Now Maybe TJX Will Take Data Security Seriously

from the when-you-put-it-that-way dept

While personal data leaks continue to occur at a pretty regular clip, very few companies or government agencies take the problem very seriously. This is mostly because after the initial bout of bad PR, the repercussions are minimal, so few groups bother to spend the time and resources needed to put proper preventative measures in place. Perhaps, though, that will begin to change as the costs of these data leaks and breaches become more publicized. For instance, TJX, the retailer that suffered the largest breach of credit-card data ever, reported this week that its second-quarter costs related to that breach came in at more than 10 times its initial estimates, and added up to 25 cents per share in the quarter. The raw figure of $117 million still isn't that much, but it cut the company's earnings per share in half from the year-ago quarter -- and that's bound to upset the company's investors. They're likely to be even more annoyed if they look into the details of the breach: earlier reports highlighted the company's security incompetence, but a story this week made things look even worse. The breach was apparently perpetrated by using poorly secured in-store kiosks, which were on the corporate network and not behind firewalls. Attackers stuck USB keys in the kiosks and loaded software that allowed them to be controlled remotely, and used as gateways onto the network. While it certainly doesn't look like TJX was paying a lot of attention to security, a 25 cent per share loss will make investors take notice -- and that, hopefully, will force companies to take data leaks and security more seriously.

Filed Under: data leaks, security
Companies: tjx


Reader Comments



  • Chuck Norris' Enemy (deceased), 16 Aug 2007 @ 6:44am

    Loss

    They'll just write it off as a loss on their taxes...if they pay any. I am sure they will have to go through the motions of improving security. Whether or not it actually gets better will be fun to see.

  • Overcast, 16 Aug 2007 @ 6:45am

    Any company that doesn't take the time to insure security of customer financial data deserves every bit of loss they get.

    But then, is that really the problem, or is the problem trusting computers so much with finances?

    One thing can be certain - computers will never be 100% secure. If you can code in security, you can code something to get around it. It's just the nature of the computer. It only does what you tell it to do. And despite Corporate and Government's arrogance - the best programmers don't always work for them.

  • Anonymous Coward, 16 Aug 2007 @ 7:44am

    Simple Analysis

    We just had a meeting where we went over laptop security ..

    20 People * 0.5 hour * ~50$/person/hour = $500
    20 People * 10 minutes per day securing laptop =~ $50k/year

    1 lost unsecured laptop with sensitive data =~ $10,000,000 - $1,000,000,000

    Of course I'm talking about laptops with engineering documents, analyses, failure reports, etc., not customer financial data, but all we need to do is make consumer financial breaches cost that much to the company and they will change their practices. I'd personally like to see free credit monitoring for life with reports every time there is an update to credit history along with 100% protection from fraud. This should be insured against the CEO and board of directors' personal finances or the company should be required to set up a significant fund to provide these services in case the company goes under.

    I'm allowed to hope ... right?

  • Anonymous Coward, 16 Aug 2007 @ 8:56am

    Yeah right...

    We all know the only "improvements" TJX did was fire a few low level peons to keep up appearances with the shareholders.

  • Bob, 16 Aug 2007 @ 11:56am

    Please for the love of God, tell me you're joking!

    What damn fool administrator with ANY backbone would ever agree to allow his/her network to be compromised in this manner?

    I mean, I would rather QUIT a job if they were forcing me to overlook HUGE GAPS in security like this, than be FIRED after the fact and made to look like a completely incompetent idiot!

    This is BASIC security here, anyone with ANY knowledge of networking knows, you don't put an unprotected computing device out in the public and leave it on your intranet! Man, if I didn't have these back problems, I'd be applying for a job at TJX, where apparently anyone can get a job in the IT dept!

    • nonuser, 16 Aug 2007 @ 5:46pm

      Re: Please for the love of God, tell me you're jok

      D'oh!

      But before we write this off to total stupidity, another (speculated) physical attack vector described in the article was a doctored credit card reader placed on a checkout counter. That type of thing has to be worrisome to a lot of retailers.

      Fortunately, some of the downstream crooks behaved the way you'd expect of street criminals, producing multiple $400 gift cards at Wal-Mart to get around the store policy of requiring IDs for $500 cards.

  • Bob, 16 Aug 2007 @ 12:01pm

    Furthermore, criminal charges could be filed...

    In this case especially, the local authorities could file Criminal Negligence charges considering that TJX disregarded the most basics of networking security.

    Of course, I suppose our Attorney General is too busy pursuing other things at the moment, but seriously, someone should be made to stand up and take full responsibility for this fiasco!

  • Gary, 17 Aug 2007 @ 1:21pm

    dumb security

    Security is a tedious job that should be left to the professionals. It is not a guarantee, but so many people think they "get it" that they do dumb shit stuff like allowing USB access or letting public access terminals have full run on internal networks.

    Even big money companies do stupid things. A few years ago, when I was a client at Smith Barney, I used an online account. The account was secured by a username, password, and PIN. When I logged on I found they stuffed a cookie in my browser with the username and PIN in the clear! The web site described the password content so it limited the brute force range.

    The next article should be stories about smart people doing dumb things. The one I like best is how companies save thousands on computer security. They do not hire the staff and believe that unless there is an identified breach, they are safe and secure.

  • Anonymous, 21 Aug 2007 @ 8:09am

    Hmmmmmm,

    Think this sounds like someone read a past issue of 2600 magazine (2600.org), and saw the article about in store Kiosks. Again all sources were close to the investigation (sure....), and using a SEC Filing, "suspicious software" WOW! the company was hacked, what can be expected. This sounds like someone is on the FUD bandwagon, from a USB management software company. This is bad enough without people jumping and trying to make it bigger than it is along with making a dollar.

  • Industrial Shredders, 11 Jan 2009 @ 10:50pm

    Identity theft has brought great tensions to the corporate world causing many companies losses each year. Everyone is scared of their personal information not leaked out to some strangers. Not only offices but individuals at home should also purchase one for safety.

  • Keren, 28 Apr 2009 @ 2:19am

    Comment

    I'm using this discryptor.net software. I think that really makes my data secure.

  • Mitch Brosin, 23 Nov 2009 @ 7:18am

    Now, a couple of years later, TJX has yet to pay off any significant amount of customers over their lackluster data protection efforts. But, their name has paid an ultimate price. TJX name value is below the basement and I understand that company credit card applications are at all time lows. Behold the power of a hack to shatter consumer confidence in a brand.

  • Formax, 20 Jan 2010 @ 7:53pm

    Many companies are setting up encrypted disk drives - whereas the raw hard drive is not readable. It is a great technology - but I'm sure someone already knows how to break it..

    Formax FD 6100

  • formax, 20 Jan 2010 @ 7:57pm

    encryption

    Encrypted hard drives are the best defense against this.

    Formax FD 6100
