
SEC document offers clues on TJX security failings

By Bill Brenner, Senior News Writer
29 Mar 2007 | SearchSecurity.com

Security experts aren't surprised that at least 45.7 million credit and debit cards were stolen in the TJX Companies Inc. data breach. Look at how the retail giant handled its customer data and it won't be hard to see how the bad guys made off with so much treasure, they say.

"The mistakes were many, but it started with a lack of security governance that was probably the result of the company being so big," Larry Ponemon, founder and chairman of the Elk Rapids, Mich.-based Ponemon Institute, said after reviewing details of a regulatory document the Framingham, Mass.-based retailer filed with the Securities and Exchange Commission (SEC) Wednesday.

In the document, TJX acknowledged that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. The company also disclosed that another 455,000 customers who returned merchandise without receipts were robbed of their driver's license numbers and other personal information.

Some experts say this represents the biggest data breach in history. By comparison, 26.5 million veterans and active duty personnel were affected by the theft of a Department of Veterans Affairs laptop and external hard drive last year. And in 2005, credit card transaction processor CardSystems Solutions Inc. acknowledged that hackers had stolen 263,000 customer credit card numbers and exposed 40 million more to fraud.

Ponemon said TJX was very disorganized when it came to understanding where it did and didn't have data protection in place and where its biggest security risks were. The company stumbled further in its handling of the aftermath.

"They didn't have the right people and processes in place, and it appears they sat on the information too long," he said. "They probably had an obligation to report this breach sooner to the banks that had to reissue credit cards and so on. The communication between TJX, the banks and others was not coordinated very well. This is costly for the small banks to deal with, and they need more advance notice of a breach so they can deal with it on their end."

Ponemon added that TJX appeared to lack the right mix of security technology, and that vulnerability assessments would have been helpful.

Deepak Taneja, CEO of Waltham, Mass.-based security compliance management firm Aveksa, said that if one reviews the details of TJX's SEC filing, it becomes clear that the scope of the breach is due to several years of poor security controls.

"You have to think of security as a combination of technology, people and the right business processes," he said. "The full extent of the breach is still unknown but it seems a lot of mistakes were made with unencrypted data and information being stored after it was no longer needed. There were multiple problems. It wasn't any single mistake."

Cliff Pollan is CEO of Acton, Mass.-based Lumigent Technologies Inc., which sells database auditing tools. He said TJX also lacked the ability to monitor its network and detect sinister activity sooner.

"It looks like someone added software to the network that was routinely accessing the database and transferring information," he said. "You need to be able to know when that type of thing is happening. You need to be able to monitor network activity and act on a timely basis."

Large companies that don't want to follow TJX as the next poster child of insecurity need to keep the following things in mind, the experts said:

  • Security programs must be layered with the right mix of technology and people and policies.

  • Enterprises must keep tabs on the level of access people have to the network inside and outside the company and be able to monitor user activity.

  • Companies need to have a firm grasp on what kind of data is traveling through the network and ensure that it's encrypted at every access point.
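Pollan's point about software that was "routinely accessing the database and transferring information", and the advice above on monitoring user activity, come down to looking at database audit records for clients you don't recognize, result sets far larger than a point-of-sale workload needs, and access that recurs on a schedule. The following script is an added illustration of those three checks; it is not code from TJX, the article or any of the quoted vendors. The audit record format, the sample log lines, the client inventory and the thresholds are all constructed for this example.

```python
"""Flag unexpected reads of a cardholder-data table in database audit records.

Added example, not the article's or any vendor's code. The log format,
sample records, known-client inventory and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real logs), one per line:
#   <ISO timestamp> <db user> <client ip> <statement> <table> <rows affected>
SAMPLE_AUDIT_LOG = """\
2007-01-10T09:00:05 pos_app 10.20.1.15 SELECT card_txn 1
2007-01-10T09:00:09 pos_app 10.20.1.16 SELECT card_txn 1
2007-01-10T09:00:12 pos_app 10.20.1.15 INSERT card_txn 1
2007-01-10T23:10:00 pos_app 10.20.7.99 SELECT card_txn 250000
2007-01-10T23:10:03 rpt_user 10.20.3.40 SELECT daily_sales 4200
2007-01-11T23:10:01 pos_app 10.20.7.99 SELECT card_txn 248000
2007-01-11T23:15:00 pos_app 10.20.7.99 SELECT card_txn 3000
2007-01-12T23:10:02 pos_app 10.20.7.99 SELECT card_txn 251000
"""

KNOWN_CLIENTS = {"10.20.1.15", "10.20.1.16", "10.20.3.40"}  # assumed asset inventory
SENSITIVE_TABLES = {"card_txn"}                              # assumed cardholder table
BULK_ROWS_PER_HOUR = 10_000                                   # assumed threshold
WINDOW = timedelta(hours=1)


def parse_audit_log(text):
    """Turn the whitespace-separated records into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, stmt, table, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host,
                       "stmt": stmt, "table": table, "rows": int(rows)})
    return events


def sensitive_reads(events):
    """SELECTs against sensitive tables, oldest first."""
    return sorted((e for e in events if e["stmt"] == "SELECT" and e["table"] in SENSITIVE_TABLES),
                  key=lambda e: e["ts"])


def find_unknown_clients(events):
    """Hosts outside the inventory that touch a sensitive table at all."""
    return sorted({e["host"] for e in events
                   if e["table"] in SENSITIVE_TABLES and e["host"] not in KNOWN_CLIENTS})


def find_bulk_reads(events):
    """Per (user, host): one alert for each sliding one-hour window in which
    rows read from sensitive tables exceed BULK_ROWS_PER_HOUR."""
    by_principal = defaultdict(list)
    for e in sensitive_reads(events):
        by_principal[(e["user"], e["host"])].append(e)
    alerts = []
    for (user, host), evs in by_principal.items():
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e["rows"]
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:  # drop events older than the window
                total -= evs[start]["rows"]
                start += 1
            if total > BULK_ROWS_PER_HOUR:
                alerts.append((user, host, evs[start]["ts"], total))
                start, total = end + 1, 0  # one alert per burst, then restart the window
    return alerts


def find_periodic_access(events, bucket=timedelta(minutes=15), min_days=3):
    """(user, host, time-of-day, day count) for principals that read a sensitive
    table in the same time-of-day bucket on at least min_days distinct days."""
    days = defaultdict(set)
    for e in sensitive_reads(events):
        midnight = e["ts"].replace(hour=0, minute=0, second=0, microsecond=0)
        idx = (e["ts"] - midnight) // bucket
        days[(e["user"], e["host"], idx)].add(e["ts"].date())
    return sorted((u, h, idx * bucket, len(d)) for (u, h, idx), d in days.items() if len(d) >= min_days)


def report(text=SAMPLE_AUDIT_LOG):
    events = parse_audit_log(text)
    return {"unknown_clients": find_unknown_clients(events),
            "bulk_reads": find_bulk_reads(events),
            "periodic_access": find_periodic_access(events)}


if __name__ == "__main__":
    for name, hits in report().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

On the constructed sample, all three checks converge on the same principal: `pos_app` from `10.20.7.99`, a host not in the inventory, pulling roughly a quarter of a million rows from `card_txn` at 23:10 on three consecutive nights, while legitimate point-of-sale clients read one row at a time. Each check alone is noisy (a reporting job is periodic and bulky by design), which is why the allow-list of known clients matters as much as the volume threshold.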
