Remember How TJX Was The Worst Data Breach In History? Well, It Was Actually Worse
from the stunning-incompetence dept
In the last few years, every time a massive data breach is reported, you can be assured of one thing: a few weeks after the initial report comes out, a second report will come out admitting that the breach was worse than previously expected. We saw it with Choicepoint. We saw it with the VA. It seems to always happen. In fact, with the now infamous TJX breach, we'd already mentioned that the problems were worse than originally announced -- making it the largest such breach ever reported. This wasn't surprising once you found out just how incompetent the company was -- failing to comply with nearly all of the credit card company's security guidelines and leaving their entire system wide open to anyone who could hack a simple insecure WEP WiFi system (something that's quite easily done). The data from the breach (unlike many other widely announced breaches) has already been used in numerous frauds, costing upwards of $60 million. With such astounding incompetence and a breach so large, should it come as any surprise that even the updated breach numbers weren't complete? That's right, thanks to documents being filed in the lawsuits against TJX, it's now coming out that the breach has impacted even more people than was earlier announced. Of course, the question still remains whether or not the punishment the company receives will matter. It doesn't seem like anything is really done to stop companies from being so careless, and there's no indication that's going to change in this case either.
Reader Comments
Re:
Heh. No reason to delete... thanks for pointing out the mistake. It's now been fixed.
What the !@#$ are you talking about?
Have you ever heard of the new Payment Card Industry (PCI) standards Visa/Mastercard et al. are enforcing? They're pretty much forcing anyone who processes credit cards to adhere to a certain set of security standards or you pay big $$ fines.
Re:
Hm, I didn't see fines like that discussed in the PCI standards...
Re:
They can't/won't enforce their existing standards.
What makes you think they'll enforce their "new" standards?
And the Visa/MC penalties? What a joke.
After the largest databreach ever, was TJX banned from Visa/MC?
Nope.
Re: Re:
After the largest databreach ever, was TJX banned from Visa/MC?
Nope.
No, Visa/MC just ban companies that follow the law of their country that the RIAA don't like. I.e. allofmp3.com....
Re: Re: Re:
consequences and repercussions
Consequences
From the corp perspective, damages imposed by the courts will also depend on the litigating parties. There has been evidence displayed that TJX's security was weak and nothing substantive was done to curb the faults then, either by PCI or other member organizations. So the depth of the scope can be limited to when the PCI 1.0 standard was ratified and when TJX filed a Report of Compliance that stated they were compliant (which I fail to see given their status). If they did file and they are found to have falsified their filing, then the hammer can really be dropped on them.
The really big issue here isn't really the security but governance. There has been evidence of IT insiders within TJX crying 'wolf' only to have management fail to undertake the necessary risk assessments to fully quantify the risks involved. There are no laws against poor management but there is recourse in the form of market confidence. If anything will hurt TJX it will come from the folks that hold their stock. If they start to dump their stock then the company management will also take a severe beating, as it is likely that they also have some skin tied up in the company's valuation.
My 0.02c.
Umm...
Does that mean we have WEP WiFi with self-esteem issues? Or perhaps that it should be UNsecure?
Re: Umm...
Sad to say, I probably have a more secure network at home.
Big deal...
TJX Message
http://www.tjx.com/tjx_message.html
freak3dot
Who committed the biggest crime?