Opinion: CIOs should learn a lesson from the TJX hack: Don't assume data is safe from intrusion even if it's encrypted.
The hack attack on the TJX computer systems was sophisticated, spectacularly successful and thwarted the security and encryption systems that were in place at the time of the crime. Thats my opinion on the attack following the reading of an SEC filing that, for the first time, provided some detail of how at least some of the information regarding nearly 46 million credit card users was put at risk over an 18-month period.
The full filing can be found at here
. The customer information breach has been well-covered
by eWEEKs Evan Schuman, but details of the breach have been lacking as government investigators and private firms hired by the company to review its security procedures have tried to unravel just what happened. The section of the filing under the title of Computer Intrusion provides additional detail about how, during a lengthy period from an apparent initial intrusion in July 2005 until December 2006, a computer intruder had extensively penetrated the companys systems.
TJX says the intruder had access to the companys encryption key. Click here to read more.
In the filing the company states, "On December 18, 2006, we learned of suspicious software on our computer systems. We immediately initiated an investigation, and the next day, General Dynamics Corporation and International Business Machines Corporation, leading computer security and incident response firms, were engaged to assist in the investigation. They determined on December 21, 2006, that there was strong reason to believe that our computer systems had been intruded upon and that an Intruder remained on our computer systems."
Why do I think the hacker was a pro? Three reasons. One is the length of the intrusion. Eighteen months is a long time to have illegal access.
Two, the intruder (or intruders) did a good job of covering his (or her, or their) tracks as indicated by this statement from the filing, "In addition, the technology used by the Intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006. Given the scale and geographic scope of our business and computer systems and the time frames involved in the Computer Intrusion, our investigation has required a substantial period of time to date and is not completed. We are continuing to try to identify information stolen in the Computer Intrusion through our investigation, but, other than the information provided below, we believe that we may never be able to identify much of the information believed stolen."
And three, despite some encryption and data wiping policies in place (at least according to the SEC filing), the intruder was sufficiently computer-savvy to know when unencrypted data would travel in the clear. From the SEC filing, "Through our investigation, we have identified approximately 100 files that we believe the Intruder, during this period, stole from our Framingham system (the vast majority of which we believe the Intruder created) and that we suspect included customer data. However, due to the technology utilized by the Intruder, we are unable to determine the nature or extent of information included in these files. Despite our masking and encryption practices on our Framingham system in 2006, the technology utilized in the Computer Intrusion during 2006 could have enabled the Intruder to steal payment card data from our Framingham system during the payment card issuers approval process, in which data (including the track 2 data) is transmitted to payment card issuers without encryption. Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX."
The bottom line for CIOs and information security managers: You can never let your guard down. You can divide up your data, wipe your data and encrypt your data, but that does not necessarily mean your data is safe from intrusion. Constant vigilance of your systems, your procedures and your people working on those systems is the price of computer security today. If you are not willing to pay that price, you may just find yourself in the daily headlines.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.