10:25 AM
Patricia Keefe
Patricia Keefe

The TJX Haul: Largest Ever AND The Perfect Crime?

The California Secretary of State web site gets to keep it's title as number one in the race to be the longest running data breach. It left three years of files exposing personal data up online, practically for the taking. But the TJX Companies take the cake when it comes to known harm. The company has the dubious distinction of having the largest ever number of stolen credit and debit cards - 45.7 million - whi

The California Secretary of State web site gets to keep it's title as number one in the race to be the longest running data breach. It left three years of files exposing personal data up online, practically for the taking. But the TJX Companies take the cake when it comes to known harm. The company has the dubious distinction of having the largest ever number of stolen credit and debit cards - 45.7 million - which hackers stole over a period of roughly two years from computer systems at its U.S. and U.K. headquarters.Last week, $8 million in fraudulent charges, mostly via gift cards, were traced to that theft. Six people in Florida have been arrested.

No doubt about it, the TJX Co. has become the poster child of data theft, THE hacking case study, which will be anxiously pored over for years to come. No wonder there has been a noticeable uptick in the company's television and snail mail marketing efforts. By now, I imagine, the dismissive tone taken in an analyst call after the end of its last quarter - look, our sales are up for the quarter! Customers have not deserted us - has been replaced by one of concern, regret, and perhaps, fear.

Let's hope so, because the bad news continues to mount, as the details continue to slowly rise to the surface. (To read specifics, go to the TJX site here and click on the first report, the 10K filed March 28, 2007, and look at the section labeled "Computer Intrusion" on pages 10-14 on the PDF download.)

In summary, the company believes hackers loaded unauthorized software onto the computers used to process and store transaction data, making off with over 100 files filled with data from millions of customer accounts. Worse, the company has also said it thinks that hackers were able to swipe card information from its Framingham (headquarters) system while transactions were being approved. And here's more bad news: The company also believes that hackers were able to access even the files it did encrypt because they had gained access to the decryption tool! Which tells you just how professional and organized this crime ring was. And that should scare every CIO at every Fortune 1,000 company on up, on the planet. That, and the $5 million that TJX has already spent just investigating the hit - it still is unable to fully estimate its total losses. And did I mention that the perpetrators are still at large? And did you know how easily fixable some vulnerabilities are?

This was no random, get-in and get-out hit. It wasn't even a one-time targeted hit, the kind the panelists worried about at the Visa Security Summit earlier this month. This was a sustained, multi-year, multi-system, multi-pronged attack, and it was extremely successful. We're still learning how successful. For all we know, TJX discovered the breach by accident. Who knows how much longer the thefts could have ground on? Who knows how many other companies will soon find out that they too, are right now, and have been, victims of such an attack? Maybe by the same gang of cyber criminals, maybe not. (Even scarier.)

Maybe it's time to set up a Google news alert on TJX, because the company keeps dribbling out its findings - each snippet of information more horrible than the last. Or, follow the lawsuit filed by one TJX shareholder to get access to records showing how TJX dealt with the computer problems that exposed customer data. Either way, you know there's more to come. And it will behoove IT everywhere to get to know as much about what happened here as it possible can. Because the jig is up. Now there is no denying just how big time hacking has become, and just how serious, and how deep, the devastation can run, if your company does not take all reasonable precautions to prevent becoming the next victim. In order to prepare though, you have to be able to perceive what's possible, so by all means, commit the TJX heist to memory. And then commit to being just as professional and thorough in your efforts to secure your computer systems and customer data as you now know the bad guys are when breaking in. And take note of TJX's change of heart concerning its initial statements about what it was willing to do for customers (virtually nothing). Now, it is planning to send letters and offer credit monitoring in most cases to a set of 455,000 customers whose personal data - including driver's license numbers - were stolen.

BTW, another point the panelists talked about at the Visa Security Summit, was using your spiffed up security as a branding and marketing tool. Of course, this is a double-edged sword. Brag too much about how secure your systems are, and you might as well put a neon cyber target on your back. But if the study released this month by Javelin Strategy & Research is to be believed, customers are saying they will not shop at stores they perceive as having weak computer security. (They also expect notification of breaches.) I'd say the jury is still out on the TJX companies - after all, they own several of the most popular chain discount stores in the country, and their customers love a bargain. On the other hand, the damage keeps mounting on into the stratosphere.

Does your company hold such an appealing ace card? Probably not, so the IT department had better run to your CEO and board with a new security plan. And if your CEO is one of the dolts who need to be slapped with a good sound bite in order to get his or her attention, try this one: "47.5 million stolen accounts and counting." Still not fully attentive? Then come back with your corporate counsel and just repeat these names: The Secret Service, the FBI, The FTC and the state attorney generals.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.