Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity

    Protecting Data Requires Constant Vigilance

    By
    Eric Lundquist
    -
    March 29, 2007
    Share
    Facebook
    Twitter
    Linkedin

      The hack attack on the TJX computer systems was sophisticated, spectacularly successful and thwarted the security and encryption systems that were in place at the time of the crime. Thats my opinion on the attack following the reading of an SEC filing that, for the first time, provided some detail of how at least some of the information regarding nearly 46 million credit card users was put at risk over an 18-month period.

      The full filing can be found at here. The customer information breach has been well-covered by eWEEKs Evan Schuman, but details of the breach have been lacking as government investigators and private firms hired by the company to review its security procedures have tried to unravel just what happened. The section of the filing under the title of Computer Intrusion provides additional detail about how, during a lengthy period from an apparent initial intrusion in July 2005 until December 2006, a computer intruder had extensively penetrated the companys systems.

      /zimages/5/28571.gifTJX says the intruder had access to the companys encryption key. Click here to read more.

      In the filing the company states, “On December 18, 2006, we learned of suspicious software on our computer systems. We immediately initiated an investigation, and the next day, General Dynamics Corporation and International Business Machines Corporation, leading computer security and incident response firms, were engaged to assist in the investigation. They determined on December 21, 2006, that there was strong reason to believe that our computer systems had been intruded upon and that an Intruder remained on our computer systems.”

      Why do I think the hacker was a pro? Three reasons. One is the length of the intrusion. Eighteen months is a long time to have illegal access.

      Two, the intruder (or intruders) did a good job of covering his (or her, or their) tracks as indicated by this statement from the filing, “In addition, the technology used by the Intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006. Given the scale and geographic scope of our business and computer systems and the time frames involved in the Computer Intrusion, our investigation has required a substantial period of time to date and is not completed. We are continuing to try to identify information stolen in the Computer Intrusion through our investigation, but, other than the information provided below, we believe that we may never be able to identify much of the information believed stolen.”

      And three, despite some encryption and data wiping policies in place (at least according to the SEC filing), the intruder was sufficiently computer-savvy to know when unencrypted data would travel in the clear. From the SEC filing, “Through our investigation, we have identified approximately 100 files that we believe the Intruder, during this period, stole from our Framingham system (the vast majority of which we believe the Intruder created) and that we suspect included customer data. However, due to the technology utilized by the Intruder, we are unable to determine the nature or extent of information included in these files. Despite our masking and encryption practices on our Framingham system in 2006, the technology utilized in the Computer Intrusion during 2006 could have enabled the Intruder to steal payment card data from our Framingham system during the payment card issuers approval process, in which data (including the track 2 data) is transmitted to payment card issuers without encryption. Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX.”

      The bottom line for CIOs and information security managers: You can never let your guard down. You can divide up your data, wipe your data and encrypt your data, but that does not necessarily mean your data is safe from intrusion. Constant vigilance of your systems, your procedures and your people working on those systems is the price of computer security today. If you are not willing to pay that price, you may just find yourself in the daily headlines.

      Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

      Eric Lundquist
      Since 1996, Eric Lundquist has been Editor in Chief of eWEEK, which includes domestic, international and online editions. As eWEEK's EIC, Lundquist oversees a staff of nearly 40 editors, reporters and Labs analysts covering product, services and companies in the high-technology community. He is a frequent speaker at industry gatherings and user events and sits on numerous advisory boards. Eric writes the popular weekly column, 'Up Front,' and he is a confidant of eWEEK's Spencer F. Katt gossip columnist.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×