TJX Congressional Hearing Delayed Again
October 4th, 2007
The TJX hearings in the U.S. House of Representatives have been delayed again—I’ve lost count of how often they’ve been postponed—and are now penciled in for November.
Various hot issues of the day have been pushing it back, suggesting that House leaders don’t consider the world’s worst data breach that big of a deal. But the proposed TJX settlement highlights the critical need for federal legislation to address the data breach problem.…
TJX Judge: Letting Consumers Sell Vouchers On EBay “Won’t Cut It”
October 4th, 2007
When U.S. District Court Judge William G. Young last week told lawyers that he had some serious concerns about the proposed TJX settlement, he also took issue with part of the initial proposed settlement that would allow consumers to turn the vouchers into cash by selling them.
In a courtroom exchange, TJX attorney Harvey J. Wolkoff tried to argue to the judge that eBay is an easy way for a consumer to turn the vouchers into cash.
Replied Young: “Too hard for me, Mr. Wolkoff. Too hard for me. These are consumers. People know how to cash checks. Saying ‘Go to eBay and negotiate it’ won’t cut it.” Read more.…
Judge Pushes Back On TJX Settlement
September 28th, 2007
The federal judge overseeing the consumer portion of the TJX case is concerned about the proposed settlement and wants to see TJX vouchers replaced by cash.
U.S. District Court Judge William G. Young told attorneys late Thursday that he “had a lot of questions and concerns” about the settlement, which provided for wronged consumers to be given $30 TJX vouchers, according to Thomas G. Shapiro, an attorney representing some of the consumer plaintiffs who was present in the courtroom. Read more.…
TJX Encryption, Data Retention Details Trickle Out
September 26th, 2007
TJX is still retaining customer data for far too long—18 months—and for the wrong reasons, although its current wireless efforts appear adequate, according to a report issued Tuesday by the Office of the Privacy Commissioner of Canada and the office of the Information and Privacy Commissioner of Alberta.
Even after deciding in September 2005 to move to WPA, the report said, TJX didn't complete the rollout until mid-January 2007, which was exactly when TJX announced to the world the largest retail data breach ever.
The Canadian privacy officials were not pleased with TJX's encryption efforts. "There were flaws. TJX relied on a weak encryption protocol and failed to convert to a stronger encryption standard within a reasonable period of time," the report said, adding, "While TJX took the steps to implement a higher level of encryption, there is no indication that it segregated its data so that cardholder data could be held on a secure server while it undertook its conversion to WPA."
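As an added illustration of the retention finding (example code, not TJX's and not from the commissioners' report): a sweep over constructed transaction records that picks out Luhn-valid card numbers and PCI-forbidden track-2 data, then flags any record kept past a retention window. The record format, the field names, the 90-day window and the September 25, 2007 "as of" date are assumptions; the report says only that 18 months is too long and that post-authorization track data should not be kept at all.

```python
"""Retention sweep for cardholder data: an added example, not TJX's code and
not from the privacy commissioners' report. Records, field names, the
90-day window and the as-of date are constructed assumptions for the demo."""
import re
from datetime import date, timedelta

# A primary account number is a 13-19 digit run that passes the Luhn check.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track-2 layout: PAN '=' YYMM service-code discretionary-data. PCI DSS forbids
# storing it after authorization, however old or new the record is.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d*)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates card numbers from order IDs and SKUs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(record: str) -> dict:
    """Return the Luhn-valid PANs and any track-2 strings found in one record."""
    pans = [m for m in PAN_RE.findall(record) if luhn_ok(m)]
    track2 = [m.group(0) for m in TRACK2_RE.finditer(record)
              if luhn_ok(m.group(1))]
    return {"pan": pans, "track2": track2}


# Constructed records; the PANs are published Visa/Mastercard test numbers,
# and the 13-digit order number is deliberately not Luhn-valid.
SAMPLE_RECORDS = [
    ("2006-01-15", "store=0142 reg=03 auth=OK pan=4111111111111111 amt=59.99"),
    ("2006-02-03", "store=0142 reg=01 track2=5500000000000004=09121011234567890"),
    ("2007-06-01", "store=0142 reg=02 token=ab12cd34 amt=12.00"),
    ("2007-08-20", "store=0142 reg=02 auth=OK pan=4012888888881881 amt=8.50"),
    ("2007-09-01", "store=0142 reg=02 order=1234567890123 amt=8.50"),
]


def sweep(records, as_of: str = "2007-09-25", retention_days: int = 90):
    """Flag track-2 data wherever it appears and PANs older than the window.
    Returns (stamp, kind, age_in_days) per finding. as_of is the assumed
    report date; retention_days is an assumed policy, not one from the report."""
    today = date.fromisoformat(as_of)
    cutoff = today - timedelta(days=retention_days)
    findings = []
    for stamp, text in records:
        when = date.fromisoformat(stamp)
        age = (today - when).days
        hits = classify(text)
        if hits["track2"]:
            findings.append((stamp, "track2_stored", age))
        elif hits["pan"] and when < cutoff:
            findings.append((stamp, "pan_past_retention", age))
    return findings


if __name__ == "__main__":
    for stamp, kind, age in sweep(SAMPLE_RECORDS):
        print(f"{stamp} {kind:20s} age={age}d")
```

The Luhn filter matters in practice: without it, every SKU, order number or timestamp of the right length becomes a false positive and the sweep gets ignored. Track-2 data is flagged regardless of age because the rule there is "never store", not "store for a while".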
What Was Behind The TJX Settlement?
September 24th, 2007
When TJX announced Friday night that it had worked out a settlement for all of the consumer lawsuits that had been filed against it, it provided an anticlimactic ending to much of this data breach saga.
But in many ways, this resolution—with a settlement offer that will cause TJX very little material pain—was inevitable. Despite the background of the most massive data breach in retail history, where credit card data of some 46 million consumers fell into unauthorized hands, TJX had virtually nothing to fear from the U.S. judicial system. Read more.…
TJX Settles Lawsuits, Offers Discount Days
September 22nd, 2007
With a $6.5 million check for attorney fees and limited $10/hour hassle reimbursements for customers, TJX announced a deal Friday to make all of its consumer lawsuits go away.
The details of the settlement show the $17 billion retailer's attempts to address consumer injuries. But given the huge scale of this breach, the compensation to any one consumer is likely to be minimal.
TJX has agreed to compensate consumers for any time they lost "as a result of the intrusion," but those calculations will assume a rate of $10/hour. Read more.
Read more...
TJX’s Settlement: Marketing Chutzpa At Its Best
September 22nd, 2007
Only TJX could take a lawsuit settlement from the worst retail data breach ever and try to turn it into an upsell situation.
TJX's multi-part settlement of all of the consumer lawsuits against it for its massive data breach is a fascinating denouement to the TJX saga. What makes this latest twist so delicious is that TJX has played this debacle the way a retailer should, assuming the retailer is Niccolo Machiavelli.
When admitting to a massive data breach impacting some 46 million of your customers, and when also conceding by implication that much of it was your fault given inadequate security measures, most companies would be chagrined, embarrassed and perhaps even a little bit ashamed. But not our heroes.
Read more...
TJX’s Perfect Mistake
September 15th, 2007
There are some errors that are too delicious to not share and also too wonderful to even need any sarcastic comments. (This is said by someone who believes that one should never be stingy with sarcasm.)
It seems that TJX, in an SEC filing this week, dubbed themselves “in bold capital letters at the top of the filing: The Perfect Company,” according to this Boston Globe story with one of my favorite headlines ever. (“TJX Cos. to SEC: Perfect We Are Not”)
Said TJX senior excuse maker Sherry Lang: “The leading financial services vendor who handled the filing of this form has admitted that the error occurred at its facility and they are looking into it. A corrected Form 8K will be filed shortly.”…
TJX Alleged Fence Sentenced To Five Years In Prison
September 14th, 2007
One of the Miami residents charged with trying to sell stolen TJX credit card data has been sentenced to five years in prison and ordered to pay $600,000 in restitution, the Florida state Attorney General announced Thursday.
Irving Escobar and several others were charged with using counterfeit credit cards that they manufactured using the stolen data from the TJX breach. "Authorities believe Escobar and his codefendants acquired the stolen data and used it to re-code the counterfeit credit cards which were then used to purchase the gift cards," according to a statement from the AG's office.
Read more...
A Ukrainian TJX Connection?
August 21st, 2007
U.S. postal inspectors are investigating whether there is a Ukrainian connection to the TJX data heist, according to this Boston Globe story. The 24-year-old suspect was arrested weeks ago in the Turkish resort city of Kemer, according to this Associated Press story.
It’s not news that authorities have suspected Eastern European cyber thief syndicates of being involved in the TJX incident, given its massive scope (info from more than 45 million cards taken), sophisticated methods and long (multi-year) duration. But the investigators have identified a specific Ukrainian, Maksym Yastremskiy, as having “sold card numbers through online forums hosted overseas, sometimes in Cyrillic or that were password protected. He is likely the largest seller of stolen TJX numbers.”
Prices ranged from $20 to $100 per stolen card, and the cards were sold in batches of up to 10,000, depending on factors like the credit limits of the consumer accounts being traded, the story said. …
The Meaning Of TJX’s $168 Million Data Breach Cost
August 15th, 2007
When the $17 billion retailer reported a possible pre-tax $168 million hit for its data breach, did it see it as anything more than a cost of doing business? And a minor cost at that?
With all of the numbers that TJX issued in its Tuesday earnings statement, the one that has generated the most attention was a $168 million estimated hit associated with the data breach announced in January, which saw consumer information from an estimated 46 million debit and credit cards walk out the door.
First, the optimistic side. TJX did not, in fact, say that it actually has spent—or necessarily will spend—anything more than a tiny fraction of those dollars. The overwhelmingly largest charge—a $107 million after-tax figure for the chain's second 2008 fiscal quarter—was merely a "reserve," a nest egg for what TJX fears its costs may be. Theoretically, its costs might be much lower.
Read more...
TJX Kiosk Rumors Re-Emerge
August 11th, 2007
How did the TJX breach start? Reports that the attack began using a wireless entry point have been confirmed by multiple investigators, but reports that circulated in March that the attacks began via an in-store employment kiosk have re-emerged.
Could both be true? It’s unlikely, as both entry attempts were reportedly successful, raising the question of why the second was attempted. Could TJX have actually been the victim of two simultaneous and unrelated attacks, one using wireless and the other a jobs kiosk that was not firewall-protected?
The latest kiosks reports have the terminals being opened and the bad guys using USB drives to load software. Read more.…
TJX, PCI Stats and Insider Threats: Our Security Audiocast For The Week
August 4th, 2007
We looked at the top security topics of the week on Friday, in an audiocast with Avivah Litan, Gartner’s security analyst, and Chris Hinsz, the newest member of the PCI Security Standards Council, who happens to hail from Motorola. Readers can listen to the entire 30-minute audiocast or check out just the segments that interest them most: an analysis of the latest Visa PCI statistics, with thoughts on improving the credit cards themselves and the key reasons why forbidden data is still being retained; how TJX is faring after the disclosure of the retail industry’s largest data breach; and the latest information about the insider security threat, including that the count of records stolen from Fidelity National Information Services and Certegy now stands at 8.5 million, a lot more than was originally revealed.…
TJX Stock Predictions Looking Rosy
July 30th, 2007
For those who still argue that TJX is being bloodied by its data breach problems, here’s the latest tidbit, with a major financial firm increasing its stock price target for TJX, “encouraged by the discount retailer’s strong business trends and defensive business model.”
The Credit Suisse boost came when analyst Paul Lejuez raised his price target by $3 to $35, implying an upside of around 8 percent from Friday’s $27.31 closing price, according to this Forbes.com story. “With strong current business trends, a myriad of initiatives to continue to improve productivity and reduce the expense structure, and a defensive business model, TJX is well-positioned to beat expectations and outperform the group,” Lejuez wrote in a client note.…
U.S. Congressional Hearings On TJX Delayed Again
July 12th, 2007
Is the dark cloud of multiple investigations still looming over TJX and its infamous data breach? Yes, but it’s going to have some time to breathe over the summer. While the various lawsuits and state probes continue, the threat of U.S. congressional hearings, threatened months ago, appears to be delayed until at least September, according to a congressional source who has asked that her name not be used.
Those hearings have been on the subcommittee plans for months, but have repeatedly been delayed. Although high hopes had existed for July hearings, the source said that other legislative priorities have forced “all other committee business to come to a halt.” With the August recess, that leaves September/October as the next possible timeframe. …
TJX, Polo Data Surfaces In Another Credit Card Bust
July 10th, 2007
After more than $75 million in bogus credit card charges, several Cuban nationals in Florida have been arrested with more than 200,000 credit card account numbers, many of which came from the TJX and Polo Ralph Lauren data breaches, according to U.S. Secret Service officials, commenting on Monday's announced arrests.
The numbers were sent to the Florida defendants—who specialized in manufacturing bogus credit cards complete with embossing, logos, holograms and properly encoded magnetic stripes—from a group of Eastern European residents who specialized in collecting the stolen credit card numbers, the Secret Service said.
That Eastern European group of fiduciary Fagans obtained those numbers from many different sources, but many of the numbers were traced back to two specific major retail data breaches: last year's TJX breach and a 2005 Polo Ralph Lauren breach, said a Secret Service case agent involved in the investigation and who asked that his name not be used.
Read more...
Behind-The-Scenes: Why Connecticut Legislators Backed Off Anti-TJX Bill
May 26th, 2007
Connecticut state legislators have backed off a plan–pushed by bank lobbyists and opposed by retail groups–to make retailers who are found to be at fault in data security efforts pay all bank costs, according to this fascinating Hartford Business Journal story.
Despite lobbyist arguments that TJX was merely a victim of the cyber thieves who orchestrated the data heist, Connecticut state Sen. Bob Duff wasn’t buying it. “I still blame TJX. They should be blamed, they should be sued, they should be fined,” he said.
But Duff did yield to the argument that such a bill would financially destroy small retailers and ultimately backed off. The Hartford Business Journal story gives us a great–and rare–peek behind the scenes at one state’s legislative maneuverings.…
Nine-Month TJX Loss From Data Breach Could Hit $29 Million, TJX Says
May 15th, 2007
TJX reported Tuesday that, in the three months leading up to April 28, it spent another $12 million dealing with the data breach the company announced in January. That's on top of $5 million TJX said it spent in the immediately previous three months to deal with the breach.
These figures, while not trivial, are dramatically below some industry projections of billion-plus-dollar losses. Customer loyalty—and apathy—is proving to be the key difference. Read more...
TJX Intruders Sought Any Wireless Port In A Storm
May 6th, 2007
Throughout the five-month public history of the TJX data breach fallout, the industry has repeatedly tried to simplify it, to label one cause as the explanation, whether it was incompetent IT execution, an inside job, an open wireless port or some other clean explanation. But the TJX situation is complex, complicated and defies a simple explanation, just as its intruders were a lot more sophisticated, creative, relentless, daring and professional than anyone in the industry wants to believe.
A 5-second glance at the latest details has led many people to dismiss this as another wireless problem. The truth is that TJX offered intruders a generous smorgasbord of security holes, enabling the intruders to plant a trojan horse, steal an encryption key, sidestep less-than-diligently-monitored traffic logs and be able to grab credit card data before it was to be encrypted. So let's not paint TJX as security Eagle Scouts who happened to let their guards down on wireless.
Read more...
Wall Street Journal: TJX Attack Was Wireless
May 4th, 2007
The Wall Street Journal is reporting that the TJX break-in started in July 2005 with a wireless hack of a Marshalls in St. Paul, Minn., where the thieves “pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers [POS presumably] and the store’s computers. That helped them hack into the central database of Marshalls’ parent, TJX, to repeatedly purloin information about customers.”
The news that the attack was wireless is not unexpected, as wireless attacks have become a very popular means of attacking retail chains and because hints that the TJX attacks were wirelessly based have been frequent. But the level of specifics in the Journal story is surprising. Read more.…
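Why an antenna and a laptop were enough: the weak protocol the Canadian privacy commissioners faulted was WEP, the pre-WPA standard (assumed here from the widely reported findings; the excerpts above say only "weak encryption protocol"). WEP keys RC4 with a 24-bit per-frame IV that is sent in the clear, so any two frames under the same IV share a keystream. The following is an added example, not code from the Journal story or from TJX; the key, IV and frame contents are constructed. It shows that with one guessable plaintext (a price-check reply, say) an eavesdropper decrypts the other frame without ever learning the key, and gives the birthday estimate of how soon an IV repeats on a busy network.

```python
"""WEP keystream reuse: an added example, not from the Journal story or TJX.
Key, IV and frame contents are constructed for the demo; the 16-digit number
is the published Visa test PAN, not a real card."""
import math


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || plaintext XOR RC4(IV || key). The CRC-32 ICV that real WEP
    appends is omitted; it does not change the keystream-reuse argument."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor(plaintext, rc4(iv + shared_key, len(plaintext)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: strip the cleartext IV and rerun the keystream."""
    iv, body = frame[:3], frame[3:]
    return xor(body, rc4(iv + shared_key, len(body)))


def recover_from_known_plaintext(frame_known: bytes, known_pt: bytes,
                                 frame_target: bytes) -> bytes:
    """Eavesdropper with no key: given one frame whose plaintext is known and a
    second frame with the same IV, decrypt as much of the second as the known
    plaintext covers. C1 xor P1 gives the keystream; C2 xor keystream gives P2."""
    if frame_known[:3] != frame_target[:3]:
        raise ValueError("different IVs: keystreams are unrelated")
    keystream = xor(frame_known[3:], known_pt)
    return xor(frame_target[3:], keystream)


def expected_frames_to_iv_collision(iv_bits: int = 24) -> float:
    """Birthday-bound estimate of frames sent before some IV repeats (~5,100
    for 24 bits, i.e. minutes of register and handheld traffic)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def iv_collision_demo() -> dict:
    """Two frames, one reused IV: the store's guessable reply decrypts the
    register's card data. Everything here is constructed."""
    key = bytes.fromhex("0face13b72")                 # constructed 40-bit key
    iv = b"\x4a\x00\x17"                              # constructed IV, reused
    p1 = b"PRICE CHECK SKU 4471023 OK 19.99"          # guessable handheld reply
    p2 = b"TRACK2 4111111111111111=0912101 A"         # register frame, test PAN
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    return {
        "p1": p1, "p2": p2, "c1": c1, "c2": c2,
        "xor_leak": xor(c1[3:], c2[3:]),              # equals p1 xor p2
        "recovered": recover_from_known_plaintext(c1, p1, c2),
    }


if __name__ == "__main__":
    d = iv_collision_demo()
    print("recovered without the key:", d["recovered"])
    print("frames until an IV is expected to repeat: %.0f"
          % expected_frames_to_iv_collision())
```

Recovery stops where the known plaintext stops, which is why attackers prefer long, predictable frames (ARP, DHCP, fixed-format price lookups) as the known half. WPA's per-packet keys and TKIP/CCMP nonces remove the shared keystream that this relies on, which is what the Canadian report meant by converting to a stronger standard.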
Congress Turning Up The Heat On TJX
April 26th, 2007
The U.S. House of Representatives has decided to turn up the heat on TJX, with plans now confirmed to hold a hearing on the TJX data breach in May.
Details are sketchy, with witness lists and an exact date within May still being finalized, but the House subcommittee on Commerce, Trade and Consumer Protection has decided to indeed explore the circumstances surrounding the info theft. The class-action civil lawsuits against TJX are looking to go to trial in about a year (May 8, 2008), with the discovery process about six months away. Will the Congressional testimony offer any nuggets of gold for plaintiff counsel? About 100 lawyers certainly hope so.…
Bank Group Sues TJX For “Negligent Misrepresentation”
April 25th, 2007
In another in a lengthy line of lawsuits against TJX involving the massive data breach that it announced in January, the Massachusetts Bankers Association (MBA) sued the retail chain on Tuesday for "negligent misrepresentation" because it had said that it had been "safeguarding and disposing of cardholder data," a statement the bankers group said was false at the time it was made.
(The Register in the U.K. also covered this story. I mention that only to sadly say that they can get away with headlines that I can't. Their head: "TJX finds self at bottom of 300-bank pig pile.") MBA CEO Daniel Forte said his association hopes to make this a much broader issue than one retailer and one very large data breach. "If we're successful against TJX, the nation's major retailers will finally wake up to the fact that not protecting consumer data is an unfair trade practice and that investment in data management systems to protect consumers and shield consumers against fraud and identity theft is required," Forte said.
Read more...
For An Encryption Vendor, Bragging That You’ve Landed The TJX Account May Not Be Wise
April 12th, 2007
Security publicity is always a delicate animal. There are many reasons for that, but the biggest is that retailers don’t want to advertise the exact firewall or encryption package they are using, for fear of giving cyber thieves clues about how to break in.
But for Ingrian Networks, which already had the distinction of its encryption software having been purchased by data breach bad boy CardSystems, when TJX ponied up for its encryption package, the company couldn’t resist announcing it prominently on its Web site.
Then the breach happened and the TJX reference magically and quietly disappeared. Ingrian officials are quick to point out that TJX had yet to install their software at the time of its infamous breaches.…