TJX Offers One-Day Sale To Make Up For Massive Data Breach

from the how-generous dept

Fri, Jan 23rd 2009 1:51pm — Carlo Longino

Until earlier this week, TJX held the record for the biggest-ever data leak, for its effort to lose track of some 94 million people's credit card info to a group of hackers. Just to recap, the company lost all the data largely through sheer incompetence, by encrypting its stores' WiFi networks with the easily broken WEP standard, and not having enough security in place to keep the hackers out of its central database after they'd gotten on the network at a single store. Even more astounding was the fact that TJX transmitted credit-card info to banks without any encryption. It was the banks that were largely left holding the bag for all the fraudulent purchases made with the stolen credit-card numbers, while several of the criminals behind the breach were charged, too. What punitive action was taken against TJX? It had to pay a $41 million fine to Visa, but got off with no fine and a wrist slap from the Federal Trade Commission. But apparently the company really wanted to make things up to consumers, so it offered a one-day 15 percent off sale in its US and Canadian stores this week. Wow, so generous, especially to do it in the post-holiday, lets-clear-out-everything-we-didn't-sell-before-Christmas season. You could probably forgive TJX for thinking this would make up for everything, though, since data-leak settlements and punishments are generally toothless and do little to encourage companies to take serious steps to stop the leaks.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: breach, sale, security
Companies: tjx

17 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Kilgore Trout, 23 Jan 2009 @ 2:43pm

Wow
Bitter much?
[ link to this | view in chronology ]
Blatant Coward, 23 Jan 2009 @ 2:48pm

RE: Wow
Uh! Yah, I could have got that totally cool size 65 Pleather microskirt for going to the con way off price! Fer suuuure!
[ link to this | view in chronology ]
Freedom, 23 Jan 2009 @ 2:55pm

Wake up to the real world...
Wake up to the real world. I would bet that more than 95% of businesses are setup in this sort of way. IT is a balancing act with limited resources. It is also an industry that literally has no standards and the core elements change on a yearly basis. Why in a perfect world every company would invest the necessary dollars, there are many that don't and won't do it. This is an especially bad example, but most companies are setup such that once you get past the front door security, you have a lot of access.

With that said, not-encrypting the CC info is really bad. Even if the network was setup without a lot of security concerns, you'd think someone would have thought a bit on that one!

Freedom
[ link to this | view in chronology ]
- Mr. Kerry D Robertson, 23 Jan 2009 @ 3:04pm
  
  Re: Wake up to the real world...
  Agreed! Until companies realize they need to beef up their IT departments, or flat out hire network security professionals, this type of thing will continue to happen.
  
  Most buildings that house companies have a security system and human guards.
  
  As more of companies and their assets are housed in cyberspace, does it not make sense to apply some of the same rules?
  
  Oh well. Try explaining that to a boss who thinks of a train ride when you talk to him about SSL tunneling.
  [ link to this | view in chronology ]
- Skeptical Cynic (profile), 23 Jan 2009 @ 3:37pm
  
  Re: Wake up to the real world...
  Although I agree with most of what you said it was required of all merchants since 2005 that the CC info be encrypted by Visa.
  
  I also want to say that TJX lost a lot of business from me after they had the breach.
  [ link to this | view in chronology ]
  - Skeptical Cynic (profile), 23 Jan 2009 @ 3:42pm
    
    Re: Re: Wake up to the real world...
    Ok there was a limit that you had to have so much in annual charges before the requirements
    [ link to this | view in chronology ]
Charlie, 23 Jan 2009 @ 3:45pm

50% of capitol investment by US businesses is in IT. That's 1.8 trillion in 2007. I don't think this is a problem born of industry wide underinvestment in IT.
[ link to this | view in chronology ]
- Skeptical Cynic (profile), 23 Jan 2009 @ 3:52pm
  
  Re:
  True, too true. I work in IT.
  [ link to this | view in chronology ]
Skeptical Cynic (profile), 23 Jan 2009 @ 4:09pm

One comment...
the beatings will continue until morale improves!! Until there is teeth in consequences for data breaches they will not change.
[ link to this | view in chronology ]
Dung Beetle, 23 Jan 2009 @ 4:55pm

It rolls downhill ya know
from the how-generous dept -> "It was the banks that were largely left holding the bag for all the fraudulent purchases made with the stolen credit-card numbers"

I dont think so - the banks ultimately just pass the loss on to the consumer in one way or another.
[ link to this | view in chronology ]
mac, 24 Jan 2009 @ 4:33am

mac
I dont think so - the banks ultimately just pass the loss on to the consumer in one way or another.MKV to RM converter
[ link to this | view in chronology ]
Benjamin Wright, 24 Jan 2009 @ 8:23am

FTC needs to change
The FTC treated TJX unfairly. The FTC should rethink the law of credit card security, and stop treating merchant victims of organized crime as culprits. --Ben
[ link to this | view in chronology ]
- JT, 24 Jan 2009 @ 11:01am
  
  Re: FTC needs to change
  Reading a bit from your article and comments... It sound like it's OK to run your business poorly from an IT/security standpoint and claim ignorance when cornered. Your comments sound like the kid on the playground pointing their finger saying "look at all these companies, they do it too". Well guess what? They're not the ones that had it happen to them.
  
  Part of the problem is that people will not conform or put forth ANY effort unless they're forced to. It's too bad we have to have examples in society but without them we have crime. It's no different with business, if there's not examples, they continue to do what's cheap rather than what they should do. Hopefully this makes other companies on their scale to take a look at security and determine if they're at risk for a breach and some lofty payback if it happens.
  
  I'm a bit sickened by you calling them "victims". Companies do all they can to cut corners and they need to be held accountable when they screw up, especially on a scale like this.
  [ link to this | view in chronology ]
MMXG, 24 Jan 2009 @ 11:56am

Networks
My home Wireless-N network is encrypted with WPA2-AES/TKIP with a long, but memorable, pass-phrase. Router also checks MAC Addresses and requires wireless devices to be registered on the router before access is allowed. Router settings took about 2 minutes to set up, computers collectively about 10 minutes to get connected right.

I have only ever worked in Retail and I have never taken any post-secondary IT courses. "Sheer incompetence" is an understatement, and TJX should still get that $41-million fine.

Also, I believe "hackers" is the wrong term, they were "crackers". Hackers have pride, they want a challenge, and usually they do it just to prove they can, not to steal information for personal gain. Not unless that gain is a monthly paycheck that is. I'm curious to know if TJX' network was infected with that Downadup/Confliker worm, and if they have some less incompetent employees to make sure that's handled properly.
[ link to this | view in chronology ]
Retailer Joe, 25 Jan 2009 @ 7:32pm

Encrypting CC info
What scary about the encryption of CC info is that the banks we work with (I work at a retailer) _cannot_ support encryption on their links...

The PCI standards require us to keep the data encrypted while it resides on our system (or is being sent over our network), but as soon as it goes on the link to the bank, it's wide open (note that the PIN is always encrypted, but the card number and expiration date are wide open).

We've hit the bank a couple of times about encrypting that data flow, but they claim their systems can't handle it!
[ link to this | view in chronology ]
Nelson Cruz, 27 Jan 2009 @ 9:20am

Here in Portugal we have a system that issues "virtual credit cards" that expire after 1 month and have a limit set by the user. Its called mbnet (www.mbnet.pt).

For every single online transaction we can use a different card number, that even if it falls in the wrong hands, can't be of much use to them.

Maybe someone in the US should copy this. :)
[ link to this | view in chronology ]
iNvEStMeNt CoMpLiaNcE, 28 Jan 2009 @ 9:22am

that mbnet sounds promising.

As far as TJ MAXX, its the least they could do for ruining the credit of their loyal customers
[ link to this | view in chronology ]