TJX Offers One-Day Sale To Make Up For Massive Data Breach
from the how-generous dept
Until earlier this week, TJX held the record for the biggest-ever data leak, for its effort to lose track of some 94 million people's credit card info to a group of hackers. Just to recap, the company lost all the data largely through sheer incompetence, by encrypting its stores' WiFi networks with the easily broken WEP standard, and by not having enough security in place to keep the hackers out of its central database after they'd gotten onto the network at a single store. Even more astounding was the fact that TJX transmitted credit-card info to banks without any encryption. It was the banks that were largely left holding the bag for all the fraudulent purchases made with the stolen credit-card numbers, while several of the criminals behind the breach were charged, too. What punitive action was taken against TJX? It had to pay a $41 million fine to Visa, but got off with no fine and a wrist slap from the Federal Trade Commission. But apparently the company really wanted to make things up to consumers, so it offered a one-day 15 percent off sale in its US and Canadian stores this week. Wow, so generous, especially to do it in the post-holiday, let's-clear-out-everything-we-didn't-sell-before-Christmas season. You could probably forgive TJX for thinking this would make up for everything, though, since data-leak settlements and punishments are generally toothless and do little to encourage companies to take serious steps to stop the leaks.
Reader Comments
Wow
RE: Wow
Wake up to the real world...
With that said, not encrypting the CC info is really bad. Even if the network was set up without a lot of security concerns, you'd think someone would have thought a bit on that one!
Freedom
Re: Wake up to the real world...
Most buildings that house companies have a security system and human guards.
As more of companies and their assets are housed in cyberspace, does it not make sense to apply some of the same rules?
Oh well. Try explaining that to a boss who thinks of a train ride when you talk to him about SSL tunneling.
Re: Wake up to the real world...
I also want to say that TJX lost a lot of business from me after they had the breach.
Re: Re: Wake up to the real world...
Re:
One comment...
It rolls downhill ya know
I don't think so - the banks ultimately just pass the loss on to the consumer in one way or another.
mac
FTC needs to change
Re: FTC needs to change
Part of the problem is that people will not conform or put forth ANY effort unless they're forced to. It's too bad we have to have examples in society, but without them we have crime. It's no different with business: if there are no examples, they continue to do what's cheap rather than what they should do. Hopefully this makes other companies on their scale take a look at security and determine if they're at risk for a breach and some lofty payback if it happens.
I'm a bit sickened by you calling them "victims". Companies do all they can to cut corners and they need to be held accountable when they screw up, especially on a scale like this.
Networks
I have only ever worked in retail and I have never taken any post-secondary IT courses. "Sheer incompetence" is an understatement, and TJX should still get that $41 million fine.
Also, I believe "hackers" is the wrong term; they were "crackers". Hackers have pride, they want a challenge, and usually they do it just to prove they can, not to steal information for personal gain. Not unless that gain is a monthly paycheck, that is. I'm curious to know if TJX's network was infected with that Downadup/Conficker worm, and if they have some less incompetent employees to make sure that's handled properly.
Encrypting CC info
The PCI standards require us to keep the data encrypted while it resides on our system (or is being sent over our network), but as soon as it goes on the link to the bank, it's wide open (note that the PIN is always encrypted, but the card number and expiration date are wide open).
We've hit the bank a couple of times about encrypting that data flow, but they claim their systems can't handle it!
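The comment above describes the exposure concretely: the PIN block is encrypted, but the card number and expiry date cross the link to the bank in the clear. A defender's first question is usually "where in our own traffic and logs do unmasked card numbers actually appear?" The Python below is an added example (not code from Techdirt or from any of the commenters) of the kind of check a merchant's security team would run over a captured payload or a log file: it finds candidate 13-19 digit runs, keeps only those that pass the Luhn check that real card numbers satisfy, and masks them to the first six and last four digits. The message layout and the card numbers are constructed for the example (they are standard test numbers, not real accounts); the `PINBLOCK` values are placeholder hex.

```python
import re

# Constructed sample of a cleartext merchant-to-bank message, modelled on the
# comment above: PAN and expiry in the clear, PIN block already encrypted.
# Field names and layout are invented for this example; the card numbers are
# publicly known test numbers, and the PINBLOCK hex is a placeholder.
SAMPLE_PAYLOAD = (
    "MTI=0200|PAN=4111111111111111|EXP=0912|PINBLOCK=8F3A1C22|AMT=004500|"
    "PAN=5500000000000004|EXP=1011|PINBLOCK=C1D2E3F4|AMT=001299|"
    "REF=1234567812345678|"  # 16-digit reference number that is NOT a card number
)

# A run of 13-19 digits, optionally separated by spaces or dashes, that is not
# glued to further digits on either side (so a 20-digit serial is not split up).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit number found in `text`, in order."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual masking rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every cleartext PAN in `text` with its masked form."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)       # leave non-card digit runs untouched
    return CANDIDATE_RE.sub(_sub, text)


if __name__ == "__main__":
    pans = find_cleartext_pans(SAMPLE_PAYLOAD)
    print("cleartext PANs seen on the wire:", [mask_pan(p) for p in pans])
    print("redacted payload:", redact(SAMPLE_PAYLOAD))
```

The Luhn filter is what keeps the scanner useful: the 16-digit `REF` field in the sample fails mod-10 and is ignored, while both test card numbers are reported. Luhn is a checksum, not a proof, so a small number of non-card values will still pass it; for a production control the hit list is the input to a review, and the redaction step is what you would apply before such captures or logs are stored or shared.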
For every single online transaction we can use a different card number that, even if it falls into the wrong hands, can't be of much use to them.
Maybe someone in the US should copy this. :)
As far as TJ MAXX goes, it's the least they could do for ruining the credit of their loyal customers.