Depths Of TJX's Incompetence Continues To Astound

from the leave-the-front-door-open dept

The TJX credit-card data breach — the largest ever — was sort of amazing, in that it went on for a few years before it was detected and disclosed. It was established at the outset that the company didn’t comply with credit-card companies’ strict security guidelines, but a story in today’s Wall Street Journal spells out the depths of TJX’s incompetence when it came to security. Investigators believe that the hackers used directional antennas to intercept signals sent over the WiFi networks at the company’s stores, which were encrypted only with the easily cracked WEP standard, since TJX never bothered to update to WPA. You wouldn’t think that would be too much of a problem, because apart from the network being encrypted, the company had installed other layers of encryption and security, right? Wrong. Once the hackers had gained access to the TJX network through a single store, they used keyloggers to get access to the company’s central database at its headquarters, and they established their own accounts and the major theft began. Again, TJX made this easier on the crooks by transmitting credit-card data to banks without encryption. Banks continue to see claims from fraudulent activities related to the theft, and they’re left holding the bag — so it’s little wonder some of them have sued TJX in hopes of recovering damages. This illustrates one of the biggest problems when it comes to identity theft and data protection: companies responsible for leaks and losses aren’t typically the ones that have to deal with or pay for the fallout. For instance, in this case, TJX’s financial liability has thus far been limited, and any fines it will have to pay will likely be minimal, despite its ridiculously shoddy security. The company has no incentive to enact better security if it feels no repercussions from a breach, so why should it bother? These misaligned incentives exacerbate the problem, and don’t help anyone.


Comments on “Depths Of TJX's Incompetence Continues To Astound”

sam says:

you know guys…

the paranoid guys who claim that no one needs to know a damn thing about them might be on to something…

someone posited a while ago that there should potentially be 10-20 ID numbers that you can have allocated to you, each one being completely separate from the others, and that something like the NSA should be the gatekeepers to the database. (although i’m not sure i want the gov’t in charge…) the idea being that one number might be for medical issues, one for soc sec issues, one for credit issues, etc… and that some might simply be throwaways… ie if someone snatched it, you could toss it and start fresh…

this is the ugly side of being digital.. you have no assurance that any part in the chain is actually secure. and the chain is only as strong as its weakest link…

Dam says:

So Long TJX

When I heard about this recent revelation, I couldn’t believe it. One has to wonder what kind of IT chain of command there is in such a large business that an easily cracked encryption scheme like WEP would be used for mission critical tasks.

The banks are taking the brunt of this because of all the cancelled accounts and the need to reissue new cards, as well as the administrative overhead of dealing with TJX’s total stupidity.

I am not happy to see this incident play out like it has, but since it has, it will be a boon to my business – providing systems support for small businesses. All I have to do is show a client the headlines – it’ll be a slam dunk sale!

I’m not much into predictions, but I’ll go out on a limb here and predict that within eighteen months, TJX will either be in bankruptcy or be seeking Chapter 11 protection.

They really blew it. The sad thing for me is I know a couple of folks at the Framingham office. Maybe I ought to advise them to polish up their resumes.

user says:

Re: So Long TJX

If anyone should wonder why they didn’t bother with protecting customer information, it is because they are a sleazier version of Walmart. They got massive subsidies and incentives a few years ago to build their giant distribution center in my area on the basis that it would create semi-decent jobs. When it opened it turned out they were on par with or less than Walmart wages and benefits. When few were interested in working there, they started busing in illegals from other areas.

Anonymous Coward says:

Re: #5

They are actually subject to huge fines from the card associations (Visa, MC, etc.)

As someone who works in IT in a Fortune-300 retail company, it’s really stinking hard to comply with the PCI (Payment Card Industry) requirements. Here’s some reasons:

– PCI is new. Its rules didn’t exist 5 years ago.
– PCI is ever changing. There’s not a set of rules you can point at and say, “That’s PCI.” It’s all a matter of “can the people trying at the moment break it?”
– Legacy systems are brittle and change slowly.

Fred Flint says:

What About the Auditors?

No one here has asked who audits TJX and why that accounting firm isn’t being lambasted in the media and sued for failing to report such obvious, gaping security holes in several issues of TJX year-end audit reports.

Real Information Systems Audit has existed since at least 1990 and I’m not talking about accountants asking questions, I’m talking about systems people who know what they’re doing and get paid to find exactly these kinds of problems and at the very least report the problems to the public and suggest improvements to the company.

Of course, as soon as they made such a negative report, they’d probably lose a multi-million dollar, multiple-year account, so often they either ignore or cover up such problems. Since they are so-called “professionals”, they get to make up “rules” like GAAP that make them responsible for nothing at all – although that didn’t work at all with Enron.

Did the auditors find these problems and did they report them in the public, year-end audit report? If so, senior management and the Board of Directors didn’t perform much due diligence about getting things fixed, and they ought to be fired and/or sued as well. If so, shareholders who read the year-end reports and ignored them have no one but themselves to blame if they lost money on their stocks.

If the auditors didn’t find this mess over all those years, someone ought to hold them to account.

Rob Newby (user link) says:

To “Anonymous Coward” Re: #5 who posted:

“As someone who works in IT in a Fortune-300 retail company, it’s really stinking hard to comply with the PCI (Payment Card Industry) requirements. Here’s some reasons:

– PCI is new. Its rules didn’t exist 5 years ago.
– PCI is ever changing. There’s not a set of rules you can point at and say, “That’s PCI.” It’s all a matter of “can the people trying at the moment break it?”
– Legacy systems are brittle and change slowly.”

PCI doesn’t have to be hard, there are plenty of people out there to help. If it’s too hard, your systems are either too full of holes and need rebuilding, or your budget for security is set unrealistically low.

There’s free advice available here. Please drop us a line and we’ll do what we can to help you out. Sometimes it’s just a matter of trying a new tack with business management to approve budget.

PCI is not new however, it’s been around since 2001 as PCIDSS v1.0, and in its current form (v1.1) since 2004, a set of rules which you can download here, so hasn’t really changed that much. If you are being told that the goalposts are moving, get some better advice.

I will agree that legacy systems are brittle, but that’s really why you should be concerned about their security and be prepared to either fix the security or replace them. That’s just a business discussion.

A good QSA should be able to save you tons of headaches around PCI. If not, kick them out and get someone else in; there are plenty of people trying to get in on the act. You can download a list of these in your region from the VISA website.

Karen Baran says:

TJMAX incompetency

I have had two separate incidences of ID theft involving TJ Maxx. I think there should be a class action lawsuit against this company. If they’re not punished, this will continue.
My checking acct. # and driver license were stolen in one instance, and I had to cancel and replace my credit card in the other instance.
Thanks for listening, Karen
