋nIYlp^>n-K FÚ\,u{2IQt(A}}ND螻̄vB?PPPP rm z*43 bpjPޱD|IJ=樳~_yioR/u)_ۺ?L5, {$uY((&¹vp/Hƭ{ݦ-3~m;:b1 ԕ\]qtBغJر~"Q9v r\ZY6w:n67ƵĻ@=clxPRQH'*z%I-ٕj#`QQGX\p`D#طAH B_13ӡmgR2S /g^E!f=;M9-%/ɜo4򓲒!g1](.8hα[:vlnk>ӻvS{b QԒN;r^:Y? A H tTv 9HoowBBS_k TG =4},㦀2x7GbTO2Б!:! C+lyhýE)MmwlG5Ϳ䎣o Kfx2zrON3au ]m! Vi8PgUFASkͤdmB栎Ʒ/`evau kjD]q`Y҅سK] uʢG\ 4y-6W!sGYj,&~RPKE*`L䝂bqX32G&ɯ u*X*U#%XWY5LÇ:fm+A 2yHjsx]ҮV“ hG\ݶ($3(C̳2e=' VfLLC&p]^\r|xw F@ { 9~ Z騒ׂ3ʑu+ZF}`t5BkX =8$u,vI>oL"E(w90`D^dbIe7‹y8?X;Uͥq:ͼ͢E f tMcc95(P)9z%o RkKN dc/ C|ljSGuFW†SJ9`ɥUj+Z HX(-?[v7|Y}Xb}QULXL/ƷmXصOL;WTTc]8_q=o7ݝB gnufCSWCKO 0Ė@a,iwg,.mm @&DӰ0-|2I;NRUucC"̶pb?B1_V*Z S}}3]-+BZP]r^b%^ue/@Cu &ׅg:grP**c9&Ra *zdH6&`GN((# Qr{ʷy=ob[-B|#yt}&GA+W ݹDH}+nA{,t:W&rFHEڭ6-ݽ2H@j=M}1~fK:DEoOu=)?d_`}oˊR8瓽]fACLN`srZe2l~B PPqcO[1a.sY(x+jOĽ`EGvʹMh%mFhdhtk*q )O-xL#F[ RV$wߠn~z*ܟ'U^ݼǭbPg걭h݀2ǰ[:LXQ4pL7Z}?эQݹN!?ч! g@L-;nHqAX#hbGC෽nrnŘ[V aNr:z>v 1?I1OtCax c136#l-b;bB{3\5qC۹alU^(l+wxcF.\|>G%vAo a/htM\"@JP|נ6hP؞b?pm{bSJDn$|soe>,aԟؠ9,d<([]ĝ?]S7'+Ӡ!L<1ZYrC,F5?YG71T]N1'?v!b&us\bHMjcB4_ DGŵq>jka]L ͓?0H.ƌ R͗/J]A 2,c-V0Gx6>z;'*u^+a9e Aί[Wm(T}25\HE2^ûL‹7"8|*0j͟~S"vmY 8[qm+c+ʵt7gg:,3vNq=_{Ԥ/p@a2D*GM* F8)n}>u; Tj^*V^m]9^w)Ao)鷐~>JIBz7%)> ppNI?瀟Mi~}E'ӼOeth_'}h\C;)4R?B2>vͫ_ _^ s+UJ>R *>GS?_@EJ _)W~{2?)s w2~]h7]?M/7@7)qoRܦOKK诟B_!ާHҿ)t߻RK\'I)Ru S.ryB/ ȋU৴tXB]Az=U s[MR}ח: e|*,XW&>31hpVYdcRh byHeÿ~V= >7ǸJx˕ո]@&ٻo,hcENZ%&~Qg΂'fo{쫤cWMET ^Ud>܃f c~֥cFtK-6(d;H_<h}MF߃|n'ʛ݌ߪ-_`26UB` U/8 C8bGÀ[E/Wp E!Хco3`a Jj_3Bas8a+h;RX~'P`K֞6:̆,%tr\`3o`xތz~&\ŠNC Jؒ&VED-͟)']'cTFL,D> 3 HGsP#cF4?3l1@ө|\N<%3!U{/TxP e{g(, rû/Yj*hԮ'gfh\1aŐckÂ"V\=7!(! $9w0++cB]tR-LC'ZnܸexCޏ:cbRz{Ž l U_*YBÌĴSOzF"eu%Oar1l$f~!*dm]Hn5Qw<ވ'ĭɄt8=[t,b7lnԙ%_|\n/~} _:;jwқ{&9"|Ŷb.iO}I~ؚ{ 2bx343 Gq+.Ġ/>'gTWB&,*3U\6f8YZtb?mƄ ~Äӷ %,HNSPsHOMLl 5vls&̿ۃc0D00㏱+/v E1^{ #E3$ Z$E '_! Obx`#YߞR Dϙ"Ntx:mKe'n-Yݨnm L sӃK˅3RZⷳINzH,܈ cAaɋm/d)0XPv<3s wT5 M9D/ڦvs__vlܕOVKm;)֭l2-1 u<w؆;qVgK(P+)i;%^GPVWݞO /Xo}8-hzlmπ XuC(߅;PhFq:hI 7%:3[ `zmzx@&yژH\*,8f 4vsf῝;P? `a2\D$x kok5gx3<v7 sfC&+4qN`Wpۂ{򐷘iWRpCV)tnOK5䋰ANxӃNs,^rEXջ!琸8Nm]Pjãō $Wc<=ҭ(=?h_~,&?cu]nJQںa#W"îUTMveщމn^ aWO{dC30* d[| c)d̄eaZͼ<*;҂o/pQ\F$/1/y䕔tlH}m5{PX1#R9 &t;>u0 # ߰· j49)>-SۙSg Qo>";]R*N-Z75SpF y>A Wq^! @;ĵy& ƅW54]>9T< W[OPQ96:| ,ݐbZ"N֊2q)9=ON*LH6^?}ftD@ͭōm]Qe"!\/4/xr{ϼs ϩwU_|Jެe;r 3z395YKS3ё/GmtWlԣw@{e~ A<!?c}2/uQjA7z۫~ǐ { IJP.I k=6K@>"p e,5TuT]}deȏ bC4;QwgP h@5U0!wEWČ'X?{n7CIb#wJ}Oڟ$z}{[ 1DIF's8K.›7\wC)+ˉOT[L`WӱW/>5Lh5? UK^Ul#*|,R'鼽޶I{yI)/V.Jvj1,xlx&.cj12j/)h#Ѣ0& /Q`yWL1ĬK*zA4tքj1xa:`S!ɂF4CuEdaNW}>_f #3WυK.{:C F5 T=h>JnB>6ZW Yk6R7Kx BdڶNso `=ѾA [CP3YPx;79&_Pz>貰@@,ZXمnӖoհu( xOk;K\"P3-ְKKձ~$`W{8+Yj@:Ƣu^@͞[nd,ʸ\xɼ1~<%LNTn Ub: 8$/.ǖCtBȠ"m,~@&ES;Yx/Cou ݢ`͓Mim^`fL)Avc❹8" N%.*^ #^@,u#xZsJU\$=d`Im{N8XcѲ_y֑_Eiuɹ&7SA>.] vF._"yRo ~6E ش<_/Z(#بUg?hd]G[3qNbG oQX)Xq!c4 w`fCđ]x58|l/ڀ4Z$x^a2>_wysXC`Jh^AHzT}*%X"V ΣvExEi{{wOZv_IAFitNqVޞ ص',Ms6/@1Zfo={C0  DY o P)T X4w[1&c>Zr/Պ`m^[vmؾ^f:%}(|Prqq൙mJߥT%F}F7DOe`V&چe/ao?<