Risk
3/30/2007
10:25 AM
Patricia Keefe

The TJX Haul: Largest Ever AND The Perfect Crime?

The California Secretary of State web site gets to keep its title as number one in the race to be the longest-running data breach. It left three years of files exposing personal data up online, practically for the taking. But the TJX Companies take the cake when it comes to known harm. The company has the dubious distinction of having the largest ever number of stolen credit and debit cards - 45.7 million - which hackers stole over a period of roughly two years from computer systems at its U.S. and U.K. headquarters. Last week, $8 million in fraudulent charges, mostly via gift cards, were traced to that theft. Six people in Florida have been arrested.

No doubt about it, the TJX Co. has become the poster child of data theft, THE hacking case study, which will be anxiously pored over for years to come. No wonder there has been a noticeable uptick in the company's television and snail mail marketing efforts. By now, I imagine, the dismissive tone taken in an analyst call after the end of its last quarter - look, our sales are up for the quarter! Customers have not deserted us - has been replaced by one of concern, regret, and perhaps, fear.

Let's hope so, because the bad news continues to mount, as the details continue to slowly rise to the surface. (To read specifics, go to the TJX site here and click on the first report, the 10K filed March 28, 2007, and look at the section labeled "Computer Intrusion" on pages 10-14 on the PDF download.)

In summary, the company believes hackers loaded unauthorized software onto the computers used to process and store transaction data, making off with over 100 files filled with data from millions of customer accounts. Worse, the company has also said it thinks that hackers were able to swipe card information from its Framingham (headquarters) system while transactions were being approved. And here's more bad news: The company also believes that hackers were able to access even the files it did encrypt because they had gained access to the decryption tool! Which tells you just how professional and organized this crime ring was. And that should scare every CIO at every Fortune 1,000 company on up, on the planet. That, and the $5 million that TJX has already spent just investigating the hit - it still is unable to fully estimate its total losses. And did I mention that the perpetrators are still at large? And did you know how easily fixable some vulnerabilities are?

This was no random, get-in and get-out hit. It wasn't even a one-time targeted hit, the kind the panelists worried about at the Visa Security Summit earlier this month. This was a sustained, multi-year, multi-system, multi-pronged attack, and it was extremely successful. We're still learning how successful. For all we know, TJX discovered the breach by accident. Who knows how much longer the thefts could have ground on? Who knows how many other companies will soon find out that they too, are right now, and have been, victims of such an attack? Maybe by the same gang of cyber criminals, maybe not. (Even scarier.)

Maybe it's time to set up a Google news alert on TJX, because the company keeps dribbling out its findings - each snippet of information more horrible than the last. Or, follow the lawsuit filed by one TJX shareholder to get access to records showing how TJX dealt with the computer problems that exposed customer data. Either way, you know there's more to come. And it will behoove IT everywhere to get to know as much about what happened here as it possibly can. Because the jig is up. Now there is no denying just how big-time hacking has become, and just how serious, and how deep, the devastation can run, if your company does not take all reasonable precautions to prevent becoming the next victim. In order to prepare, though, you have to be able to perceive what's possible, so by all means, commit the TJX heist to memory. And then commit to being just as professional and thorough in your efforts to secure your computer systems and customer data as you now know the bad guys are when breaking in. And take note of TJX's change of heart concerning its initial statements about what it was willing to do for customers (virtually nothing). Now, it is planning to send letters and offer credit monitoring in most cases to a set of 455,000 customers whose personal data - including driver's license numbers - was stolen.

BTW, another point the panelists talked about at the Visa Security Summit was using your spiffed-up security as a branding and marketing tool. Of course, this is a double-edged sword. Brag too much about how secure your systems are, and you might as well put a neon cyber target on your back. But if the study released this month by Javelin Strategy & Research is to be believed, customers are saying they will not shop at stores they perceive as having weak computer security. (They also expect notification of breaches.) I'd say the jury is still out on the TJX companies - after all, they own several of the most popular discount chain stores in the country, and their customers love a bargain. On the other hand, the damage keeps mounting on into the stratosphere.

Does your company hold such an appealing ace card? Probably not, so the IT department had better run to your CEO and board with a new security plan. And if your CEO is one of the dolts who needs to be slapped with a good sound bite in order to get his or her attention, try this one: "47.5 million stolen accounts and counting." Still not fully attentive? Then come back with your corporate counsel and just repeat these names: the Secret Service, the FBI, the FTC and the state attorneys general.
