When TJX Companies—the $16 billion global retail chain that owns T.J. Maxx and Marshalls, among many other brands—disclosed on Jan. 17 that it had “suffered an unauthorized intrusion” into its computer systems in December, it seemed to be forthcoming.
After all, the chain issued what appeared to be a detailed statement about the incident. Detailed or not, it was certainly longer than the typical “we've been penetrated” statement.
The statement said the company had retained the services of General Dynamics and IBM both to help investigate and to upgrade security systems to ostensibly prevent another, similar intrusion.
But a closer reading of the statement raises quite a few questions, none of which the company has tried to answer.
To be fair, criminal security breaches are among the most sensitive and tricky things to discuss publicly. How specific does one dare get before revealing too much? The culprit is still out there and concealing how much is known about the crime can often help catch the bad guy.
That said, the “we don't want to help the bad guy” rationale is quite convenient when there might be questions about whether the retailer was sufficiently careful about protecting data and systems.
Let's start with the timing. If the chain was so concerned about quickly alerting potentially at-risk customers, why did it wait until Jan. 17 to reveal an intrusion that it said happened a full month earlier (“mid-December 2006” is how the statement described it)?
How safe were its systems? The carefully worded statement said, “With the help of leading computer security experts, TJX has significantly strengthened the security of its computer systems. While no computer security can completely guarantee the safety of data, these experts have confirmed that the containment plan adopted by TJX is appropriate to prevent future intrusions and to protect the safety of credit card, debit card and other customer transactions in its stores.”
That sounds great, but why didn't this $16 billion retailer with more than 2,300 stores—which The Wall Street Journal said might have exposed more than 40 million cards in this incident—already have a security package that was “appropriate to prevent future intrusions and to protect the safety of credit card, debit card and other customer transactions in its stores”? Were its systems last month adequate and now they're overkill? Or are they now adequate and they were insufficient last month?
There are also the PCI implications, courtesy of Visa, Mastercard and other card players. What exactly was captured? The chain said the “intrusion involves the portion of TJX's computer network that handles credit card, debit card, check, and merchandise return transactions,” and that “store information related to customer transactions” including driver's license information was also impacted.
Does that include card application data, with everything from household income to prior addresses and name of employer? Getting back to PCI, does it include CVC numbers, which are technically not allowed to be stored? How much of the data was encrypted?
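As an added illustration, not part of the column or of any TJX system, here is a retention audit over constructed transaction records that flags the data the questions above turn on: CVC values and full magnetic-stripe track data, which the card brands' PCI rules prohibit storing after authorization, plus card numbers and driver's license numbers kept in cleartext. The `enc:` prefix is an assumed marker for an encrypted field.

```python
import re

# Constructed sample records (not real data) of the kind a retailer's
# transaction store might hold; each shows a different retention mistake.
SAMPLE_RECORDS = [
    {"txn_id": "c1", "pan": "4111111111111111", "cvc": "123", "track2": None,
     "drivers_license": "S123-456-789"},                 # cleartext PAN, CVC and license
    {"txn_id": "c2", "pan": "XXXXXXXXXXXX1111", "cvc": None, "track2": None,
     "drivers_license": None},                           # truncated PAN only: compliant
    {"txn_id": "c3", "pan": "enc:Q1pP...", "cvc": None,  # assumed "enc:" = encrypted field
     "track2": "4111111111111111=25121011000012345678", "drivers_license": "enc:Zm9v"},
]

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a real card number from an arbitrary digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_record(rec: dict) -> list:
    """Return the retention violations found in one stored transaction record."""
    findings = []
    if rec.get("cvc"):
        findings.append("cvc_stored")        # sensitive authentication data: never retain post-auth
    if rec.get("track2"):
        findings.append("track_data_stored") # full track contents carry the PAN and more
    pan = rec.get("pan") or ""
    if PAN_RE.match(pan) and luhn_ok(pan):
        findings.append("pan_cleartext")     # PAN must be unreadable at rest (truncate/encrypt/tokenize)
    dl = rec.get("drivers_license")
    if dl and not dl.startswith("enc:"):
        findings.append("drivers_license_cleartext")
    return findings


def audit(records: list) -> dict:
    """Map txn_id -> findings for every record that has at least one violation."""
    result = {}
    for rec in records:
        findings = audit_record(rec)
        if findings:
            result[rec["txn_id"]] = findings
    return result
```

Running `audit(SAMPLE_RECORDS)` reports c1 and c3 and stays silent on c2, the record that keeps only a truncated card number.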
Another question might be a wording issue. “TJX has specifically identified some customer information that has been stolen from its systems,” said the statement. The colloquial interpretation of the term could mean the typical intrusion effort, where the byte-bandit bypasses security and then copies files and leaves. Technically, some security experts say, the phrase “stolen from its systems” should refer to a malicious and destructive act, such as when an intruder copies files and then deletes them or materially changes them.
Were the files actually stolen, meaning they no longer exist within the TJX system? Even if that had been the case—which seems unlikely—one would hope that backups were kept sufficiently isolated to be unaffected.
The geographies mentioned in the statement also are interesting. Quoting again from the statement, the incident impacted “customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada, and may involve customers of its T.K. Maxx stores in the U.K. and Ireland. The intrusion could also extend to TJX's Bob's Stores in the U.S.” The data from all of those geographies were stored in one place? That would be unusual, said Mark Rasch, a former federal prosecutor specializing in technology crimes. Rasch wondered whether the breach instead impacted a third-party card processor that all of the TJX units shared.
As CardSystems learned when it was victimized by an intrusion, protecting future customers is important, but what will ultimately save—or destroy—a company's credibility and trustworthiness is how it handled systems right before the attack.
If IT execs can't get the funding for proper security, they need to point to retailers who get hurt and then suddenly have the public spotlight shone on how well they protected their customer data. I absolutely hope the facts ultimately show that TJX was an ideal corporate citizen and that it had done everything reasonable to protect itself.
For the industry, however, it's sometimes not a bad thing for a company to get beaten up for less-than-ideal procedures. If nothing else, it gives a reason for margin-fearing execs to cough up the cash, just in case.
Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesn't plan to stop any time soon. He can be reached at [email protected].