Dark Reading is part of the Informa Tech Division of Informa PLC

Risk

9/28/2007 12:25 PM
Keith Ferrell
Commentary

No Excuse: Security Lessons From T.J. MAXX Data Breach

Maybe the company should change its name to T.J. LAX -- lax security practices let the hacked retailer's data breach go from bad to worse to bad beyond belief while nobody did anything to remedy the situation.

That's the finding of a Canadian investigation into T.J. MAXX parent company TJX and its security procedures -- or lack of them -- that let a data breach persist for well over a year, with customer records compromised throughout that time.

The security lessons for small and midsized businesses? The ones you probably already know. Among the investigators' findings:

Watch for wireless weak spots: Indications are that the breach may have taken place via insecure wireless networks at T.J. MAXX stores. One foothold anywhere in your network is enough to compromise everything behind it.

Upgrade promptly and efficiently: TJX took two years to convert its systems from weak to strong encryption. That's far too long -- long enough for roughly two years' worth of customer data to be captured in the meantime.

Systems exist to be monitored: Better monitoring -- constant, thorough, and aggressive -- would have alerted the company to the breach far sooner.

Acquire only the information you need, and get rid of it when you're done: T.J. MAXX was collecting driver's license numbers when refunding non-receipted items. That's an unnecessary data grab -- and it exposed one more piece of customer data to theft. Take only the information a transaction requires, and retain it only as long as your business and the applicable compliance and regulatory rules require.

Industry standards exist for industry reasons: Incredibly, the company was processing millions of credit card transactions without adhering to Payment Card Industry (PCI) standards.

Every one of these lapses could have been remedied easily, and more than that, every one of them was a breach of good business practice as well as good data security practice.

Take a look at your business with the lessons of T.J. LAX, uh, MAXX in mind.
