Patricia Keefe

The TJX Haul: Largest Ever AND The Perfect Crime?

The California Secretary of State web site gets to keep its title as number one in the race to be the longest running data breach. It left three years of files exposing personal data up online, practically for the taking. But the TJX Companies take the cake when it comes to known harm. The company has the dubious distinction of having the largest ever number of stolen credit and debit cards - 45.7 million - which hackers stole over a period of roughly two years from computer systems at its U.S. and U.K. headquarters. Last week, $8 million in fraudulent charges, mostly via gift cards, were traced to that theft. Six people in Florida have been arrested.

No doubt about it, the TJX Co. has become the poster child of data theft, THE hacking case study, which will be anxiously pored over for years to come. No wonder there has been a noticeable uptick in the company's television and snail mail marketing efforts. By now, I imagine, the dismissive tone taken in an analyst call after the end of its last quarter - look, our sales are up for the quarter! Customers have not deserted us - has been replaced by one of concern, regret, and perhaps, fear.

Let's hope so, because the bad news continues to mount as the details slowly rise to the surface. (To read specifics, go to the TJX site here and click on the first report, the 10-K filed March 28, 2007, and look at the section labeled "Computer Intrusion" on pages 10-14 of the PDF download.)

In summary, the company believes hackers loaded unauthorized software onto the computers used to process and store transaction data, making off with over 100 files filled with data from millions of customer accounts. Worse, the company has also said it thinks that hackers were able to swipe card information from its Framingham (headquarters) system while transactions were being approved. And here's more bad news: The company also believes that hackers were able to access even the files it did encrypt because they had gained access to the decryption tool! Which tells you just how professional and organized this crime ring was. And that should scare every CIO at every Fortune 1,000 company on up, on the planet. That, and the $5 million that TJX has already spent just investigating the hit - it still is unable to fully estimate its total losses. And did I mention that the perpetrators are still at large? And did you know how easily fixable some vulnerabilities are?

This was no random, get-in and get-out hit. It wasn't even a one-time targeted hit, the kind the panelists worried about at the Visa Security Summit earlier this month. This was a sustained, multi-year, multi-system, multi-pronged attack, and it was extremely successful. We're still learning how successful. For all we know, TJX discovered the breach by accident. Who knows how much longer the thefts could have ground on? Who knows how many other companies will soon find out that they too, are right now, and have been, victims of such an attack? Maybe by the same gang of cyber criminals, maybe not. (Even scarier.)

Maybe it's time to set up a Google news alert on TJX, because the company keeps dribbling out its findings - each snippet of information more horrible than the last. Or, follow the lawsuit filed by one TJX shareholder to get access to records showing how TJX dealt with the computer problems that exposed customer data. Either way, you know there's more to come. And it will behoove IT everywhere to get to know as much about what happened here as it possibly can. Because the jig is up. Now there is no denying just how big-time hacking has become, and just how serious, and how deep, the devastation can run if your company does not take all reasonable precautions to prevent becoming the next victim. In order to prepare, though, you have to be able to perceive what's possible, so by all means, commit the TJX heist to memory. And then commit to being just as professional and thorough in your efforts to secure your computer systems and customer data as you now know the bad guys are when breaking in. And take note of TJX's change of heart concerning its initial statements about what it was willing to do for customers (virtually nothing). Now, it is planning to send letters and offer credit monitoring in most cases to a set of 455,000 customers whose personal data - including driver's license numbers - were stolen.

BTW, another point the panelists talked about at the Visa Security Summit was using your spiffed-up security as a branding and marketing tool. Of course, this is a double-edged sword. Brag too much about how secure your systems are, and you might as well put a neon cyber target on your back. But if the study released this month by Javelin Strategy & Research is to be believed, customers are saying they will not shop at stores they perceive as having weak computer security. (They also expect notification of breaches.) I'd say the jury is still out on the TJX companies - after all, they own several of the most popular chain discount stores in the country, and their customers love a bargain. On the other hand, the damage keeps mounting on into the stratosphere.

Does your company hold such an appealing ace card? Probably not, so the IT department had better run to your CEO and board with a new security plan. And if your CEO is one of the dolts who needs to be slapped with a good sound bite in order to get his or her attention, try this one: "47.5 million stolen accounts and counting." Still not fully attentive? Then come back with your corporate counsel and just repeat these names: the Secret Service, the FBI, the FTC and the state attorneys general.
