by Carlo Longino



Now Maybe TJX Will Take Data Security Seriously

from the when-you-put-it-that-way dept

While personal data leaks continue to occur at a pretty regular clip, very few companies or government agencies take the problem very seriously. This is mostly because after the initial bout of bad PR, the repercussions are minimal, so few groups bother to spend the time and resources needed to put proper preventative measures in place. Perhaps, though, that will begin to change as the costs of these data leaks and breaches become more publicized. For instance, TJX, the retailer that suffered the largest breach of credit-card data ever, reported this week that its second-quarter costs related to that breach came in at more than 10 times its initial estimates, and added up to 25 cents per share in the quarter. The raw figure of $117 million still isn't that much, but it cut the company's earnings per share in half from the year-ago quarter -- and that's bound to upset the company's investors. They're likely to be even more annoyed if they look into the details of the breach: earlier reports highlighted the company's security incompetence, but a story this week made things look even worse. The breach was apparently perpetrated by using poorly secured in-store kiosks, which were on the corporate network and not behind firewalls. Attackers stuck USB keys in the kiosks and loaded software that allowed them to be controlled remotely, and used as gateways onto the network. While it certainly doesn't look like TJX was paying a lot of attention to security, a 25 cent per share loss will make investors take notice -- and that, hopefully, will force companies to take data leaks and security more seriously.

Reader Comments

  1. Chuck Norris' Enemy (deceased), Aug 16th, 2007 @ 6:44am

    They'll just write it off as a loss on their taxes...if they pay any. I am sure they will have to go through the motions of improving security. Whether or not it actually gets better will be fun to see.


  2. Overcast, Aug 16th, 2007 @ 6:45am

    Any company that doesn't take the time to ensure the security of customer financial data deserves every bit of loss they get.

    But then, is that really the problem, or is the problem trusting computers so much with finances?

    One thing can be certain - computers will never be 100% secure. If you can code in security, you can code something to get around it. It's just the nature of the computer. It only does what you tell it to do. And despite Corporate and Government's arrogance - the best programmers don't always work for them.


  3. Anonymous Coward, Aug 16th, 2007 @ 7:44am

    Simple Analysis

    We just had a meeting where we went over laptop security ..

    20 People * 0.5 hour * ~50$/person/hour = $500
    20 People * 10 minutes per day securing laptop =~ $50k/year

    1 lost unsecured laptop with sensitive data =~ $10,000,000 - $1,000,000,000

    Of course I'm talking about laptops with engineering documents, analyses, failure reports, etc., not customer financial data, but all we need to do is make consumer financial breaches cost that much to the company and they will change their practices. I'd personally like to see free credit monitoring for life with reports every time there is an update to credit history, along with 100% protection from fraud. This should be insured against the CEO's and board of directors' personal finances, or the company should be required to set up a significant fund to provide these services in case the company goes under.

    I'm allowed to hope ... right?


  4. Anonymous Coward, Aug 16th, 2007 @ 8:56am

    Yeah right...

    We all know the only "improvements" TJX did was fire a few low level peons to keep up appearances with the shareholders.


  5. Bob, Aug 16th, 2007 @ 11:56am

    Please for the love of God, tell me you're joking!

    What damn fool administrator with ANY backbone would ever agree to allow his/her network to be compromised in this manner?

    I mean, I would rather QUIT a job if they were forcing me to overlook HUGE GAPS in security like this, then be FIRED after the fact and made to look like a completely incompetent idiot!

    This is BASIC security here, anyone with ANY knowledge of networking knows, you don't put an unprotected computing device out in the public and leave it on your intranet! Man, if I didn't have these back problems, I'd be applying for a job at TJX, where apparently anyone can get a job in the IT dept!


  6. Bob, Aug 16th, 2007 @ 12:01pm

    Furthermore, criminal charges could be filed...

    In this case especially, the local authorities could file Criminal Negligence charges considering that TJX disregarded the most basics of networking security.

    Of course, I suppose our Attorney General is too busy pursuing other things at the moment, but seriously, someone should be made to stand up and take full responsibility for this fiasco!


  7. nonuser, Aug 16th, 2007 @ 5:46pm

    Re: Please for the love of God, tell me you're jok

    But before we write this off to total stupidity, another (speculated) physical attack vector described in the article was a doctored credit card reader placed on a checkout counter. That type of thing has to be worrisome to a lot of retailers.

    Fortunately, some of the downstream crooks behaved the way you'd expect of street criminals, producing multiple $400 gift cards at Wal-Mart to get around the store policy of requiring IDs for $500 cards.


  8. Gary, Aug 17th, 2007 @ 1:21pm

    dumb security

    Security is a tedious job that should be left to the professionals. It is not a guarantee, but so many people think they "get it" that they do dumb shit stuff like allowing USB access or letting public access terminals have full run on internal networks.

    Even big money companies do stupid things. A few years ago, when I was a client at Smith Barney, I used an online account. The account was secured by a username, password, and PIN. When I logged on I found they stuffed a cookie in my browser with the username and PIN in the clear! The web site described the password content so it limited the brute force range.

    The next article should be stories about smart people doing dumb things. The one I like best is how companies save thousands on computer security. They do not hire the staff and believe that unless there is an identified breach, they are safe and secure.


  9. Anonymous, Aug 21st, 2007 @ 8:09am

    I think this sounds like someone read a past issue of 2600 magazine (2600.org) and saw the article about in-store kiosks. Again, all sources were close to the investigation (sure....), and using an SEC filing, "suspicious software". WOW! The company was hacked; what can be expected? This sounds like someone is on the FUD bandwagon, from a USB management software company. This is bad enough without people jumping in and trying to make it bigger than it is, along with making a dollar.


  10. Industrial Shredders, Jan 11th, 2009 @ 10:50pm

    Identity theft has brought great tensions to the corporate world, causing many companies losses each year. Everyone is scared of their personal information being leaked out to some strangers. Not only offices but individuals at home should also purchase one for safety.


  11. Keren, Apr 28th, 2009 @ 2:19am

    I'm using this discryptor.net software. I think that it really makes my data secure.


  12. Mitch Brosin, Nov 23rd, 2009 @ 7:18am

    Now, a couple of years later, TJX has yet to pay off any significant amount of customers over their lackluster data protection efforts. But, their name has paid an ultimate price. TJX name value is below the basement and I understand that company credit card applications are at all time lows. Behold the power of a hack to shatter consumer confidence in a brand.


  13. Formax, Jan 20th, 2010 @ 7:53pm

    Many companies are setting up encrypted disk drives - whereas the raw hard drive is not readable. It is a great technology - but I'm sure someone already knows how to break it..

    Formax FD 6100


  14. formax, Jan 20th, 2010 @ 7:57pm

    Encrypted hard drives are the best defense against this.

    Formax FD 6100
