TJX Offers One-Day Sale To Make Up For Massive Data Breach

from the how-generous dept

Until earlier this week, TJX held the record for the biggest-ever data leak, for its effort to lose track of some 94 million people's credit-card info to a group of hackers. Just to recap, the company lost all the data largely through sheer incompetence: it encrypted its stores' WiFi networks with the easily broken WEP standard and had too little security in place to keep the hackers out of its central database once they'd gotten onto the network at a single store. Even more astounding, TJX transmitted credit-card info to banks without any encryption. It was the banks that were largely left holding the bag for all the fraudulent purchases made with the stolen credit-card numbers, while several of the criminals behind the breach were charged, too. What punitive action was taken against TJX? It had to pay a $41 million fine to Visa, but got off with no fine and a wrist slap from the Federal Trade Commission. But apparently the company really wanted to make things up to consumers, so it offered a one-day 15 percent off sale in its US and Canadian stores this week. Wow, so generous, especially to do it in the post-holiday, let's-clear-out-everything-we-didn't-sell-before-Christmas season. You could probably forgive TJX for thinking this would make up for everything, though, since data-leak settlements and punishments are generally toothless and do little to encourage companies to take serious steps to stop the leaks.


Reader Comments

  • Kilgore Trout, Jan 23rd, 2009 @ 2:43pm

    Wow

    Bitter much?

  • Blatant Coward, Jan 23rd, 2009 @ 2:48pm

    Re: Wow

    Uh! Yah, I could have got that totally cool size 65 Pleather microskirt for going to the con way off price! Fer suuuure!

  • Freedom, Jan 23rd, 2009 @ 2:55pm

    Wake up to the real world...

    Wake up to the real world. I would bet that more than 95% of businesses are set up in this sort of way. IT is a balancing act with limited resources. It is also an industry that literally has no standards, and the core elements change on a yearly basis. While in a perfect world every company would invest the necessary dollars, there are many that don't and won't do it. This is an especially bad example, but most companies are set up such that once you get past the front-door security, you have a lot of access.

    With that said, not encrypting the CC info is really bad. Even if the network was set up without a lot of security concerns, you'd think someone would have thought a bit on that one!

    Freedom

    • Mr. Kerry D Robertson, Jan 23rd, 2009 @ 3:04pm

      Re: Wake up to the real world...

      Agreed! Until companies realize they need to beef up their IT departments, or flat out hire network security professionals, this type of thing will continue to happen.

      Most buildings that house companies have a security system and human guards.

      As more companies and their assets are housed in cyberspace, does it not make sense to apply some of the same rules?

      Oh well. Try explaining that to a boss who thinks of a train ride when you talk to him about SSL tunneling.

    • Skeptical Cynic (profile), Jan 23rd, 2009 @ 3:37pm

      Re: Wake up to the real world...

      Although I agree with most of what you said, Visa has required all merchants since 2005 to encrypt the CC info.

      I also want to say that TJX lost a lot of business from me after they had the breach.

  • Charlie, Jan 23rd, 2009 @ 3:45pm

    50% of capital investment by US businesses is in IT. That's 1.8 trillion in 2007. I don't think this is a problem born of industry-wide underinvestment in IT.

  • Skeptical Cynic (profile), Jan 23rd, 2009 @ 4:09pm

    One comment...

    The beatings will continue until morale improves!! Until there are teeth in the consequences for data breaches, they will not change.

  • Dung Beetle, Jan 23rd, 2009 @ 4:55pm

    It rolls downhill ya know

    from the how-generous dept -> "It was the banks that were largely left holding the bag for all the fraudulent purchases made with the stolen credit-card numbers"

    I don't think so - the banks ultimately just pass the loss on to the consumer in one way or another.


  • Benjamin Wright, Jan 24th, 2009 @ 8:23am

    FTC needs to change

    The FTC treated TJX unfairly. The FTC should rethink the law of credit card security, and stop treating merchant victims of organized crime as culprits. --Ben

    • JT, Jan 24th, 2009 @ 11:01am

      Re: FTC needs to change

      Reading a bit from your article and comments... It sounds like it's OK to run your business poorly from an IT/security standpoint and claim ignorance when cornered. Your comments sound like the kid on the playground pointing their finger saying "look at all these companies, they do it too". Well guess what? They're not the ones that had it happen to them.

      Part of the problem is that people will not conform or put forth ANY effort unless they're forced to. It's too bad we have to have examples in society, but without them we have crime. It's no different with business: if there are no examples, they continue to do what's cheap rather than what they should do. Hopefully this makes other companies on their scale take a look at security and determine if they're at risk for a breach and some lofty payback if it happens.

      I'm a bit sickened by you calling them "victims". Companies do all they can to cut corners, and they need to be held accountable when they screw up, especially on a scale like this.

  • MMXG, Jan 24th, 2009 @ 11:56am

    Networks

    My home Wireless-N network is encrypted with WPA2-AES/TKIP with a long, but memorable, pass-phrase. The router also checks MAC addresses and requires wireless devices to be registered on the router before access is allowed. Router settings took about 2 minutes to set up, computers collectively about 10 minutes to get connected right.

    I have only ever worked in retail and I have never taken any post-secondary IT courses. "Sheer incompetence" is an understatement, and TJX should still get that $41-million fine.

    Also, I believe "hackers" is the wrong term; they were "crackers". Hackers have pride, they want a challenge, and usually they do it just to prove they can, not to steal information for personal gain. Not unless that gain is a monthly paycheck, that is. I'm curious to know if TJX's network was infected with that Downadup/Conficker worm, and if they have some less incompetent employees to make sure that's handled properly.

  • Retailer Joe, Jan 25th, 2009 @ 7:32pm

    Encrypting CC info

    What's scary about the encryption of CC info is that the banks we work with (I work at a retailer) _cannot_ support encryption on their links...

    The PCI standards require us to keep the data encrypted while it resides on our system (or is being sent over our network), but as soon as it goes on the link to the bank, it's wide open (note that the PIN is always encrypted, but the card number and expiration date are wide open).

    We've hit the bank a couple of times about encrypting that data flow, but they claim their systems can't handle it!

  • Nelson Cruz, Jan 27th, 2009 @ 9:20am

    Here in Portugal we have a system that issues "virtual credit cards" that expire after 1 month and have a limit set by the user. It's called mbnet (www.mbnet.pt).

    For every single online transaction we can use a different card number, which even if it falls into the wrong hands can't be of much use to them.

    Maybe someone in the US should copy this. :)

  • iNvEStMeNt CoMpLiaNcE, Jan 28th, 2009 @ 9:22am

    That mbnet sounds promising.

    As far as TJ MAXX, it's the least they could do for ruining the credit of their loyal customers.
