10:25 AM
Patricia Keefe

The TJX Haul: Largest Ever AND The Perfect Crime?

The California Secretary of State web site gets to keep its title as number one in the race to be the longest running data breach. It left three years of files exposing personal data up online, practically for the taking. But the TJX Companies take the cake when it comes to known harm. The company has the dubious distinction of having the largest ever number of stolen credit and debit cards - 45.7 million - which hackers stole over a period of roughly two years from computer systems at its U.S. and U.K. headquarters. Last week, $8 million in fraudulent charges, mostly via gift cards, were traced to that theft. Six people in Florida have been arrested.

No doubt about it, the TJX Co. has become the poster child of data theft, THE hacking case study, which will be anxiously pored over for years to come. No wonder there has been a noticeable uptick in the company's television and snail mail marketing efforts. By now, I imagine, the dismissive tone taken in an analyst call after the end of its last quarter - look, our sales are up for the quarter! Customers have not deserted us - has been replaced by one of concern, regret, and perhaps, fear.

Let's hope so, because the bad news continues to mount, as the details continue to slowly rise to the surface. (To read specifics, go to the TJX site here and click on the first report, the 10K filed March 28, 2007, and look at the section labeled "Computer Intrusion" on pages 10-14 on the PDF download.)

In summary, the company believes hackers loaded unauthorized software onto the computers used to process and store transaction data, making off with over 100 files filled with data from millions of customer accounts. Worse, the company has also said it thinks that hackers were able to swipe card information from its Framingham (headquarters) system while transactions were being approved. And here's more bad news: The company also believes that hackers were able to access even the files it did encrypt because they had gained access to the decryption tool! Which tells you just how professional and organized this crime ring was. And that should scare every CIO at every Fortune 1,000 company on up, on the planet. That, and the $5 million that TJX has already spent just investigating the hit - it still is unable to fully estimate its total losses. And did I mention that the perpetrators are still at large? And did you know how easily fixable some vulnerabilities are?

This was no random, get-in and get-out hit. It wasn't even a one-time targeted hit, the kind the panelists worried about at the Visa Security Summit earlier this month. This was a sustained, multi-year, multi-system, multi-pronged attack, and it was extremely successful. We're still learning how successful. For all we know, TJX discovered the breach by accident. Who knows how much longer the thefts could have ground on? Who knows how many other companies will soon find out that they, too, are right now and have been victims of such an attack? Maybe by the same gang of cyber criminals, maybe not. (Even scarier.)

Maybe it's time to set up a Google news alert on TJX, because the company keeps dribbling out its findings - each snippet of information more horrible than the last. Or, follow the lawsuit filed by one TJX shareholder to get access to records showing how TJX dealt with the computer problems that exposed customer data. Either way, you know there's more to come. And it will behoove IT everywhere to get to know as much about what happened here as it possibly can. Because the jig is up. Now there is no denying just how big time hacking has become, and just how serious, and how deep, the devastation can run, if your company does not take all reasonable precautions to prevent becoming the next victim. In order to prepare though, you have to be able to perceive what's possible, so by all means, commit the TJX heist to memory. And then commit to being just as professional and thorough in your efforts to secure your computer systems and customer data as you now know the bad guys are when breaking in. And take note of TJX's change of heart concerning its initial statements about what it was willing to do for customers (virtually nothing). Now, it is planning to send letters and offer credit monitoring in most cases to a set of 455,000 customers whose personal data - including driver's license numbers - were stolen.

BTW, another point the panelists talked about at the Visa Security Summit was using your spiffed up security as a branding and marketing tool. Of course, this is a double-edged sword. Brag too much about how secure your systems are, and you might as well put a neon cyber target on your back. But if the study released this month by Javelin Strategy & Research is to be believed, customers are saying they will not shop at stores they perceive as having weak computer security. (They also expect notification of breaches.) I'd say the jury is still out on the TJX companies - after all, they own several of the most popular chain discount stores in the country, and their customers love a bargain. On the other hand, the damage keeps mounting on into the stratosphere.

Does your company hold such an appealing ace card? Probably not, so the IT department had better run to your CEO and board with a new security plan. And if your CEO is one of the dolts who need to be slapped with a good sound bite in order to get his or her attention, try this one: "47.5 million stolen accounts and counting." Still not fully attentive? Then come back with your corporate counsel and just repeat these names: The Secret Service, the FBI, the FTC and the state attorneys general.
