The Wagons Are Circling For TJX

Written by Evan Schuman
February 1st, 2007

An occasional well-publicized data breach for a large company is a terrible thing for that chain, but it just might be a good thing for the industry.

When TJX Companies Inc., the $16 billion global retail chain that owns T.J. Maxx and Marshall’s, among many other brands, disclosed this week that it had “suffered an unauthorized intrusion into its computer systems” in December, it seemed to be forthcoming.

After all, the chain issued what appeared to be a detailed statement about the incident. Detailed or not, it was certainly longer than the typical “we’ve been penetrated” statement.

The statement said the company had retained the services of both General Dynamics and IBM to both help investigate and to upgrade security systems to ostensibly prevent another similar intrusion.

But a closer reading of the statement raises quite a few questions, none of which the company has tried to answer.

To be fair, criminal security breaches are among the most sensitive and tricky things to discuss publicly. How specific does one dare get before revealing too much? The culprit is still out there and concealing how much is known about the crime can often help catch the bad guy.

That said, the “we don’t want to help the bad guy” rationale is quite convenient when there might be questions about whether the retailer was sufficiently careful about protecting data and systems.

Let’s start with the timing. If the chain was so concerned about quickly alerting potentially at-risk customers, why did it wait until Jan. 17 to reveal an intrusion that it said happened a full month earlier? (“Mid-December 2006” is how the statement described it.) I would like to avoid thinking that an immediate announcement might have hurt those crucial holiday sales.

Company officials have said the delay was due to both law enforcement requests and “business issues.” Asking law enforcement whether information should be released is like asking an in-house lawyer whether a particular course is safe from lawsuits. Law enforcement always wants people to say as little as possible about a crime. As for the business concerns, it’s not clear what those could be other than the holiday sales issue already mentioned.

How safe were its systems? The carefully worded statement said, “With the help of leading computer security experts, TJX has significantly strengthened the security of its computer systems. While no computer security can completely guarantee the safety of data, these experts have confirmed that the containment plan adopted by TJX is appropriate to prevent future intrusions and to protect the safety of credit card, debit card and other customer transactions in its stores.”

That sounds great, but why didn’t this $16 billion retailer with more than 2,300 stores (which The Wall Street Journal said might have exposed more than 40 million cards in this incident) already have a security package that was “appropriate to prevent future intrusions and to protect the safety of credit card, debit card and other customer transactions in its stores”? Were its systems adequate last month and now they’re overkill? Or are they adequate now and were insufficient last month?

There are also the PCI implications, courtesy of Visa, Mastercard and other card players. What exactly was captured? The chain said the “intrusion involves the portion of TJX’s computer network that handles credit card, debit card, check, and merchandise return transactions” and that also impacted was “store information related to customer transactions,” including driver’s license information.

Does that include card application data, with everything from household income to prior addresses and name of employer? Getting back to PCI, does it include CVC numbers, which are technically not allowed to be stored? How much of the data was encrypted?

A banking group this week specifically accused TJX of having kept data improperly, but it’s not clear what proof the group has for its claims. That said, the TJX statement certainly opens the door to such concerns.

Another question might be a wording issue. “TJX has specifically identified some customer information that has been stolen from its systems,” said the statement. The colloquial interpretation of the term could mean the typical intrusion effort, where the byte-bandit bypasses security and then copies files and leaves. Technically, some security experts say, the phrase “stolen from its systems” should refer to a malicious and destructive act, such as when an intruder copies files and then deletes them or materially changes them.

Were the files actually stolen, such that they no longer exist within the TJX system? Even if that had been the case (which seems unlikely), hopefully backups would be sufficiently removed to not be impacted.

The geographies mentioned in the statement also are interesting. Quoting again from the statement: This incident impacted “customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada, and may involve customers of its T.K. Maxx stores in the U.K. and Ireland. The intrusion could also extend to TJX’s Bob’s Stores in the U.S.” The data from all of those geographies were stored in one place? That would be unusual, said Mark Rasch, a former federal prosecutor specializing in technology crimes. Rasch wondered whether the breach instead impacted a third-party card processor that all of the TJX units shared.

As CardSystems learned when it was victimized by an intrusion, protecting future customers is important, but what will ultimately save, or destroy, a company’s credibility and trustworthiness is how it handled its systems right before the attack.

If IT execs can’t get the funding for proper security, they need to point to retailers who get hurt and then suddenly have the public spotlight shone on how well they protected their customer data. I absolutely hope the facts ultimately show that TJX was an ideal corporate citizen and that it had done everything reasonable to protect itself.

For the industry, however, it’s sometimes not a bad thing for a company to get beaten up for less-than-ideal procedures. If nothing else, it gives a reason for margin-fearing execs to cough up the cash, just in case.
