Blunt Advice for IT Follows TJX Breach
Although many details are unknown, TJX’s breach reminds us once again that a lack of security can cost dearly.
- By Chris DeVoney
You can’t help but shudder when measuring the security mess at TJX. CxOs and IT security staff at companies all over the country must be thinking, "Am I next?"
TJX Companies, Inc. is the parent of discount chains including TJ Maxx, Marshalls, Homegoods, Bob’s Stores, Homesense in Canada, and TK Maxx in the UK. In January 2007, the company publicly announced a breach of their systems was discovered the previous month.
In March, the company made a fuller, but not complete, disclosure that the 17-month intrusions may have leaked an unprecedented 45.7 million customer payment cards. Still unknown is what additional information may have gone down the wire, but the encryption keys used in TJX’s payment card processing were known to be compromised.
In its defense, TJX has done many things right since discovering the breach, including quickly contacting law enforcement, of which the U.S. Secret Service requested the disclosure hold to continue their investigation. TJX has met with or informed law enforcement and regulatory agencies on both sides of the border and ocean, met with banks and processing companies, and hired IBM and General Dynamics to investigate the break-in and provide security assistance.
Even so, the tort line starts at U.S. District Court Judge William G. Young’s bench in Boston with the first consumer suit, Paula Mace v TJX, filed in January. The eye-opener came in late April when banking associations from Connecticut, Maine, and Massachusetts, plus a few other banks, joined the line with a multimillion claim for losses.
Data breach lawsuits are not new—recall the consumer suits against payment processor Creditsystems Inc. for its 2005 mess involving 40 million cards. To date, however, BJ’s Wholesale Club is the only merchant targeted by card issuers for a 2003-2004 data security breach. The BJ's suits, which the company estimates at $13 million in potential liability, are in various stages of litigation.
An Enormous Financial Toll
Although the past is not an indication of future performance, Avivah Litan, vice president and security analyst at Gartner Group, sees changes for merchants. She thinks the TJX incident "will drive major security spending as retailers realize the potentially enormous financial toll from such breaches."
Jon Oltsik, senior analyst at the Enterprise System Group, is more blunt. "In business, you always weigh your risks. You can live with risk of a company information breach, but companies with multiple systems and multiple branches handling customers just have to look at TJX. Anyone who is still not handling confidential customer information with the utmost care is really playing with fire."
In the TJX suit, one cost bankers are seeking to recoup is card replacement, listed as $15 maximum for each card. Presume only one-fifth of the cards were still valid and the average replacement cost was only $5. That’s still over $45 million, the price of a low-end Boeing 737. Take the remaining claims, including recovery of the fraudulent charges covered by the banks, other expenses, and the usual fees. Now you can supersize that 737.
Every payment card merchant is bound by the Payment Card Industry’s (PCI) Data Security Standard. The standard, which lists 12 requirements and subpoints, is located at https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm
A quick scan should reveal a few that TJX missed (here’s one hint: requirement 10, track and monitor access to cardholder data).
TJX isn’t alone. The payment card industry classifies merchants into four groups. Level one has only 300 companies, but each has over six million payment card transactions a year. Here’s the bad news: only 36 percent of those companies were PCI security certified by the end of 2006. More companies may be compliant, but only that number had completed the necessary audits. Furthermore, only 15 percent of the level-two members, companies with one to six million transactions a year, have that PCI certification.
Understandably, securing the information is difficult and costly. BJ’s has 172 locations and 22,200 employees; TJX has almost 2,500 stores and 125,000 employees. Lots of retail customers, lots of employees, lots of data.
How to Avoid Joining This Club
Litan of Gartner offers this advice to any merchant: "Implement good, sound security and don't be driven by compliance but by what makes sense for your company. Pay attention to your store systems—there are lots of attack vectors in the stores that most retailers are not thinking about."
Her top three action points: Don’t store data you don’t need, isolate credit card information from other data, and keep looking at point-of-sale (POS) systems as thieves are targeting the POS controllers.
ESG’s Oltsik also focuses on the network. "If you read between the lines, the hackers even found the network topology and encryptions keys. Those tracks should have been obvious.
"For companies, it’s understanding what your network looks like, determining and investigating anomalous behavior quickly, understanding and interpreting the resulting data, and knowing where to look for more."
Oltsik had some dramatic advice: any company whose IT group is understaffed or lacking expertise should look at outsourcing security. "Too often in the past, people looked at security as core to the company. We are beyond the point where that makes sense. Security is no different than functions like customer call centers. If it makes sense from an expertise or cost basis, get rid of it," he recommends.
PCI certification doesn’t grant immunity from legal actions and whether performed inside or outside, payment card security must be taken seriously. It means a commitment in money and time for automation, people, processes, and audits. If not, expect your company’s name to appear after the "v" at a U.S. District Court bench in the future and some stern-looking, deep-pocketed plaintiffs to be eyeing your financials near the head of the line.