But the latest revelations also start to put TJX in a new light. Granted, there are still far too many unknown facts to establish whether or not TJX was a conscientious protector of consumer private data, but the latest information raises the possibility that it might indeed have been.
Industry speculation—coupled with MasterCard confirming that TJX was in violation of PCI rules—prompted suggestions that TJX had failed to encrypt data. It still may have failed to encrypt some data, but the company's federal filing, which reports cyber-thieves circumventing TJX's encryption, certainly implies that there was some, perhaps more than had been assumed.
Suggestions that the theft of data several years old proved TJX was holding onto data far too long were undermined by the latest filing, which said that TJX routinely deleted data but that a rogue program the intruders planted on TJX systems captured and made copies of the data beforehand. The filing doesn't establish that TJX was indeed not retaining data too long, but it raises the possibility that it was acting quite properly.
That in turn raises a much more disquieting thought. What if it turns out that TJX had indeed been doing everything right the whole time? In other words, what if this proves to be much less of a case of TJX being careless and much more a case of the intruders being clever, resourceful and persistent?
In the words of former federal prosecutor—and currently managing director for FTI Consulting—Mark Rasch: "It's really easy to say that TJX screwed up. A more frightening thought is that they didn't."
Before we get into the scary scenario that TJX IT managers were model IT citizens—which would truly mean that today's cyber-thieves could execute such a huge breach on any major retailer at any moment—let's take a look at the new details they revealed in their government filing.
As TJX has done throughout this situation, the company has issued a rather lengthy document, which seems to have lots of new details. In all fairness, it does deliver many new goodies. But for every new detail it reveals, it raises 10 more questions. It's like a bright young university student discovering that the more he learns, the more he realizes all that he doesn't know.
Before some reader calls me Grasshopper ($10 for the first reader who properly identifies that pop-culture reference), let's drill down. TJX reported that "we believe that the intruder had access to the decryption tool for the encryption software utilized by TJX."
What was not addressed was how TJX's investigation came to that conclusion, nor any indications—or even theories—as to how the intruder came to have such access. Was it an inside job? Sources within the investigation suggest that it wasn't. Had the visitor obtained it somewhere, learned that it was for TJX's system and then decided to target TJX? Maybe.
A more likely scenario is that the intruder found the encryption key while engaged in the breach. This is made more likely because many retail IT departments will leave such encryption keys on the very same server that holds the encrypted data. Although that's convenient for the retailer's IT staff, it's also quite convenient for any intruder.
Getting back to whether TJX was practicing safe computing: the encryption key revelation doesn't actually shed much light. The attacker could have brilliantly obtained the key some other way or could have obtained the key in some brilliant way that no one would have expected to defend against. On the other hand, the key might have been left in an easily discovered file, perhaps even the default file used by the software installer. Without knowing the key particulars, there's no way to know.