Remember How TJX Was The Worst Data Breach In History? Well, It Was Actually Worse

from the stunning-incompetence dept

Mon, Oct 29th 2007 6:19pm — Mike Masnick

In the last few years, every time a massive data breach is reported, you can be assured of one thing: a few weeks after the initial report comes out, a second report will come out admitting that the breach was worse than previously expected. We saw it with Choicepoint. We saw it with the VA. It seems to always happen. In fact, with the now infamous TJX breach, we'd already mentioned that the problems were worse than originally announced -- making it the largest such breach ever reported. This wasn't surprising once you found out just how incompetent the company was -- failing to comply with nearly all of the credit card company's security guidelines and leaving their entire system wide open to anyone who could hack a simple insecure WEP WiFi system (something that's quite easily done). The data from the breach (unlike many other widely announced breaches) has already been used in numerous frauds, costing upwards of $60 million. With such astounding incompetence and a breach so large, should it come as any surprise that even the updated breach numbers weren't complete? That's right, thanks to documents being filed in the lawsuits against TJX, it's now coming out that the breach has impacted even more people than was earlier announced. Of course, the question still remains whether or not the punishment the company receives will matter. It doesn't seem like anything is really done to stop companies from being so careless, and there's no indication that's going to change in this case either.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: breach, security
Companies: tjx

15 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

GrammarMan, 29 Oct 2007 @ 6:51pm

Quick... first sentence, change "the breach was worse that" to "the breach was worse than" and then delete my comment! :p
[ link to this | view in chronology ]
- Mike (profile), 29 Oct 2007 @ 7:33pm
  
  Re:
  Quick... first sentence, change "the breach was worse that" to "the breach was worse than" and then delete my comment! :p
  
  Heh. No reason to delete... thanks for pointing out the mistake. It's now been fixed.
  [ link to this | view in chronology ]
Anonymous Coward, 29 Oct 2007 @ 8:32pm

"Of course, the question still remains whether or not the punishment the company receives will matter. It doesn't seem like anything is really done to stop companies from being so careless, and there's no indication that's going to change in this case either."

What the !@#$ are you talking about?

Have you ever heard of the new Payment Card Industry (PCI) standards Visa/Mastercard et all are enforcing? They pretty much forcing anyone who processes credit cards to adhere to a certain set of security standards or you pay big $$ fines.
[ link to this | view in chronology ]
- Anonymous Coward, 29 Oct 2007 @ 10:11pm
  
  Re:
  Really? Fines in upwards of US$60M then to keep it in scale with the losses suffered by consumers affected by the negligence of TJX?
  
  Hm, I didn't see fines like that discussed in the PCI standards...
  [ link to this | view in chronology ]
- MrWizard, 30 Oct 2007 @ 3:49am
  
  Re:
  You've got to be kidding.
  They can't/won't enforce their existing standards.
  What makes you think they'll enforce their "new" standards?
  
  And the Visa/MC penalties? What a joke.
  After the largest databreach ever, was TJX banned from Visa/MC?
  Nope.
  [ link to this | view in chronology ]
  - Chris, 30 Oct 2007 @ 6:13am
    
    Re: Re:
    After the largest databreach ever, was TJX banned from Visa/MC?
    Nope.
    
    No, Visa/MC just ban companies that follow the law of their country that the RIAA don't like. Ie. allofmp3.com....
    [ link to this | view in chronology ]
    - Anonymous Coward, 30 Oct 2007 @ 7:04am
      
      Re: Re: Re:
      Somehow I knew it was the RIAA's fault.
      [ link to this | view in chronology ]
Shamalama, 29 Oct 2007 @ 11:09pm

consequences and repercussions
Losing the ability to process payment cards, or at least the major two, can cause a pretty significant financial hit to most of these companies. Although I doubt people are quick to pull out the charge card at TJX these days anyway. I say pull their ability to do in house processing and give the process to a competent vendor or even an arm of the CC companies themselves and make offenders pay ridiculous fee's. Hmm... unless they start passing that on to the consumer as a "convenience fee". OK: Cash only, then probation with vendor, then triple factor authentication at the point of sale with terminal on regularly audited secure/compliant network. Eh screw that. Just implant the zero liability paypass chip in my *&%$@! and let the CC comps pay the fee's (with my ridiculous interest) should some bastard scan my *&$@#!. This is why I want to see a presidential candidate come out on a ticket to change the national currency to women and beer. Not only could we then get beer from the bank but we wouldnt have to carry around a wallet because.. crap.I should go to sleep.
[ link to this | view in chronology ]
Michael E, 30 Oct 2007 @ 3:28am

Consequences
I don't know how much TJX will actually get fined based on the scope of the breach to end consumers. With what I've been reading on the matter, TJX will throw out cupons and the like to consumers affected by the breach. This is kind of amusing to me as they have also claimed that they could not have notified the end consumer since they don't have that information... So how are they going to send out those cupons then?

From the corp perspective, damages imposed by the courts will also depend on the litigating parties. There has been evidence displayed that the faults in TJXs security was weak and nothing substantive was done to curb them then either by PCI or other member organizations. So the depth of the scope can be limited to when the PCI 1.0 standard was ratified and when TJX filed a Report of Compliance that stated they were compliant (which I fail to see given their status). If they did file and they are found to have falsified their filing, then the hammer can really be dropped on them.

The really big issue here isn't really the security but governance. There has been evidence of IT insiders within TJX crying 'wolf' only to have management fail to undertake the necessary risk assessments conducted to fully quantify the risks involved. There are no laws against poor management but there is recourse in the form of market confidence. If anything will hurt TJX it will come from the folks that hold their stock. If they started to dump their stocks then the company management will also take a severe beating as it is likely that they also have some skin tied up in the company's valuation.

My 0.02c.
[ link to this | view in chronology ]
Jeremy, 30 Oct 2007 @ 4:27am

Umm...
"...wide open to anyone who could hack a simple insecure WEP WiFi system..."

Does that mean we have WEP WiFi with self-esteem issues? Or perhaps that it should be UNsecure?
[ link to this | view in chronology ]
- Chronno S. Trigger, 30 Oct 2007 @ 6:01am
  
  Re: Umm...
  Insecure, Adg, Lacking in security or safety; "his fortune was increasingly insecure"; "an insecure future".
  
  Sad to say, I probably have a more secure network at home.
  [ link to this | view in chronology ]
Anonymous Coward, 30 Oct 2007 @ 7:25am

Big deal...
Forget the fines forget being banned from Visa/Master the only thing that will happen is that a few peons (MAYBE a manager) will get fired and have a gag order put on them (so they can't tell what really happened), some free credit monitoring and some discount coupons will be given to customers, a then the upper management and share holders will continue to rake in several million a year.
[ link to this | view in chronology ]
freak3dot, 30 Oct 2007 @ 9:10am

TJX Message
Has anyone read the letter from the President and CEO of TJX? Good for a laugh if nothing else.
http://www.tjx.com/tjx_message.html

freak3dot
[ link to this | view in chronology ]
Max Powers at http://ConsumerFight.com, 30 Oct 2007 @ 3:13pm

Who committed the biggest crime?
Let's not forget that someone else "Stole" that information from TJX. I have not seen one post putting the blame on the hacker.
[ link to this | view in chronology ]
Jeremy, 31 Oct 2007 @ 4:03am

I stand corrected.
[ link to this | view in chronology ]