Now Maybe TJX Will Take Data Security Seriously
from the when-you-put-it-that-way dept
While personal data leaks continue to occur at a pretty regular clip, very few companies or government agencies take the problem very seriously. This is mostly because, after the initial bout of bad PR, the repercussions are minimal, so few organizations bother to spend the time and resources needed to put proper preventative measures in place. Perhaps, though, that will begin to change as the costs of these data leaks and breaches become more publicized. For instance, TJX, the retailer that suffered the largest breach of credit-card data ever, reported this week that its second-quarter costs related to that breach came in at more than 10 times its initial estimates, and added up to 25 cents per share in the quarter. The raw figure of $117 million still isn't that much, but it cut the company's earnings per share in half from the year-ago quarter -- and that's bound to upset the company's investors. They're likely to be even more annoyed if they look into the details of the breach: earlier reports highlighted the company's security incompetence, but a story this week made things look even worse. The breach was apparently perpetrated through poorly secured in-store kiosks, which sat on the corporate network and were not behind firewalls. Attackers plugged USB keys into the kiosks and loaded software that allowed the kiosks to be controlled remotely and used as gateways onto the network. While it certainly doesn't look like TJX was paying a lot of attention to security, a 25 cent per share loss will make investors take notice -- and that, hopefully, will force companies to take data leaks and security more seriously.
Filed Under: data leaks, security
Companies: tjx
Reader Comments
Loss
But then, is that really the problem, or is the problem trusting computers so much with finances?
One thing can be certain - computers will never be 100% secure. If you can code in security, you can code something to get around it. It's just the nature of the computer. It only does what you tell it to do. And despite Corporate and Government's arrogance - the best programmers don't always work for them.
Simple Analysis
20 people * 0.5 hour * ~$50/person/hour = $500
20 people * 10 minutes per day securing laptop =~ $50k/year
1 lost unsecured laptop with sensitive data =~ $10,000,000 - $1,000,000,000
Of course I'm talking about laptops with engineering documents, analyses, failure reports, etc., not customer financial data, but all we need to do is make consumer financial breaches cost that much to the company and they will change their practices. I'd personally like to see free credit monitoring for life, with reports every time there is an update to credit history, along with 100% protection from fraud. This should be insured against the CEO's and board of directors' personal finances, or the company should be required to set up a significant fund to provide these services in case the company goes under.
I'm allowed to hope ... right?
Yeah right...
Please for the love of God, tell me you're joking!
I mean, I would rather QUIT a job if they were forcing me to overlook HUGE GAPS in security like this than be FIRED after the fact and made to look like a completely incompetent idiot!
This is BASIC security here; anyone with ANY knowledge of networking knows you don't put an unprotected computing device out in the public and leave it on your intranet! Man, if I didn't have these back problems, I'd be applying for a job at TJX, where apparently anyone can get a job in the IT dept!
Re: Please for the love of God, tell me you're jok
But before we write this off to total stupidity, another (speculated) physical attack vector described in the article was a doctored credit card reader placed on a checkout counter. That type of thing has to be worrisome to a lot of retailers.
Fortunately, some of the downstream crooks behaved the way you'd expect of street criminals, producing multiple $400 gift cards at Wal-Mart to get around the store policy of requiring IDs for $500 cards.
Furthermore, criminal charges could be filed...
Of course, I suppose our Attorney General is too busy pursuing other things at the moment, but seriously, someone should be made to stand up and take full responsibility for this fiasco!
dumb security
Even big-money companies do stupid things. A few years ago, when I was a client at Smith Barney, I used an online account. The account was secured by a username, password, and PIN. When I logged on, I found they had stuffed a cookie in my browser with the username and PIN in the clear! The web site described the password content, so it limited the brute-force range.
The next article should be stories about smart people doing dumb things. The one I like best is how companies save thousands on computer security. They do not hire the staff and believe that unless there is an identified breach, they are safe and secure.