Patricia Keefe, Contributor

January 18, 2007

7 Min Read

Kill me now. The latest data hack at the TJX companies has me, and a lot of other people I know, on the edge of their seats. We shop a lot at the TJX family of companies -- T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright and Bob's Stores -- and yesterday's announcement that the company had been hit hard by a data hack is not sitting well. Especially the part about how December data was definitely stolen (can you say intensive Christmas shopping?), and most especially, the scary part where the company admits that it "does not know if it will be able to identify additional information of specific customers that may have been taken."

I don't know what good it will do me if my data was stolen, and I don't know that it was (but like I said -- I shop there a lot), so I canceled my card and got a new one. I imagine others are doing the same. It provides some level of relief. In my case, this is the third possible data breach I have been exposed to in the last 12 months.

The TJX press release seems to indicate they're doing all the right things, at least in terms of standard operating procedure once a hack is discovered. Who knows what it was doing security-wise before? Now we have to wonder.

Were they doing the right things prior to the hack, like adequately securing their data and then regularly checking those defenses? Maybe they did, maybe they didn't. The company so far won't say whether all that data was encrypted. So what does that tell you? And what possible excuse could they have had for not having done so, if that's the case?

You can be sure that whatever money IT or its business counterparts think they can save by sidestepping encryption is never going to make up for the financial costs associated with the ensuing fallout from a data hack: legal fees, negative publicity, lost sales, and the intangible of lost consumer confidence.

The thing that TJX and other companies have to realize is that a lot more was lost here than just customer data. Trust is gone. And once it's gone, it's real hard to get it back. And if you can't get it back, it's going to get harder and harder for businesses to deploy technology in ways designed to cut costs and save money. Each and every incident of data theft piles onto the consumer's collective memory of the last. The reverberations can cut deep for businesses.

For example, we're still seeing surveys that cite unease among online and would-be online shoppers. We don't feel safe, and hmmm, why is that? Our spam filters continue to miss spam, our security packages continue to leak embarrassing and unsettling security vulnerabilities, and the people who collect our data continue to lose it, rushing in to secure the barn door after the proverbial horses have left.

For example, TJX was quick to note that it has " ... significantly strengthened the security of its computer systems. While no computer security can completely guarantee the safety of data, these experts have confirmed that the containment plan adopted by TJX is appropriate to prevent future intrusions ... " Future intrusions? If this level of security was available and needed, why wasn't this system installed prior to the data hack?

The TJX Companies Chairman Ben Cammarata, meanwhile, issued a statement about how "deeply concerned" the company is about the "difficulties" the "event" may cause customers, urging them to "carefully review their credit card and debit card statements and other account information for unauthorized use. We want to assure our customers that this issue has the highest priority at TJX." So much so, they rushed these tips out to us! I sure feel safe, warm, and fuzzy all over, how about you?

If we can't trust TJX's security, and we still want to shop there, we could be tempted to just use paper checks, or better yet, cash. This in turn will probably result in smaller purchases per trip. None of this is good for TJX, though shoppers may leave feeling good on two accounts -- they found some good deals, and they lessened their financial risk of having to pay an added, incalculable financial price.

And how many consumers continue to resist the siren call of online accounts for everything -- utility bills, mortgages, bank accounts, credit cards, you name it? Every consumer lost is cash lost out of some company's pocket -- your company, even. More important, how are we supposed to advance to electronic wallets and a digital cash economy if consumers don't feel safe? For example, do you really want a cell phone that contains all your personal information and access to your various credit and other accounts? I certainly don't -- you'd have to staple that thing to your body 12 ways every time you head out the door. Lose it, and you are doomed. Or don't lose it, but switch to a different phone, and now you have to worry about all that data that was on the old phone. Was it really wiped? (Not worried? Buy some used hard drives off eBay, check out the contents, and tell me what you find.) Suddenly, all that convenience just isn't worth the threat of unending financial and personal data hell. Just ask anyone who has been the victim of simple identity theft. Consumers have to feel safe before they'll be willing to make life convenient, and cheaper, for businesses.

So it is in the best interests of American businesses to work harder on safeguarding trust, and that effort has to start with the IT department.

Consider that every announcement about a data hack today is accompanied by the rote parallel announcement of a Web page where spooked customers can go to learn basic security tips, and ahem, how to avoid identity theft. (No, "shop somewhere else" is never suggested). Talk about too little, too late! If there is anywhere "the max for the minimum" will never pay off, it's with security. So how about taking these steps instead:

  • Add that information to your Web site now, before you get hit. Once a year, insert a reminder in customer credit card statements.

  • Conduct a security audit of your defenses now, to make sure they are as strong as they can be. Don't wait until after an intrusion occurs, and then expect a pat on the back for the effort.

  • If you haven't done it yet, encrypt all customer data ASAP. Stop playing with fire with your customers' financial security, and your store of consumer good will.

  • Get a handle on the flotsam and jetsam of your mobile systems, handhelds, and portable data sticks and devices. What's out there? Where is it? And what's on it? Formulate protective policies that will keep sensitive data off these easily stolen and lost devices.

  • Contribute ideas toward, lobby for, and then adhere to the tenets of, a national standard for data security. You certainly don't want a bunch of political hacks with a tenuous understanding of technology setting these guidelines, so get together with your peers, or industry IT groups, and work up some guidelines for the political hacks to work with. The silver lining here is the creation of a vertical industry standard for data protection that you can take to your business peers.

I'm sure you can think of a lot more that could be done and needs to be done. Whatever that might be, let the TJX hack spur your company into taking some definitive steps toward protecting customer trust. The cost is negligible considering that the rewards are priceless.
