IT Security & Network Security News & Reviews - eWeek



IT Security & Network Security News

TJX Intruder Moved 80GB of Data Without Detection


By: Evan Schuman
2007-10-25
Article Rating:starstarstarstarstar / 0


There are  user comments on this IT Security & Network Security News & Reviews story.


Federal court filings show TJX had failed to comply with nine of the 12 applicable PCI requirements.

Citing new information about the TJX data breach, attorneys suing the clothing retail chain amended their complaints on Oct. 25 and want a jury to evaluate TJXs security professionalism.

New details that emerged from documents filed in federal court Oct. 25 include:

  • A TJX consultant found that not only was TJX not PCI-compliant, but it had failed to comply with nine of the 12 applicable PCI requirements. Many were "high-level deficiencies," the consultant said.

  • "After locating the stored data on the TJX servers, the intruder used the TJX high-speed connection in Massachusetts to transfer this data to another site on the Internet" in California. More than "80 GBytes of stored data improperly retained by TJX were transferred in this manner. TJX did not detect this transfer."

  • In May 2006, a traffic capture/sniffer program was installed on the TJX network by the cyber-thieves, where it remained undetected for seven months, "capturing sensitive cardholder data as it was transmitted in the clear by TJX."

  • In 2004, before the attacks began, TJX was issued a report on its security compliance that "identified numerous serious deficiencies at TJX, including specific violations. TJX did not remedy many of these deficiencies."

  • At his deposition, the unnamed TJX consultant said that "he had never seen such a void of monitoring and capturing via logs activity at a Level One merchant as he saw at TJX."

  • "The data breach at TJX affected more than 100 million separate and distinct credit and debit card account numbers, more than twice the size of the next largest data breach in the history of the country."

  • The filings confirmed that both Visa and MasterCard have fined TJX. Visa issued "a substantial fine" in connection with the TJX data breach, dubbing it an "egregious violation" of security procedures. The sizes of the fines were not specified.

    Click here to read more about why TJX wanted to keep its IT security details secret.

    The filings for the first time also listed the key security problems that a TJX consultant found: improperly configuring its wireless network; not segmenting cardholder data devices from the rest of network traffic; "TJX did not have an IT department that was properly tasked to manage the environment used to store, process or transmit cardholder data"; improperly storing prohibited cardholder data; using usernames and passwords "that were easy to penetrate"; improper patch procedures; logs not properly maintained; anti-virus protection "improper"; and weak intrusion detection.

    The size of the TJX data loss keeps growing. Read more here.

    Oct. 25s revised complaint linked the bad security practices with the computer breach, which forced banks to take expensive actions to defend themselves. One key issue in civil cases such as this is whether the defendant can be shown to be simply careless or deliberately reckless. That distinction relies on showing what was likely in the defendants mind at the time of the acts that led to the data breach.

    Attorneys for the banks indicated they would try to show that intent with internal TJX documents obtained during discovery. "TJX knew—and discussed internally prior to the breach—that its deficiencies in network and data security could lead to the exact losses incurred here in the many millions of dollars," said the filing. "Had TJX properly disclosed information about the extent of its noncompliance with network security requirements prior to the breach, then actions to correct the deficiencies and prevent the breach could have been taken," the filing said.

    Retail Center Editor Evan Schuman can be reached at Evan.Schuman@ziffdavisenterprise.com.

    Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.







     
     
    >>> More IT Security & Network Security News & Reviews Articles          >>> More By Evan Schuman
     


    • FEATURED SPONSOR VIDEOS

    Benefits of Workload Optimization

    What Smart Companies MUST Learn from Gaming

    Advances in Authentication

    Vertical Markets Benefit from Workload Optimization

    View More Videos

    Brought to you by
    Advertisement

    FEATURED SPONSOR MESSAGE

    Microsoft Sponsored Resource Center

    Increase Your Microsoft Office 365 Knowledge! Dig inside this suite of cloud-based collaboration tools.

    Watch the video >>

    Brought to you by

    Suggested Related Content:

    Articles Labs/How-To Multimedia


    Advertisement
    Contact Us | About | Advertise | Site Map
    eWEEK Quick LInks

    Security:
    Enterprise Networking
    Network Security
    Infrastructure Security
    How To: Data
    Security Watch Blog
    Storage:
    Data Storage
    Cloud Storage
    Storage Virtualization
    Network Access Storage
    How To: Storage
    Storage Station Blog
    Computing:
    Apple OSX
    Linux Systems
    Windows 7
    Managed Print Services
    Computer Reviews
    Microsoft Watch Blog
    Google Watch Blog
    Communications:
    VoIP Solutions
    Wireless Technology
    Messaging Software
    Web Services
    Apps & Development:
    Application Development
    Enterprise Apps
    Search Engines
    Database Software
    Web 2.0
    CIOs

    Vertical Markets:
    Federal Government IT
    Health Care IT
    Finance IT
    Mid-Market
    Channel and VARs
    Careers Blog
    More eWeek Links:
    Green Computing Center
    Tech Knowledge Center
    Tech Newsletters
    Tech RSS Feeds
    White Papers
    Tech Videos
    Magazine Subscriptions
    Enterprise Websites:
    ZDE Home
    eWeek
    Baseline Magazine
    Channel Insider
    CIO Insight
    eSeminars and Events
    Web Buyers Guide
    Developer Websites:
    DevSource C# and .Net
    Dev Shed
    DeveloperShed
    ASP Free
    SEO Chat
    Codewalkers
    Tutorialized
    Scripts.com
    Dev Mechanic
    Dev Articles
    Web Hosters
    Dev Hardware
    Technology Websites:
    Device Forge
    Desktop Linux
    Linux Devices
    Windows for Devices
    PDF Zone
    Linux Watch
    TechDirect
    Windows Migration
    Smarter Technology

    Use of this site is governed by our Terms of Use and Privacy Policy
    Copyright ©1996-2012 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.
    ZDE Cluster 11
     
    Close this advertisement