Depths Of TJX's Incompetence Continue To Astound
from the leave-the-front-door-open dept
The TJX credit-card data breach -- the largest ever -- was sort of amazing, in that it went on for a few years before it was detected and disclosed. It was established at the outset that the company didn't comply with the credit-card companies' security guidelines, but a story in today's Wall Street Journal spells out the depths of TJX's incompetence when it came to security. Investigators believe that the hackers used directional antennas to intercept traffic on the WiFi networks at the company's stores, which were protected only with WEP, an encryption scheme whose weaknesses had been public for years and which freely available tools could crack in minutes, since TJX never bothered to move to WPA. You wouldn't think that would be too much of a problem, because apart from the network encryption, the company had installed other layers of encryption and access control, right? Wrong. Once the hackers had gained access to the TJX network through a single store, they used keyloggers to gain access to the company's central database at its headquarters, set up their own accounts there, and the major theft began. TJX made this easier still by transmitting credit-card data to banks without encryption. Banks continue to see claims from fraudulent activity related to the theft, and they're left holding the bag -- so it's little wonder some of them have sued TJX in hopes of recovering damages. This illustrates one of the biggest problems when it comes to identity theft and data protection: the companies responsible for leaks and losses typically aren't the ones that have to deal with or pay for the fallout. In this case, TJX's financial liability has thus far been limited, and any fines it has to pay will likely be minimal, despite its ridiculously shoddy security. A company has no incentive to build better security if it feels no repercussions from a breach, so why should it bother? These misaligned incentives exacerbate the problem, and don't help anyone.
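To make concrete why "encrypted only with WEP" is so damning, here is a toy Python demonstration of one of WEP's structural flaws: the 24-bit IV. This is an added example, not code from the Techdirt post or the WSJ story, and it does not reproduce the FMS/PTW key-recovery attack that WEP-cracking tools actually use. It shows the simpler problem: WEP seeds RC4 with the cleartext IV plus the shared key, a busy access point repeats an IV within a few thousand frames, and two frames under the same IV share a keystream, so anyone who can guess one frame's contents (point-of-sale traffic is highly predictable) reads the other without ever learning the key. The 40-bit key, the IV and the frame bodies are constructed for the example.

```python
"""Toy demonstration of a structural flaw in WEP: keystream reuse.

Added example, not from the Techdirt post or the WSJ story. WEP seeds RC4
with (24-bit IV || shared key) and sends the IV in the clear. Because the
IV space is tiny, a busy access point repeats an IV quickly; two frames
encrypted under the same IV share a keystream, so an eavesdropper who
knows (or can guess) one frame's plaintext recovers the other's without
learning the key. The key, IVs and frame contents below are constructed.
"""
import math
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of RC4 keystream for `key` (KSA then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: cleartext IV followed by RC4(IV||key) XOR data.

    The CRC-32 ICV that real WEP appends is omitted; it does not affect
    the keystream-reuse problem shown here.
    """
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def recover_from_iv_reuse(frame1: bytes, frame2: bytes,
                          known_plaintext1: bytes) -> bytes:
    """Recover frame2's plaintext from frame1 (same IV) and frame1's plaintext.

    C1 XOR P1 yields the shared keystream; XOR into C2 yields P2, up to the
    length of the known plaintext. No key material is needed.
    """
    iv1, c1 = frame1[:3], frame1[3:]
    iv2, c2 = frame2[:3], frame2[3:]
    if iv1 != iv2:
        raise ValueError("frames use different IVs; keystreams differ")
    keystream = xor_bytes(c1, known_plaintext1)
    return xor_bytes(c2, keystream)


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: expected frames before a randomly chosen IV repeats."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def frames_until_iv_repeat(seed: int = 1) -> int:
    """Simulate an AP choosing random 24-bit IVs; count frames to first repeat.

    Many real WEP implementations did worse, resetting a sequential IV
    counter to zero on every reboot.
    """
    rng = random.Random(seed)                 # seeded so the run is repeatable
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.getrandbits(24)
        if iv in seen:
            return n
        seen.add(iv)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")         # constructed 40-bit WEP key
    iv = bytes.fromhex("aabbcc")              # constructed IV, reused by the AP
    # Constructed frame bodies; a POS terminal's traffic is highly predictable.
    p1 = b"POS/1.0 HEARTBEAT store=0423 lane=07 status=OK"
    p2 = b"POS/1.0 AUTH    pan=4111111111111111 exp=0109 amt=04999"
    f1 = wep_encrypt(key, iv, p1)
    f2 = wep_encrypt(key, iv, p2)
    print("recovered without key:", recover_from_iv_reuse(f1, f2, p1))
    print("expected frames to IV repeat: %.0f" % expected_frames_until_iv_repeat())
    print("simulated frames to IV repeat:", frames_until_iv_repeat())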
Reader Comments
the paranoid guys who claim that no one needs to know a damn thing about them might be on to something...
someone posited a while ago, that there should potentially be 10-20 ID numbers that you can have allocated to you, each one being completely separate from the others, and that something like the NSA should be the gatekeepers to the database. (although i'm not sure i want the gov't in charge...) the idea being that one number might be for medical issues, one for soc sec issues, one for credit issues, etc... and that some might simply be throwaways... ie if someone snatched it, you could toss it, and start fresh...
this is the ugly side of being digital.. you have no assurance that any part in the chain is actually secure. and the chain is only as strong as its weakest link...
peace...
So Long TJX
The banks are taking the brunt of this because of all the cancelled accounts and the need to reissue new cards, as well as the administrative overhead of dealing with TJX's total stupidity.
I am not happy to see this incident play out like it has, but since it has, it will be a boon to my business - providing systems support for small businesses. All I have to do is show a client the headlines - it'll be a slam dunk sale!
I'm not much into predictions, but I'll go out on a limb here and predict that within eighteen months, TJX will either be in bankruptcy or be seeking Chapter 11 protection.
They really blew it. The sad thing for me is I know a couple of folks at the Framingham office. Maybe I ought to advise them to polish up their resumes.
Re: So Long TJX
Banks are culpable, too
Re: #5
As someone who works in IT in a Fortune-300 retail company, it's really stinking hard to comply with the PCI (Payment Card Industry) requirements. Here's some reasons:
- PCI is new. Its rules didn't exist 5 years ago.
- PCI is ever changing. There's not a set of rules you can point at and say, "That's PCI." It's all a matter of "can the people trying at the moment break it?"
- Legacy systems are brittle and change slowly.
Why
Sounds like..
What About the Auditors?
Real Information Systems Audit has existed since at least 1990 and I'm not talking about accountants asking questions, I'm talking about systems people who know what they're doing and get paid to find exactly these kinds of problems and at the very least report the problems to the public and suggest improvements to the company.
Of course, as soon as they made such a negative report, they'd probably lose a multi-million dollar, multiple-year account, so often they either ignore or cover up such problems. Since they are so-called "professionals", they get to make up "rules" like GAAP that make them responsible for nothing at all - although that didn't work at all with Enron.
Did the auditors find these problems and did they report them in the public, year-end audit report? If so, senior management and the Board of Directors didn't perform much due diligence about getting things fixed and they ought to be fired and/or sued as well. If so, shareholders who read the year-end reports and ignored them have no one but themselves to blame if they lost money on their stocks.
If the auditors didn't find this mess over all those years, someone ought to hold them to account.
PCI and TJX
"As someone who works in IT in a Fortune-300 retail company, it's really stinking hard to comply with the PCI (Payment Card Industry) requirements. Here's some reasons:
- PCI is new. Its rules didn't exist 5 years ago.
- PCI is ever changing. There's not a set of rules you can point at and say, "That's PCI." It's all a matter of "can the people trying at the moment break it?"
- Legacy systems are brittle and change slowly."
PCI doesn't have to be hard, there are plenty of people out there to help. If it's too hard, your systems are either too full of holes and need rebuilding, or your budget for security is set unrealistically low.
There's free advice available here. Please drop us a line and we'll do what we can to help you out. Sometimes it's just a matter of trying a new tack with business management to approve budget.
PCI is not new however, it's been around since 2001 as PCIDSS v1.0, and in its current form (v1.1) since 2004, a set of rules which you can download here, so hasn't really changed that much. If you are being told that the goalposts are moving, get some better advice.
I will agree that legacy systems are brittle, but that's really why you should be concerned about their security and be prepared to either fix the security or replace them. That's just a business discussion.
A good QSA should be able to save you tons of headaches around PCI. If not, kick them out and get someone else in, there are plenty of people trying to get in on the act. You can download a list of these in your region from the VISA website.
Insider Job?
Ask any VoIP provider about security on their network and you will be amazed to learn there isn't any.
TJMAX incompetency
I have had two separate incidents of ID theft involving TJ Max. I think there should be a class action lawsuit against this company. If they're not punished this will continue.
My checking acct. # and driver license were stolen in one instance, and I had to cancel and replace my credit card in the other instance.
Thanks for listening, Karen