Remember How TJX Was The Worst Data Breach In History? Well, It Was Actually Worse

from the stunning-incompetence dept

In the last few years, every time a massive data breach is reported, you can be assured of one thing: a few weeks after the initial report comes out, a second report will come out admitting that the breach was worse than previously expected. We saw it with Choicepoint. We saw it with the VA. It seems to always happen. In fact, with the now infamous TJX breach, we’d already mentioned that the problems were worse than originally announced — making it the largest such breach ever reported. This wasn’t surprising once you found out just how incompetent the company was — failing to comply with nearly all of the credit card companies’ security guidelines and leaving their entire system wide open to anyone who could break into a simple, insecure WEP WiFi network (something that’s quite easily done). The data from the breach (unlike the data from many other widely announced breaches) has already been used in numerous frauds, costing upwards of $60 million. With such astounding incompetence and a breach so large, should it come as any surprise that even the updated breach numbers weren’t complete? That’s right, thanks to documents being filed in the lawsuits against TJX, it’s now coming out that the breach has impacted even more people than was earlier announced. Of course, the question still remains whether or not the punishment the company receives will matter. It doesn’t seem like anything is really done to stop companies from being so careless, and there’s no indication that’s going to change in this case either.

Companies: tjx


Comments on “Remember How TJX Was The Worst Data Breach In History? Well, It Was Actually Worse”

Anonymous Coward says:

“Of course, the question still remains whether or not the punishment the company receives will matter. It doesn’t seem like anything is really done to stop companies from being so careless, and there’s no indication that’s going to change in this case either.”

What the !@#$ are you talking about?

Have you ever heard of the new Payment Card Industry (PCI) standards Visa/Mastercard et al. are enforcing? They’re pretty much forcing anyone who processes credit cards to adhere to a certain set of security standards or you pay big $$ fines.

Shamalama says:

consequences and repercussions

Losing the ability to process payment cards, or at least the major two, can cause a pretty significant financial hit to most of these companies. Although I doubt people are quick to pull out the charge card at TJX these days anyway. I say pull their ability to do in-house processing and give the process to a competent vendor or even an arm of the CC companies themselves and make offenders pay ridiculous fees. Hmm… unless they start passing that on to the consumer as a “convenience fee”. OK: Cash only, then probation with vendor, then triple-factor authentication at the point of sale with terminal on regularly audited secure/compliant network. Eh, screw that. Just implant the zero liability paypass chip in my *&%$@! and let the CC comps pay the fees (with my ridiculous interest) should some bastard scan my *&$@#!. This is why I want to see a presidential candidate come out on a ticket to change the national currency to women and beer. Not only could we then get beer from the bank but we wouldn’t have to carry around a wallet because… crap. I should go to sleep.

Michael E (user link) says:


I don’t know how much TJX will actually get fined based on the scope of the breach to end consumers. With what I’ve been reading on the matter, TJX will throw out coupons and the like to consumers affected by the breach. This is kind of amusing to me as they have also claimed that they could not have notified the end consumer since they don’t have that information… So how are they going to send out those coupons then?

From the corp perspective, damages imposed by the courts will also depend on the litigating parties. There has been evidence displayed that TJX’s security was weak and nothing substantive was done to curb the faults then, either by PCI or other member organizations. So the depth of the scope can be limited to when the PCI 1.0 standard was ratified and when TJX filed a Report of Compliance that stated they were compliant (which I fail to see given their status). If they did file and they are found to have falsified their filing, then the hammer can really be dropped on them.

The really big issue here isn’t really the security but governance. There has been evidence of IT insiders within TJX crying ‘wolf’ only to have management fail to undertake the necessary risk assessments to fully quantify the risks involved. There are no laws against poor management but there is recourse in the form of market confidence. If anything will hurt TJX it will come from the folks that hold their stock. If they started to dump their stocks then the company management will also take a severe beating, as it is likely that they also have some skin tied up in the company’s valuation.

My 0.02c.

Anonymous Coward says:

Big deal...

Forget the fines, forget being banned from Visa/Master; the only thing that will happen is that a few peons (MAYBE a manager) will get fired and have a gag order put on them (so they can’t tell what really happened), some free credit monitoring and some discount coupons will be given to customers, and then the upper management and shareholders will continue to rake in several million a year.
