Risk
3/30/2007
10:25 AM
Patricia Keefe
Patricia Keefe
Commentary
50%
50%

The TJX Haul: Largest Ever AND The Perfect Crime?

The California Secretary of State web site gets to keep it's title as number one in the race to be the longest running data breach. It left three years of files exposing personal data up online, practically for the taking. But the TJX Companies take the cake when it comes to known harm. The company has the dubious distinction of having the largest ever number of stolen credit and debit cards - 45.7 million - whi

The California Secretary of State web site gets to keep it's title as number one in the race to be the longest running data breach. It left three years of files exposing personal data up online, practically for the taking. But the TJX Companies take the cake when it comes to known harm. The company has the dubious distinction of having the largest ever number of stolen credit and debit cards - 45.7 million - which hackers stole over a period of roughly two years from computer systems at its U.S. and U.K. headquarters.Last week, $8 million in fraudulent charges, mostly via gift cards, were traced to that theft. Six people in Florida have been arrested.

No doubt about it, the TJX Co. has become the poster child of data theft, THE hacking case study, which will be anxiously pored over for years to come. No wonder there has been a noticeable uptick in the company's television and snail mail marketing efforts. By now, I imagine, the dismissive tone taken in an analyst call after the end of its last quarter - look, our sales are up for the quarter! Customers have not deserted us - has been replaced by one of concern, regret, and perhaps, fear.

Let's hope so, because the bad news continues to mount, as the details continue to slowly rise to the surface. (To read specifics, go to the TJX site here and click on the first report, the 10K filed March 28, 2007, and look at the section labeled "Computer Intrusion" on pages 10-14 on the PDF download.)

In summary, the company believes hackers loaded unauthorized software onto the computers used to process and store transaction data, making off with over 100 files filled with data from millions of customer accounts. Worse, the company has also said it thinks that hackers were able to swipe card information from its Framingham (headquarters) system while transactions were being approved. And here's more bad news: The company also believes that hackers were able to access even the files it did encrypt because they had gained access to the decryption tool! Which tells you just how professional and organized this crime ring was. And that should scare every CIO at every Fortune 1,000 company on up, on the planet. That, and the $5 million that TJX has already spent just investigating the hit - it still is unable to fully estimate its total losses. And did I mention that the perpetrators are still at large? And did you know how easily fixable some vulnerabilities are?

This was no random, get-in and get-out hit. It wasn't even a one-time targeted hit, the kind the panelists worried about at the Visa Security Summit earlier this month. This was a sustained, multi-year, multi-system, multi-pronged attack, and it was extremely successful. We're still learning how successful. For all we know, TJX discovered the breach by accident. Who knows how much longer the thefts could have ground on? Who knows how many other companies will soon find out that they too, are right now, and have been, victims of such an attack? Maybe by the same gang of cyber criminals, maybe not. (Even scarier.)

Maybe it's time to set up a Google news alert on TJX, because the company keeps dribbling out its findings - each snippet of information more horrible than the last. Or, follow the lawsuit filed by one TJX shareholder to get access to records showing how TJX dealt with the computer problems that exposed customer data. Either way, you know there's more to come. And it will behoove IT everywhere to get to know as much about what happened here as it possible can. Because the jig is up. Now there is no denying just how big time hacking has become, and just how serious, and how deep, the devastation can run, if your company does not take all reasonable precautions to prevent becoming the next victim. In order to prepare though, you have to be able to perceive what's possible, so by all means, commit the TJX heist to memory. And then commit to being just as professional and thorough in your efforts to secure your computer systems and customer data as you now know the bad guys are when breaking in. And take note of TJX's change of heart concerning its initial statements about what it was willing to do for customers (virtually nothing). Now, it is planning to send letters and offer credit monitoring in most cases to a set of 455,000 customers whose personal data - including driver's license numbers - were stolen.

BTW, another point the panelists talked about at the Visa Security Summit, was using your spiffed up security as a branding and marketing tool. Of course, this is a double-edged sword. Brag too much about how secure your systems are, and you might as well put a neon cyber target on your back. But if the study released this month by Javelin Strategy & Research is to be believed, customers are saying they will not shop at stores they perceive as having weak computer security. (They also expect notification of breaches.) I'd say the jury is still out on the TJX companies - after all, they own several of the most popular chain discount stores in the country, and their customers love a bargain. On the other hand, the damage keeps mounting on into the stratosphere.

Does your company hold such an appealing ace card? Probably not, so the IT department had better run to your CEO and board with a new security plan. And if your CEO is one of the dolts who need to be slapped with a good sound bite in order to get his or her attention, try this one: "47.5 million stolen accounts and counting." Still not fully attentive? Then come back with your corporate counsel and just repeat these names: The Secret Service, the FBI, The FTC and the state attorney generals.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4497
Published: 2015-08-29
Use-after-free vulnerability in the CanvasRenderingContext2D implementation in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to execute arbitrary code by leveraging improper interaction between resize events and changes to Cascading Style Sheets (CSS) token...

CVE-2015-4498
Published: 2015-08-29
The add-on installation feature in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to bypass an intended user-confirmation requirement by constructing a crafted data: URL and triggering navigation to an arbitrary http: or https: URL at a certain early point i...

CVE-2014-9651
Published: 2015-08-28
Buffer overflow in CHICKEN 4.9.0.x before 4.9.0.2, 4.9.x before 4.9.1, and before 5.0 allows attackers to have unspecified impact via a positive START argument to the "substring-index[-ci] procedures."

CVE-2015-1171
Published: 2015-08-28
Stack-based buffer overflow in GSM SIM Utility (aka SIM Card Editor) 6.6 allows remote attackers to execute arbitrary code via a long entry in a .sms file.

CVE-2015-2987
Published: 2015-08-28
Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.