Hacked to the Maxx: It would be tough to come up with a more distressing start-of-year hacking story than the data breach at TJX Companies, parent company of T.J. Maxx and other retail outlets.
As our story by Senior Writer Matt Hines explains, “TJX officials said that outsiders were specifically able to gain access to the portion of its computer network that retains its customers' credit card, debit card and check information, along with data related to merchandise return transactions.”
The breach, which apparently includes data all the way back to 2003, has all the elements of a company simply not doing its job to protect customer data.
TJX has not been very forthcoming with information, but it appears the data breach was widespread over the company's many retail operations and involved customer records that were retained beyond a reasonable time span and not encrypted. While this story could have been written five or six years ago, when hackers and data breaches were just beginning their quick rise along with the rise of online shopping, it is stunning that this story could be taking place in early 2007.
Or maybe the story isn't stunning but is simply a case of companies failing to take notice of the digital world in which they live and being unwilling to put in place the policies and fund the projects that keep them off the front page and actually committed to maintaining customer data by deed as well as by word.
Recently, I met with Schaun Wolfe, the president and CEO of MessageGate, which provides e-mail governance systems for companies including Boeing, Bank of America, Lehman Brothers and others. As those who watch e-mail procedures and blunders for a living, executives at MessageGate compiled a list of what they considered the top 10 e-mail blunders of 2006.
You can find the entire list here, but here are three of my favorites. First, a company found that its top e-mail sender was not an employee but a copy/fax machine that swamped the e-mail system with the message that it was low on toner. Second, a financial services company discovered employees were disclosing customers' personal financial information through unsecured e-mail as they sought to close loans by sharing credit reports directly with loan applicants. And third, a company found that the unusual messaging pattern of one employee was due to the employee running a disc jockey business on the corporate server.
Now those three cases aren't as serious as TJX's blunder in not securing, encrypting and protecting customer data, but they all fall into the same category of corporate computing mistakes. In many ways, corporate management is unprepared to operate in the digital world. However, the fault doesn't lie entirely with management that is so afraid of technology that it appoints a CIO to “handle the tech” and then fires him or her when the tech messes up. The fault also lies with the rest of the technology staff who live with the digital data zipping around a company and do not send up a signal flare to the upper corporate ranks when they see a small problem that could easily become a big corporate problem if not resolved.
I'm sure that the breach at TJX will not be the last at a big company, and I'm also sure that continued customer outcries over their privacy being treated in a cavalier fashion will result in additional, rigorous state and federal privacy legislation. My advice to technology professionals in the corporate world is not to wait for legislation or figure that it is someone else's job to lock down the corporate customer database. You should be the one to both raise the alert and have a plan in place to keep personal data secure. The customer information you save may be your own.
Editorial Director Eric Lundquist can be reached at email@example.com.