RealTime IT News

How TJX Became a Lesson In Proper Security

The TJX security breach is threatening to rank as one of the most expensive lessons in corporate data security policies.

With the retailer facing anywhere from $500 million to nearly $1 billion in expenses, not to mention a black eye with the public over how their credit card data is secured, this experience should serve as a lesson to other retail outlets on securing their networks. How well they are learning is the question.

The latest chapter in this still-unfinished book is a settlement between TJX Companies and Visa U.S.A. Under the agreement, TJX will pay a maximum of $40.9 million to fund an alternative recovery payments program for customers affected by the breach. TJX has already taken the charge for the settlement, and by settling with Visa holders, staves of potential lawsuits.

Additionally, Visa will suspend and rescind a portion of the data breach fines it levied on TJX's U.S. acquirer that remain eligible for appeal. Visa and TJX agreed to the suspended and rescinded fines in part because it would increase the funds available in the alternative recovery program.

Not that the company is in the clear. According to a report from Merchant Link, which provides secure systems for retail outlets, the breach has cost the company more than $130 million to secure its infrastructure, there have been 19 lawsuits filed and there are investigations underway by the Federal Trade Commission and 37 state Attorneys General.

All this seems to have driven the message home to retailers, including TJX itself. "TJX accelerated their security program and implemented the improvements needed to become PCI (Payment Card Industry)-compliant, including upgrading their wireless security and eliminating the storage of sensitive authentication data. In fact there is some discussion about TJX becoming a 'spokescompany' for PCI security," said Avivah Litan, senior security analyst for Gartner.

Perhaps, but TJX was not keen on discussing its new security plans in detail, as it did not respond to repeated requests for an interview. TJX is the parent company of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S., as well as Winners and HomeSense in Canada. Revenue for its most recent fiscal year ended January 2007 was $17.4 billion. For so large a company, though, the breach started small, with crackers hacking into wireless networks at two U.S. stores.

The stores were using the relatively weak Wired Equivalent Privacy (WEP) protocol instead of the stronger Wi-Fi Protected Access (WAP) protocol, but what really hurt is that the intruders were able to access the TJX internal systems and move around freely for almost two years. The breaches occurred from mid-2005 and ran through December 2006. It is estimated 47.5 million records were stolen.

That was TJX's bigger problem, letting the intruders roam freely for 18 months. Dr. Anton Chuvakin, a security expert with LogLogic, said TJX didn't have decent traffic logs. "What took TJX months was looking at all their systems and determining who took what data, from where, where it was sent, etc. The investigation took them months. They likely didn't have any logs, because they had to do system forensics rather than log analysis to arrive at their conclusions about who stole the data and how. If they had collected and analyzed log data centrally, the investigation would have been a piece of cake," he said in an e-mailed comment to InternetNews.com.

Brian Cleary, vice president of marketing for the enterprise access governance firm Aveksa, concurred. "They didn't have good access controls, they were not auditing access on a regular basis and not checking log files and access. It was really poor security governance," he said.

TJX's second mistake was storing vital credit card information, such as the data hidden in the card's magnetic strip, on local machines. This is particularly frustrating to banks, according to Litan, because it allows counterfeiters to make perfect duplicate cards.

Merchant Link's report specifically recommends to all clients that they eliminate the storage of sensitive personal data wherever possible by using secure third party services to keep the point of sale clean, and "certainly" do not store the data collected from a credit card's magnetic stripe.

Litan said TJX was certainly at fault for storing the magnetic stripe information but she also think banks have a bigger role to play in the design of the payment systems. "They rolled [payment systems] out before there were cybertheives and no one thought about security," she said. "The payment system architecture is legacy, outdated. They could update the arch and make them more secure or just require a PIN on every transaction. Instead, they'd rather keep it as business as usual and keep collecting revenue streams."

She explained that banks make more money on standard credit card transactions instead of PIN-based transactions, such as with a debit card. PINs are always encrypted and never stored when used, and would eliminate a majority of the potential problems because without a PIN, a card is useless.

John Livingston, chairman and CEO of asset management firm Absolute, concurred that companies need to smarten up about business in the Internet era. "As we adopt new technologies, there's a whole set of new procedures, policies and practices that need to take place," he told InternetNews.com. "The companies that are doing these transactions need to be educated. But there are solutions to all these things. It's not impossible to transmit secure data, it just takes dollars and a commitment from the company to make it happen."

Absolute recommends a layered approach of technologies and policies. "You want to identify and control all the sensitive data. You need to make sure it's stored in a secure facility, you need to put the policy and procedure in place to make sure it's safe," said Livingstone.

Litan said some companies have not learned the lesson of TJX's experience and have been reluctant to make significant investments in such security measures because they see no return on investment. "It's a calculated risk, I guess. They just don't want to spend time on boring security projects. There's no ROI in security, it's basically cost avoidance," she said.

But Cleary said some firms got the message. "The ones that value their brand and are a bit more forward thinking are willing to do what it takes," he said. "When you look at cost containment, you wouldn't make decisions on your home insurance that way. Why you would risk the business to that degree makes no sense and is not in the shareholder's best interests."

He added "I think there were a lot of pages of publications [covering the story] that were ripped out and handed to CIOs and Chief Security Officers and asked 'This won't happen to us, right?' This has elevated the concerns about having good security governance in place all the way to the board level."