March 29, 2007 at 8:59 PM ET
As details continue to emerge about the massive data hack at TJX, this much has become clear: Hackers had the run of the place for quite some time while company officials tripped over each other trying to secure customers' personal information. The image of the “Keystone Cops” comes to mind.
Before you chuckle, know that TJX -- the parent company of T.J. Maxx, Marshall’s and other stores in North America and the United Kingdom -- is hardly alone. A soon-to-be-released survey shows that fully 61 percent of company techs don't think the sensitive information in the control of their firms is safe from hackers.
TJX’s SEC filing on Thursday created as many questions as it answered, but it does offer telling glimpses of how things worked inside the company.
Some files were encrypted, some weren't. Some transmissions were encrypted, some weren't. Worst of all, the encryption didn't really work, the firm admits, because "the intruder had access to the decryption tool for the encryption software." That probably occurred because the tool was stored on the same computer as the encrypted file -- a common flaw, according to Gartner security researcher Avivah Litan.
Then there's this: Company officials deleted files after they were stolen, meaning the company doesn't really know how much data was taken. The files were not deleted in response to the crime, mind you, just as part of normal business operations.
For example, hackers managed to steal data from transactions that occurred between November 2003 and April 2004. Since the intrusions occurred from 2005-2006, that means the company kept the data hanging around for about two years. But those files were subsequently deleted, so there's no way to know exactly how many consumers had their data compromised.
That's ironic. Had the company just deleted the data in the first place, there'd be no hacking.
TJX deserves harsh criticism for keeping data hanging around its servers so long, particularly data such as driver’s licenses produced by 455,000 consumers who sought refunds from the company. Consumers don't expect companies to hoard their credit card numbers, driver's licenses and other data infinitely.
Perhaps the only thing worse than keeping the data for years is deleting the data after it’s been stolen, making a mess out of forensics efforts. What chaos! All this means we still don't really know what was taken and may never know. We also have no idea who stole the data, but we know this much. "They hit the jackpot," says Litan.
One theory: Wireless hacking
She has a theory about how the data was stolen. She believes hackers managed to penetrate TJX’s computers through an exposed wireless network used to run retail operations. Hackers outside a store managed to break into the "controller" computer that manages the store's cash registers.
From there, criminals were able to connect to computers all around TJX's global network, simply by guessing their Internet addresses. "Once you get into a controller, you can get into headquarters," she said.
TJX said it had no additional details about how the hack occurred. But privacy consultant Larry Ponemon said Litan’s scenario is certainly a possibility; he's consulted with other retailers who had exposed wireless networks.
Meanwhile, the notion that hacking such critical data is easy is pervasive among security professionals. Ponemon is about to publish survey results that indicate 61 percent of computer security workers say their companies are not safe from hackers. The study also offers a clue as to why.
CEOs, techies disagree
Half of all executives told Ponemon that compliance with computer security regulations, such as Visa’s Payment Card Industry standards, is a critical priority for their companies. But only 10 percent of the hands-on tech workers agree. In other words, while CEOs say they take security seriously, the techies know the truth. And the truth is, your data is there for the taking.
"That's quite a gap," Ponemon said. "The average person who does … (security) day and day out knows that if you are smart enough you can hack your way into sensitive data." Why is that? "When faced with something that generates revenue, or spending on security, companies always go with the revenue generation," Ponemon said. "No one wants to spend money on security."
TJX may find it has to spend the money anyway. Until recently, companies that leaked data got off lightly because the cost of resulting credit card fraud was often borne by banks and other merchants.
Not any more. Visa USA now has a policy called Account Data Compromise Recovery that allows merchants and banks to seek compensation from the data leaker. In addition to fraud recovery, the plan allows banks to recover $1 per stolen card as reimbursement for operational costs.
If the pool of leaked cards obtained from TJX ends up at more than 45 million, as the company has stated, that would be a pretty big bill -- and a pot of money that could have funded a pretty sizable computer security effort.