Now Maybe TJX Will Take Data Security Seriously

from the when-you-put-it-that-way dept

While personal data leaks continue to occur at a pretty regular clip, very few companies or government agencies take the problem very seriously. This is mostly because after the initial bout of bad PR, the repercussions are minimal, so few groups bother to spend the time and resources needed to put proper preventative measures in place. Perhaps, though, that will begin to change as the costs of these data leaks and breaches become more publicized. For instance, TJX, the retailer that suffered the largest breach of credit-card data ever, reported this week that its second-quarter costs related to that breach came in at more than 10 times its initial estimates, and added up to 25 cents per share in the quarter. The raw figure of $117 million still isn’t that much, but it cut the company’s earnings per share in half from the year-ago quarter — and that’s bound to upset the company’s investors. They’re likely to be even more annoyed if they look into the details of the breach: earlier reports highlighted the company’s security incompetence, but a story this week made things look even worse. The breach was apparently perpetrated by using poorly secured in-store kiosks, which were on the corporate network and not behind firewalls. Attackers stuck USB keys in the kiosks and loaded software that allowed them to be controlled remotely, and used as gateways onto the network. While it certainly doesn’t look like TJX was paying a lot of attention to security, a 25 cent per share loss will make investors take notice — and that, hopefully, will force companies to take data leaks and security more seriously.

Filed Under: ,
Companies: tjx

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Now Maybe TJX Will Take Data Security Seriously”

Subscribe: RSS Leave a comment
Overcast says:

Any company that doesn’t take the time to insure security of customer financial data deserves everybit of loss they get.

But then, is that really the problem, or is the problem trusting computers so much with finances?

One thing can be certain – computers will never be 100% secure. If you can code in security, you can code something to get around it. It’s just the nature of the computer. It only does what you tell it to do. And despite Corporate and Government’s arrogance – the best programmers don’t always work for them.

Anonymous Coward says:

Simple Analysis

We just had a meeting where we went over laptop security ..

20 People * 0.5 hour * ~50$/person/hour = $500
20 People * 10 minutes per day securing laptop =~ $50k/year

1 lost unsecured laptop with sensitive data =~ $10,000,000 – $1,000,000,000

Of course I’m talking about laptops with engineering documents, analyses, failure reports, ect. not costumer financial data, but all we need to do is make consumer financial breaches cost that much to the company and they will change their practices. I’d personally like to see free credit monitoring for life with reports every time there is an update to credit history along with 100% protection from fraud. This should be insured against the CEO and board of directors personal finances or the company should be required to set up a significant fund to provide these services in case the company goes under.

I’m allowed to hope … right?

Bob (user link) says:

Please for the love of God, tell me you're joking!

What damn fool administrator with ANY backbone would ever agree to allow his/her network to be compromised in this manner?

I mean, I would rather QUIT a job if they were forcing me to overlook HUGE GAPS in security like this, then be FIRED after the fact and made to look like a completely incompetent idiot!

This is BASIC security here, anyone with ANY knowledge of networking knows, you don’t put an unprotected computing device out in the public and leave it on your intranet! Man, if I didn’t have these back problems, I’d be applying for a job at TJX, where apparently anyone can get a job in the IT dept!

nonuser says:

Re: Please for the love of God, tell me you're jok


But before we write this off to total stupidity, another (speculated) physical attack vector described in the article was a doctored credit card reader placed on a checkout counter. That type thing has to be worrisome to a lot of retailers.

Fortunately, some of the downstream crooks behaved the way you’d expect of street criminals, producing multiple $400 gift cards at Wal-Mart to get around the store policy of requiring IDs for $500 cards.

Bob (user link) says:

Furthermore, criminal charges could be filed...

In this case especially, the local authorities could file Criminal Negligence charges considering that TJX disregarded the most basics of networking security.

Of course, I suppose our Attorney General is too busy pursuing other things at the moment, but seriously, someone should be made to stand up and take full responsibility for this fiasco!

Gary says:

dumb security

Security is a tedious job that should be left to the professionals. It is not a guarantee, but so many people think they “get it” that they do dumb shit stuff like allowing USB access or letting public access terminals have full run on internal networks.

Even big money companies do stupid things. A few years ago, when I was a client at Smith Barney, I used an online account. The account was secured by a username, password, and PIN. When I logged on I found they stuffed a cookie in my browser with the username and PIN in the clear! The web site described the password content so it limited the brute force range.

The next article should be stories about smart people doing dumb things. The one I like best is how companies save thousands on computer security. They do not hire the staff and believe that unless there is an identified breach, they are safe and secure.

Anonymous Coward says:


Think this sounds like someone read a past issue 2600 magazine (, and saw the article about in store Kiosks. Again all sources were close to the investigation(sure….), and using a SEC Filing, “suspicious software” WOW! the company was hacked, what can be expected. This sounds like someone is on the FUD bandwagon, from a USB management software company. This is bad enough without people jumping and trying to make it bigger than it is along with making a dollar.

Mitch Brosin (profile) says:

Now, a couple of years later, TJX has yet to pay off any significant amount of customers over their lackluster data protection efforts. But, their name has paid an ultimate price. TJX name value is below the basement and I understand that company credit card applications are at all time lows. Behold the power of a hack to shatter consumer confidence in a brand.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...