By Jaikumar Vijayan
January 17, 2008
One year ago today, The TJX Companies Inc. disclosed what has turned out
to be the largest information security breach involving credit and debit
card data -- thus far, at least.
The data compromise at the Framingham, Mass.-based retailer began in
mid-2005, with system intrusions at two Marshalls stores in Miami via
poorly protected wireless LANs. The intruders who broke into TJX's
payment systems remained undetected for 18 months, during which time
they downloaded a total of 80GB of cardholder data.
TJX eventually said that 45.6 million card numbers belonging to
customers in multiple countries were stolen from its systems. Even that
number may be far too low: a group of banks that is suing the retailer
claimed in an October court filing that information about 94 million
cards was exposed during the serial intrusions.
The sheer size of the data theft puts TJX in a league of its own among
companies hit by such incidents, and the breach has made it something of
a poster child for sloppy data security practices among retailers. In
addition, the breach highlighted several familiar issues and some
Here, on the one-year anniversary of the breach becoming known, are five
takeways for security managers:
Breach disclosures don't always affect revenue or stock prices ...
Despite being the biggest, costliest and perhaps most written-about
breach ever, customer and investor confidence in TJX has remained
largely unshaken. TJX's stock was worth about $30 when the breach was
disclosed, and its closing price today was just over $29. Meanwhile, the
retailer said this month that in the 48-week period that ended Jan. 5,
its consolidated comparable-store sales increased 4% from the
Clearly, TJX's customers weren't as concerned about the breach as many
observers had expected they would be. Much of that no doubt has to do
with the fact that consumers realize they themselves won't have to pay
for any fraud that might result from payment card compromises, said
Avivah Litan, an analyst at Gartner Inc.
... but they can be costly
TJX has said that in the 12 months since the breach was disclosed, it
has spent or set aside about $250 million in breach-related costs. That
includes the costs associated with fixing the security flaws that led to
the breach, as well as dealing with all of the claims, lawsuits and
fines that followed the breach.
For instance, settlements reached by TJX include offers of free
credit-monitoring services for three years to consumers whose driver's
license numbers were exposed in the breach, plus cash reimbursements,
vouchers and a promised three-day customer appreciation event this year,
during which the company plans to offer 15% discounts on all goods.
"I think a lot of companies are seeing how costly these breaches can
get," said Forrester Research Inc. analyst Khalid Kark. As a result,
there's a lot more awareness in the executive suite about the need for
security controls, Kark said. He previously estimated that the breach at
TJX could end up costing the company $1 billion over the next few years.
PCI remains a work in progress
The breach brought to light the fact that many retailers, including
top-tier ones like TJX, had not yet fully implemented the set of
security controls mandated by the major credit card companies under the
Payment Card Industry Data Security Standard, or PCI. The rules took
effect in June 2005 and required merchants, especially ones such as TJX
that process a high volume of card transactions annually, to implement
12 broad security controls for protecting customer data.
But court documents filed by the banks that are suing TJX allege that
the company wasn't compliant with nine of the mandated controls during
the period when the intrusions were taking place. And TJX was by no
means alone. In response to the slow adoption of the PCI controls, Visa
Inc. threatened to start imposing hefty fines and higher transaction
fees on merchants if they didn't become compliant by the end of last
Visa won't disclose whether it has fined any merchants since then, but
there is ample anecdotal evidence that it has.
The card payment process has issues
The TJX breach exposed a fundamental rift, with banks and credit card
companies on one side and merchants on the other. In several states,
credit unions and smaller banks have lobbied the legislatures to pass
new laws requiring retailers to reimburse them for the costs involved in
notifying customers of breaches and reissuing cards.
But the lobbying attempts failed everywhere except in Minnesota, which
last May approved the Plastic Card Security Act -- a law that holds
breached entities financially responsible if they were storing
prohibited card data on their systems.
In fighting the state bills, retailers have argued that the commissions
they pay to card companies on each transaction are supposed to cover
fraud-related costs, making any additional payments a double penalty.
They also said that the only reason they store payment card data is
because they're required to by the credit card companies. In October,
the National Retail Federation asked Visa and the other card companies
to drop that requirement.
The NRF's request is echoed by Litan, who long has argued for
fundamental changes in the card industry's payment process, via the
introduction of measures such as one-time passwords and all PIN-based
The bad guys remain hard to catch
For all the attention paid to the breach by TJX, its hired forensics
experts and law enforcement authorities, the perpetrators thus far
haven't been tracked down. Some individuals who allegedly used card
numbers stolen in the breach have been arrested. But the hackers
themselves have remained frustratingly out of reach, as is the case in
"The crooks are still at it," Litan said. "They probably will strike
again. They're laughing all the way to the bank."
Subscribe to InfoSec News