
Risk

1/18/2007
03:04 PM
Patricia Keefe
Commentary

Trust: It's A Terrible Thing To Waste

Kill me now. The latest data hack at the TJX companies has me, and a lot of other people I know, on the edge of their seats. We shop a lot at the TJX family of companies -- T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright and Bob's Stores -- and yesterday's announcement that the company had been hit hard by a data hack is not sitting well. Especially the part about how December data was definitely stolen (can you say intensive Christmas shopping?), and most especially, the scary part where the company admits that it "does not know if it will be able to identify additional information of specific customers that may have been taken."

I don't know what good it will do me if my data was stolen, and I don't know that it was (but like I said -- I shop there a lot), so I canceled my card and got a new one. I imagine others are doing the same. It provides some level of relief. In my case, this is the third possible data breach I have been exposed to in the last 12 months.

The TJX press release seems to indicate they're doing all the right things, at least in terms of standard operating procedure once a hack is discovered. Who knows what it was doing security-wise before? Now we have to wonder.

Were they doing the right things prior to the hack, like adequately securing their data, and then regularly checking those defenses? Maybe they did, maybe they didn't. The company so far won't say whether all that data was encrypted. So what does that tell you? And what possible excuse could they have had for not having done so, if that's the case?

You can be sure that whatever money IT or its business counterparts think they can save by sidestepping encryption is never going to make up for the financial costs associated with the ensuing fallout from a data hack: legal fees, negative publicity, lost sales, and the intangible of lost consumer confidence.

The thing that TJX and other companies have to realize is that a lot more was lost here than just customer data. Trust is gone. And once it's gone, it's real hard to get it back. And if you can't get it back, it's going to get harder and harder for businesses to deploy technology in ways designed to cut costs and save money. Each and every incident of data theft piles onto the consumer's collective memory of the last. The reverberations can cut deep for businesses.

For example, we're still seeing surveys that cite unease among online and would-be online shoppers. We don't feel safe, and hmmm, why is that? Our spam filters continue to miss spam, our security packages continue to leak embarrassing and unsettling security vulnerabilities, and the people who collect our data continue to lose it, rushing in to secure the barn door after the proverbial horses have left.

For example, TJX was quick to note that it has " ... significantly strengthened the security of its computer systems. While no computer security can completely guarantee the safety of data, these experts have confirmed that the containment plan adopted by TJX is appropriate to prevent future intrusions ... " Future intrusions? If this level of security was available and needed, why wasn't this system installed prior to the data hack?

The TJX Companies Chairman Ben Cammarata, meanwhile, issued a statement about how "deeply concerned" the company is about the "difficulties" the "event" may cause customers, urging them to "carefully review their credit card and debit card statements and other account information for unauthorized use. We want to assure our customers that this issue has the highest priority at TJX." So much so, they rushed these tips out to us! I sure feel all safe, warm, and fuzzy all over, how about you?

If we can't trust TJX's security, and we still want to shop there, we could be tempted to just use paper checks, or better yet, cash. This in turn will probably result in smaller purchases per trip. None of this is good for TJX, though shoppers may leave feeling good on two accounts -- they found some good deals, and they lessened their financial risk of having to pay an added, incalculable financial price.

And how many consumers continue to resist the siren call of online accounts for everything -- utility bills, mortgages, bank accounts, credit cards, you name it. Every consumer lost is cash lost out of some company's pocket -- your company, even. More important, how are we supposed to advance to electronic wallets and a digital cash economy if consumers don't feel safe? For example, do you really want a cell phone that contains all your personal information and access to your various credit and other accounts? I certainly don't -- you'd have to staple that thing to your body 12 ways every time you head out the door. Lose it, and you are doomed. Or don't lose it, but switch to a different phone, and now you have to worry about all that data that was on the old phone. Was it really wiped? (Not worried? Buy some used hard drives off eBay, check out the contents, and tell me what you find). Suddenly, all that convenience just is not worth the threat of unending financial and personal data hell. Just ask anyone who has been the victim of simple identity theft. Consumers have to feel safe before they'll be willing to make life convenient, and cheaper, for businesses.

So it is in the best interests of American businesses to work harder on safeguarding trust, and that effort has to start with the IT department.

Consider that every announcement about a data hack today is accompanied by the rote parallel announcement of a Web page where spooked customers can go to learn basic security tips, and ahem, how to avoid identity theft. (No, "shop somewhere else" is never suggested). Talk about too little, too late! If there is anywhere "the max for the minimum" will never pay off, it's with security. So how about taking these steps instead:

  • Add that information to your Web site now, before you get hit. Once a year, insert a reminder in customer credit card statements.
  • Conduct a security audit of your defenses now, to make sure they are as strong as they can be. Don't wait until after an intrusion occurs, and then expect a pat on the back for the effort.
  • If you haven't done it yet, encrypt all customer data ASAP. Stop playing with fire with your customers' financial security, and your store of consumer good will.
  • Get a handle on the flotsam and jetsam of your mobile systems, handhelds, and portable data sticks and devices. What's out there? Where is it? And what's on it? Formulate protective policies that will keep sensitive data off these easily stolen and lost devices.
  • Contribute ideas toward, lobby for, and then adhere to the tenets of, a national standard for data security. You certainly don't want a bunch of political hacks with a tenuous understanding of technology setting these guidelines, so get together with your peers, or industry IT groups, and work up some guidelines for the political hacks to work with. The silver lining here is the creation of a vertical industry standard for data protection that you can take to your business peers.
  • I'm sure you can think of a lot more that could be done and needs to be done. Whatever that might be, let the TJX hack spur your company into taking some definitive steps toward protecting customer trust. The cost is negligible considering that the rewards are priceless.
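One concrete form of the "encrypt all customer data" step in the list above, as an added example that is not from the article and not anything TJX or Dark Reading published: card numbers are sealed with AES-256-GCM from Go's standard library before they are stored, bound to the customer they belong to, and only a masked form is ever kept in the clear. The key generation, the record layout, the customer name, and the test card number are all constructed for this example; in practice the key would come from an HSM or key-management service rather than be generated in-process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// NewKey returns a fresh 256-bit AES key. Assumption for this example: the
// key is generated in-process. In a real deployment it would come from an
// HSM or key-management service and never be stored beside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptCard seals a card number with AES-256-GCM and returns
// nonce || ciphertext || tag. The customer name is bound in as associated
// data, so a ciphertext copied onto a different customer's row will not
// decrypt, and any bit flip in storage is detected rather than silently
// yielding a wrong card number.
func EncryptCard(key []byte, name, card string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(card), []byte(name)), nil
}

// DecryptCard reverses EncryptCard. It returns an error, not garbage, when
// the key, the bound name, or the stored bytes do not match.
func DecryptCard(key []byte, name string, sealed []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("sealed record too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, body, []byte(name))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// MaskCard is the only form of the number that belongs in plaintext on a
// receipt, a report, or a handheld: everything but the last four digits.
func MaskCard(card string) string {
	if len(card) <= 4 {
		return card
	}
	return strings.Repeat("*", len(card)-4) + card[len(card)-4:]
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the card number is a well-known test value.
	sealed, err := EncryptCard(key, "A. Shopper", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", hex.EncodeToString(sealed), "display:", MaskCard("4111111111111111"))
	card, err := DecryptCard(key, "A. Shopper", sealed)
	fmt.Println("recovered:", card, err)
	sealed[len(sealed)-1] ^= 0x01 // one corrupted byte in storage
	_, err = DecryptCard(key, "A. Shopper", sealed)
	fmt.Println("after tampering:", err)
}
```

The point of binding the customer name as associated data is that a stolen table of sealed values is useless without the key, and a sealed value moved between rows fails to open; the point of MaskCard is that the devices and reports in the "flotsam and jetsam" bullet never need the full number at all.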
