TJX security breach aftermath: a case study in what to do wrong
Retailer needs to disclose more information before it is forced to.
Last week I wrote about what retailer TJX had done wrong leading up to its recent widely reported security lapse. This week’s column is about what TJX has done wrong since the lapse was discovered.
In spite of full-page ads in the Boston Globe and Boston Herald in the last two days, the extent of the security lapse is still not known because TJX has steadfastly refused to provide any concrete information. The lack of information provides fertile ground for speculation — for example, published reports last week that as many as 30% of all New Englanders may have been impacted. On Jan. 26, TJX announced it had hired John Gilbert, formerly with Dunkin’ Donuts, as chief marketing officer. Maybe he is smart enough to understand that stonewalling is the worst possible reaction to a problem. Everything will come out in the end, and in this case it may come out with the president of TJX testifying on national TV in front of Congress. It is far better to provide more information than is being requested so it does not look like you are covering up.
Maybe TJX feels it cannot do this because it is covering up. Originally TJX maintained that it delayed making a public announcement at the request of law enforcement only to later admit the delay was in part a “business decision” and now, in the ads, the company says it was “in the best interest of our customers.” Yeah — the best interest of customers was to keep them in the dark until they finished their Christmas shopping. In the end, TJX only admitted to a problem after the first Wall Street Journal report.
TJX has still not said how many cards were exposed, yet some information must exist because banks are quite busy contacting their customers and replacing cards (including my wife’s). At the very least, TJX could tell its customers — the folks whose trust it has to retain in order to stay in business — what TJX told the banks. Delaying will increase rather than decrease the pain when the numbers do come out.
Unlike most organizations that have had similar, although far smaller, breaches, TJX has not said it would protect customers by buying credit watch services for them. I expect the company will have to do so at some point but because it is delaying so long, it’s clear that protecting customers has not been a concern for TJX and it will only do so when forced.
TJX has not admitted that it was not compliant with the PCI security standards nor has the company committed to becoming compliant in the new ads. Visa’s security requirements say that merchants the scale of TJX had to be compliant with the security standards by Sept. 30, 2004. If Visa had any courage it would give TJX a short fixed period of time to become compliant (say, 30 days from the breach discovery) or be stopped from accepting Visa cards.
The PCI standard requires merchants to “limit storage amount and retention time [of cardholder data] to that which is required for business, legal, and/or regulatory purposes.” TJX has not said it has or will destroy the data retained in excess of this standard.
In short, TJX has said squat of any consequence. It will continue to be raked over the coals for that. It would have been so easy to do what Johnson & Johnson did after the 1982 Tylenol deaths — get in front of the issue and stay there. But TJX decided to hide its head in the sand instead — a very poor decision, but a good case study in what not to do.
Disclaimer: I can only guess whether the Harvard Business School will develop a case study about TJX or what one would say, so the above review must be mine.
Bradner is a consultant with Harvard University's University Information Systems.
Podcast - 12 Years Later: How the TJX Hack Changed Security and Compliance
In this episode of Defrag This, we’re taking a look back at one of the most monumental events in hacker history—the 2007 hack of TJX companies, which was, at the time, the biggest breach of consumer data in the history of the United States.
To help us explore the TJX hack, break down what happened, and explore what the hack meant for security and compliance culture in the US, we were lucky enough to enlist the help of Mike Drasher, Senior Integrations Engineer here at Ipswitch, and former Infrastructure Engineer at TJX. Back in 2007, Mike was actually the first person to notice the suspicious application on TJX’s network that led to the discovery of the attack.
Now, if you’re thinking “why haven’t I heard of this?” I don’t blame you. Twelve years is a long time by any measure, but it’s ancient history in terms of cybersecurity history. So here’s a quick breakdown of the attack.
The Biggest Hack in US History
First discovered in 2007, this breach of TJX Corporations, the Boston-based parent company of TJ Maxx, Marshalls, and Boston Market was, at the time, the biggest breach of consumer data in the history of the United States, with up to 94 million records breached.
Though the hack wasn’t discovered until 2007, hackers had first gained access to the TJX network in 2005 through a WiFi connection at a retail store, and were eventually able to install a sniffer program that could recognize and capture sensitive cardholder data as it was transmitted over the company's networks unencrypted. The hackers used that program to exfiltrate millions of credit and debit card numbers over an 18-month period, until finally being discovered in January of 2007.
The Hackers
The TJX hackers were a group of 10 individuals, based all over the world, led by Albert Gonzalez, who was working as an informant for the Secret Service at the time of the crime. Gonzalez had previously been indicted for his role in the ShadowCrew cybercrime forum, but the charges were dropped after he cooperated with investigators and provided information on his co-conspirators. Obviously, that wasn’t enough to convince Gonzalez to stop his illicit activities, and the hacker even wrote on a hacking forum that his goal was to earn $15M, buy a yacht and retire. Gonzalez went on to be involved in several other hacks, including the TJX attack, the hack of Dave & Buster's, and the Heartland Payment Systems attack.
Gonzalez would eventually be arrested on charges stemming from the Dave & Buster's hack. He was later sentenced to 20 years in federal prison for his part in the TJX attack, as well as the hack of Dave & Buster's and the Heartland Payment Systems hack. That sentence is still the lengthiest ever imposed for hacking or identity theft.
Compliance Implications
At the time of the hack, PCI DSS, the Payment Card Industry Data Security Standard, was a brand new thing, having just been implemented in June of 2005, and companies were still coming to terms with the regulation, and struggling to figure out compliance. For those of you keeping up with GDPR, that may sound pretty familiar. While TJX firmly denies that it was at all negligent in allowing the attack to happen, the company was accused of being non-compliant with 9 of the 12 principles of PCI DSS in court.
TJX eventually paid $9.7 million to 41 states in a settlement, and the hack prompted credit bureaus to seek legislation requiring retailers to be responsible for the compromised customer information saved in their systems. There was no new legislation in the US, but security became a much more prominent part of corporate culture in the wake of the TJX and Heartland Payment Systems hacks. Now, over 10 years later, we’re finally starting to see legislation gain steam across the globe, with the adoption of the GDPR, and the consideration of other data protection bills in Brazil, the UK, and states across the US.
Jeff Edwards
Jeff Edwards is a tech writer and analyst with three years of experience covering Information Security and IT. Jeff has written on all things cybersecurity, from APTs to zero-days, and previously worked as a reporter covering Boston City Hall.
T.J. Maxx theft believed largest hack ever
A hacker or hackers stole data from at least 45.7 million credit and debit cards of shoppers at off-price retailers including T.J. Maxx and Marshalls in a case believed to be the largest such breach of consumer information.
For the first time since disclosing the theft more than two months ago, the parent company of nearly 2,500 discount stores put a number on how much card data was compromised — and it’s a number TJX Cos. acknowledges could go still higher.
Experts say TJX’s disclosures in a regulatory filing late Wednesday revealed security holes that persist at many firms entrusted with consumer data: failure to promptly delete data on customer transactions, and to guard secrets about how such data is protected through encryption.
“It’s not clear when information was deleted, it’s not clear who had access to what, and it’s not clear whether the data kept in all these files was encrypted, so it’s very hard to know how big this was,” said Deepak Taneja, chief executive of Aveksa, a Waltham, Mass.-based firm that advises companies on information security.
The case has led banks to reissue cards to customers as a precaution against further fraud beyond cases detected as far away as Sweden and Hong Kong, according to the Massachusetts Bankers Association, which is tracking fraud reports linked to Framingham, Mass.-based TJX, parent company of stores across North America and the United Kingdom.
The only arrests believed tied to the case involve a gift card scam in which 10 people are suspected of buying data from the TJX hackers to purchase Wal-Mart gift cards in northern Florida. The group — who aren’t believed to have committed the TJX hack — then used the cards to buy $1 million worth of electronics and jewelry at Wal-Mart’s Sam’s Club stores, according to Gainesville, Fla., police.
Information from 45.7 million cards was stolen from transactions beginning in January 2003 and ending Nov. 23 of that year, TJX said in the filing with the Securities and Exchange Commission after business hours Wednesday. TJX did not estimate the number of cards from which information was stolen for transactions occurring from Nov. 24, 2003, to June 28, 2004.
TJX said about three-quarters of the 45.7 million cards had either expired at the time of the theft, or the stolen information didn’t include security code data from the cards’ magnetic stripes. Starting in September 2003, TJX began masking the codes by storing them in computers as asterisks rather than numbers, the company said.
The filing also said another 455,000 customers who returned merchandise without receipts had their data stolen, including driver’s license numbers.
With at least 46 million consumer records accessed, the TJX case outranks the previous largest case tracked by the Privacy Rights Clearinghouse: a June 2005 disclosure by credit card processor CardSystems that hackers accessed accounts of 40 million card holders.
Clearinghouse director Beth Givens said her San Diego-based consumer advocacy organization’s list includes data breaches disclosed after a 2003 California law required companies to notify consumers.
The TJX case “will probably serve as a case study for computer security and business students for years to come,” Givens said. “This one could be considered a worst-case scenario.” One reason for that, she said, is because of TJX’s disclosure Wednesday that it believes the hacker or hackers “had access to the decryption tool for the encryption software utilized by TJX.”
TJX also said the hacker or hackers used technology last year that could have enabled them to steal card data during the approval process, when data is transmitted to the card issuer without encryption.
TJX also remains uncertain of the theft’s size because it deleted much of the transaction data in the normal course of business between the time of the breach and the time TJX detected it.
“There is a lot of information we don’t know, and may never be able to know, which is why this investigation has been so laborious,” TJX spokeswoman Sherry Lang said.
TJX says its computer systems were first breached in July 2005 by a hacker or hackers who accessed information from transactions dating to January 2003. TJX didn’t find out about the breach until last Dec. 18, when it learned of “suspicious software on our computer systems.”
The company then hired outside investigators and notified federal authorities before issuing a Jan. 17 news release. TJX says the monthlong delay in disclosing the breach allowed it to work with security experts to contain the problem.
TJX said in the filing that “substantially all stolen data” from transactions in the period Nov. 24, 2003, to June 28, 2004, were deleted. Lang said the company was investigating why information stolen earlier in 2003 wasn’t routinely deleted.
Deleting such information after transactions “should be standard practice” to guard against theft, said Taneja, the security expert, but many firms nevertheless don’t follow through. TJX’s filing says the company “does not know who took this action, and whether there were one or more intruders involved.”
How far scams like the one in Florida may have spread because of the TJX breach is unknown. “It’s been all over the world,” said Bruce Spitzer, spokesman for the Massachusetts Bankers Association. “It’s the downstream transactions we’ve been hearing about,” involving thieves who buy stolen data from others, often hackers in other countries.
On Jan. 24, 60 of the 205 banks in the state association reported they had been contacted by credit card companies about cards that had been compromised. The next time the association conducts such a survey, Spitzer expects “it will be near 100 percent” based on recent reports from member banks.
A spokesman for the American Bankers Association said the group had not been tracking such data.
TJX faces an investigation by the Federal Trade Commission, which could fine the company, and lawsuits accusing the firm of failing to safeguard private data.
TJX is the parent company of stores including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright in the U.S., Winners and HomeSense in Canada and T.K. Maxx in Britain.
One year later: Five takeaways from the TJX breach
The retailer has survived the massive data theft, but the card industry remains unsettled.
One year ago today, The TJX Companies Inc. disclosed what has turned out to be the largest information security breach involving credit and debit card data — thus far, at least.
The data compromise at the Framingham, Mass.-based retailer began in mid-2005, with system intrusions at two Marshalls stores in Miami via poorly protected wireless LANs. The intruders who broke into TJX’s payment systems remained undetected for 18 months, during which time they downloaded a total of 80GB of cardholder data.
TJX eventually said that 45.6 million card numbers belonging to customers in multiple countries were stolen from its systems. Even that number may be far too low: A group of banks that is suing the retailer claimed in an October court filing that information about 94 million cards was exposed during the serial intrusions.
The sheer size of the data theft puts TJX in a league of its own among companies hit by such incidents, and the breach has made it something of a poster child for sloppy data security practices among retailers. In addition, the breach highlighted several familiar issues and some not-so-familiar ones.
Here, on the one-year anniversary of the breach becoming known, are five takeaways for security managers:
Breach disclosures don’t always affect revenue or stock prices …
Despite being the biggest, costliest and perhaps most written-about breach ever, customer and investor confidence in TJX has remained largely unshaken. TJX’s stock was worth about $30 per share when the breach was disclosed, and its closing price today was just over $29. Meanwhile, the retailer said this month that in the 48-week period that ended Jan. 5, its consolidated comparable-store sales increased 4% from the year-earlier level.
Clearly, TJX’s customers weren’t as concerned about the breach as many observers had expected they would be. Much of that no doubt has to do with the fact that consumers realize they themselves won’t have to pay for any fraud that might result from payment card compromises, said Avivah Litan, an analyst at Gartner Inc.
… but they can be costly
TJX has said that in the 12 months since the breach was disclosed, it has spent or set aside about $250 million in breach-related costs. That includes the costs associated with fixing the security flaws that led to the breach, as well as dealing with all of the claims, lawsuits and fines that followed the breach.
For instance, settlements reached by TJX include offers of free credit-monitoring services for three years to consumers whose driver’s license numbers were exposed in the breach, plus cash reimbursements, vouchers and a promised three-day customer appreciation event this year, during which the company plans to offer 15% discounts on all goods.
“I think a lot of companies are seeing how costly these breaches can get,” said Forrester Research Inc. analyst Khalid Kark. As a result, there’s a lot more awareness in the executive suite about the need for security controls, Kark said. He previously estimated that the breach at TJX could end up costing the company $1 billion over the next few years.
PCI remains a work in progress
The breach brought to light the fact that many retailers, including top-tier ones like TJX, had not yet fully implemented the set of security controls mandated by the major credit card companies under the Payment Card Industry Data Security Standard, or PCI. The rules took effect in June 2005, and required merchants — especially ones such as TJX that process a high volume of card transactions annually — to implement 12 broad security controls for protecting customer data.
But court documents filed by the banks that are suing TJX allege that the company wasn’t compliant with nine of the mandated controls during the period when the intrusions were taking place. And TJX was by no means alone. In response to the slow adoption of the PCI controls, Visa Inc. threatened to start imposing hefty fines and higher transaction fees on merchants if they didn’t become compliant by the end of last September.
Visa won’t disclose whether it has fined any merchants since then, but there is ample anecdotal evidence that it has.
The card payment process has issues
The TJX breach exposed a fundamental rift, with banks and credit card companies on one side and merchants on the other. In several states, credit unions and smaller banks have lobbied the legislatures to pass new laws requiring retailers to reimburse them for the costs involved in notifying customers of breaches and reissuing cards.
But the lobbying attempts failed everywhere except in Minnesota, which last May approved the Plastic Card Security Act — a law that holds breached entities financially responsible if they were storing prohibited card data on their systems.
In fighting the state bills, retailers have argued that the commissions they pay to card companies on each transaction are supposed to cover fraud-related costs, making any additional payments a double penalty. They also said that the only reason they store payment card data is because they’re required to by the credit card companies. In October, the National Retail Federation (NRF) asked Visa and the other card companies to drop that requirement.
The NRF’s request is echoed by Litan, who long has argued for fundamental changes in the card industry’s payment process, via the introduction of measures such as one-time passwords and all PIN-based transactions.
The bad guys remain hard to catch
For all the attention paid to the breach by TJX, and all the hired forensics experts and law enforcement authorities on the case, the perpetrators thus far haven’t been tracked down. Some individuals who allegedly used card numbers stolen in the breach have been arrested. But the hackers themselves have remained frustratingly out of reach, as is the case in most breaches.
“The crooks are still at it,” Litan said. “They probably will strike again. They’re laughing all the way to the bank.”
Jaikumar Vijayan is a freelance technology writer specializing in computer security and privacy topics. Disclosure: He also writes for Hewlett-Packard's marketing website TechBeacon.
94 million customer records breached at major US retailer
In March 2007, when TJX disclosed that at least 45.7 million customers' credit cards had been compromised, this breach was considered one of the biggest retail data breaches of all time. In October 2007, court filings related to the breach revealed at least 94 million customers had been affected, more than twice the number in the original company statement.
In 2010, an attacker was jailed for 20 years for his role in the hacking and data breach.
No Excuse: Security Lessons From T.J. MAXX Data Breach
Maybe the company should change its name to T.J. LAX -- lax security practices let the hacked retailer's data breach go from bad to worse to bad beyond belief while nobody did anything to remedy the situation.
September 28, 2007
That's the finding of a Canadian investigation into T.J. MAXX parent company TJX and its security procedures -- or lack of them -- that let a data breach persist for well over a year, with customer records compromised throughout that time.
The small to midsized business security lessons to be learned? The ones you probably already know. Among the investigators' findings:
Watch for wireless weak spots: Indications are that the company breach may have taken place via insecure wireless networks at T.J. MAXX retailers. Any entry into your network is enough to compromise everything.
Upgrade promptly and efficiently: TJX took two years to convert its systems from weak to strong encryption. That's far too long -- more than long enough for two years' or so worth of customer data to be grabbed, in fact.
Systems exist to be monitored: Better monitoring -- i.e., constant, thorough, aggressive -- would have alerted the company to the breach sooner.
Acquire only the information you need and get rid of it when you're done: MAXX was acquiring driver's license numbers when refunding non-receipted items. That's an unnecessary data-get -- and exposed another customer record to hacking. Take only the information a transaction requires, and retain it only as long as your business and appropriate compliance/regulatory rules require.
Industry standards exist for industry reasons: Incredibly, the company was processing millions of credit card transactions without adhering to Payment Card Industry (PCI) standards.
Every one of these lapses was easily remedied, but more than that, every one of them was a breach of good business practice as well as good data security practice.
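Bradner's point earlier on this page about the PCI retention requirement and the "acquire only what you need" lesson above describe the same two controls: store only the card fields a later lookup needs, mask the security code with asterisks, and delete records once the retention window closes. Below is an added example of a small record store that enforces those controls and audits legacy rows for violations; it is not code from any of the articles or from TJX, and the 90-day retention window, the record layout, the constructed sample rows and the `CardholderStore` name are all assumptions.

```python
"""Added example (not code from any article on this page): a minimal cardholder
record store that enforces the two controls the TJX coverage keeps returning to,
masking the card security code with asterisks and purging records past the
retention window. The retention period, record layout and sample rows are all
constructed assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

RETENTION_DAYS = 90                 # assumed business retention window
NOW = datetime(2007, 1, 17)         # constructed "today" for the sample run


@dataclass
class Transaction:
    txn_id: str
    pan_last4: str                  # only the last four digits of the card number
    security_code: str              # must be masked before it reaches the store
    captured_at: datetime
    drivers_license: Optional[str] = None   # never needed for a sale


def mask_security_code(code: str) -> str:
    """Replace every digit of a 3- or 4-digit security code with '*'."""
    if not re.fullmatch(r"\d{3,4}", code):
        raise ValueError("security code must be 3 or 4 digits")
    return "*" * len(code)


def last4(pan: str) -> str:
    """Truncate a 13-19 digit PAN to its last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits[-4:]


class CardholderStore:
    def __init__(self, retention_days: int = RETENTION_DAYS):
        self.retention = timedelta(days=retention_days)
        self.rows: List[Transaction] = []

    def record_sale(self, txn_id: str, pan: str, security_code: str,
                    captured_at: datetime) -> Transaction:
        """The only write path for sales: the full PAN and the clear security
        code are used once here and never stored."""
        row = Transaction(txn_id, last4(pan), mask_security_code(security_code),
                          captured_at)
        self.rows.append(row)
        return row

    def purge_expired(self, now: datetime) -> int:
        """Delete rows older than the retention window; returns the count removed."""
        cutoff = now - self.retention
        before = len(self.rows)
        self.rows = [r for r in self.rows if r.captured_at >= cutoff]
        return before - len(self.rows)

    def audit(self, now: datetime) -> List[str]:
        """One finding per control violation; an empty list means the store is clean."""
        findings = []
        cutoff = now - self.retention
        for r in self.rows:
            if r.captured_at < cutoff:
                findings.append(f"{r.txn_id}: retained past {self.retention.days}-day window")
            if re.search(r"\d", r.security_code):
                findings.append(f"{r.txn_id}: security code stored in clear")
            if not re.fullmatch(r"\d{4}", r.pan_last4):
                findings.append(f"{r.txn_id}: PAN not truncated to last four digits")
            if r.drivers_license is not None:
                findings.append(f"{r.txn_id}: driver's license number retained")
        return findings


def build_sample_store(now: datetime) -> CardholderStore:
    """Constructed data: one sale written through the safe path, plus one legacy
    row of the kind described on this page, written before masking existed and
    carrying a driver's license number captured on a no-receipt refund."""
    store = CardholderStore()
    store.record_sale("T-1001", "4111 1111 1111 1111", "123", now - timedelta(days=10))
    store.rows.append(Transaction("T-0042", "4242", "987", now - timedelta(days=400),
                                  drivers_license="S1234567"))
    return store


if __name__ == "__main__":
    store = build_sample_store(NOW)
    for finding in store.audit(NOW):
        print("FINDING:", finding)
    print("purged", store.purge_expired(NOW), "expired row(s)")
    print("findings after purge:", store.audit(NOW))
```

Run stand-alone, the audit flags the legacy row three times (retention, clear security code, driver's license) and the purge removes it, after which the audit is clean.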
Take a look at your business with the lessons of T.J. LAX, uh, MAXX in mind.
About the Author
Keith Ferrell
Contributor
The TJX data breach: Why loss estimates are overblown
George Ou outlines the perils of failing to secure your wireless network via the TJX data breach, but don't expect a massive financial hit from this security lapse.
Ou cites a bevy of estimates regarding TJX's financial hit due to the loss of at least 45.7 million data and credit card numbers. The range for these losses: $1 billion to $4.5 billion. Many assume a cost of $100 per lost record or more.
I'll believe it when I see it.
Thus far, TJX has taken a pre-tax charge of $5 million due to the computer intrusion. According to TJX's annual report this tally "includes costs incurred to investigate and contain the computer intrusion, strengthen computer security and systems, and communicate with customers, as well as technical, legal, and other fees."
TJX says it doesn't have enough information to "reasonably estimate losses we may incur." Of course that hasn't stopped folks from guessing at total losses.
Just to be safe TJX has stopped buying back its stock. In the end, TJX's balance sheet is healthier than ever. J.P. Morgan analyst Brian Tunick is projecting TJX's cash position to top $1 billion in 2008 due to better inventory management. TJX ended 2006 with $857 million in cash and is expected to end 2007 with $809 million, according to Tunick's estimates.
The problem with these big loss estimates from analysts and other observers is that they assume a brand hit and customer loss. In this Information Week story, "brand impairment" is cited as part of the reason why TJX could take a $4.5 billion hit due to its data breach.
So far, TJX's brand is just swell. Customers are still shopping--same store sales rose 6 percent in March. That sales tally doesn't exactly jibe with a Javelin Strategy & Research study that found three in four consumers will stop shopping a merchant if a data breach occurs. The disconnect: Consumers say they will stop shopping, but in reality they keep coming back if the price is right. Bottom line: If customers didn't abandon TJX at the height of its bad press they aren't leaving now.
Maybe these big loss estimates account for forgone market capitalization. The problem with that assumption: TJX shares are about where they were when the data breach went public.
Or maybe class action lawsuits will add up to big numbers. After all, TJX failed to secure its network for more than a year. "We are vigorously defending the litigation and claims asserted against us," says TJX.
So let's assume TJX gets its tail handed to it in court. TJX spends $50 million on lawyers and winds up settling for $200 million in a worst case scenario after many appeals. Naturally, only the lawyers get anything.
The subtotal thus far is roughly $300 million.
To be sure the consultant fees are going to be huge for TJX so let's factor in another $200 million.
That brings us to $500 million.
But unless postage on those "we're sorry to inform you" letters to customers add up to $500 million it's going to be tough to get to that magical $1 billion loss level everyone is talking about.
Now this whole TJX episode makes some people cringe--they just can't believe that there's not severe pain inflicted when customer data is lost. Certainly George Ou wants to see TJX suffer a bit. But the initial outrage wears off quickly.
Overall, TJX will be seen as a victim--albeit a negligent one. And TJX customers don't get irate because most of them won't take a financial hit. After all, credit card companies eat fraudulent charges in most cases. Of course, identity theft is a risk, but that'll be a small number out of that 45.7 million. These estimates surrounding data breaches just don't add up to the reality.
Estimates Put T.J. Maxx Security Fiasco At $4.5 Billion
The data breach at the major retailer will cost the company $100 per lost record, according to database security firm IPLocks.
May 2, 2007
The security breach at TJX Companies Inc. could cost the company $100 per lost record, or a total of $4.5 billion, according to the calculations of a database security company.
IPLocks, a compliance and database security company, is basing the estimate on the accumulated costs of fines, legal fees, notification expenses and brand impairment, according to Adrian Lane, the company's chief technology officer. He added that $100 per lost record is an average figure for major data breaches, but they calculated expenses particular to TJX and came out with the same figure.
The Ponemon Institute, a think tank focused on record privacy and data protection, expects the TJX breach costs to be even higher. They cite costs in the range of $182.00 per record, based on research from November 2006 of the cost of breaches incurred in 31 separate incidents. For TJX, this translates to $8.6 billion.
"The effectiveness of the people who stole the information is critical here," said Lane in an interview with InformationWeek. "They did it for a long time. They sold [the stolen information] out to multiple sources. Those credit card numbers are showing up in foreign countries. This is not just a U.S. security breach anymore."
Just last week, TJX was the subject of a class-action law suit seeking "tens of millions of dollars." The Massachusetts Bankers Association, which represents 207 financial institutions, announced that it is filing the suit in federal court in Boston. The news came less than a month after TJX disclosed in a Securities and Exchange Commission filing that more than 45 million credit and debit card numbers may have been stolen from its IT systems over an 18-month period.
The MBA also said in a release that the Connecticut Bankers Association, the Maine Association of Community Banks, and individual banks are joining as co-plaintiffs. Together, the three associations represent nearly 300 banks. Other banks can still join the suit.
TJX is the parent company of T.J. Maxx, Marshall's, HomeGoods, and other retailers. The security breach, which was announced in January, is the largest customer data breach on record.
"There are still so many unknowns with this breach that reliable assessments are truly impossible, but our estimate of more than $1 billion is not unreasonable given the total number of affected credit cards and the long time period over which the breaches occurred," said Lane. "As an example, the ChoicePoint breach cost approximately $100 per record..."
The IPLocks and Ponemon estimates fall in line with figures that Forrester Research released earlier this month. The industry analyst firm calculated that the average security breach can cost a company between $90 and $305 per lost record. Forrester reported that analysts arrived at that number by surveying 28 companies that had some type of data breach.
Lane added that he hopes companies see these kinds of costs and learn a lesson from TJX's troubles.
"We keep seeing these breaches but we don't see the call to arms," he said. "They're not taking care with that data. If you're going to earn a profit on it, you need to protect it."
About the Author
Sharon Gaudin
Contributor
TJX says 45.7 million customer records were compromised
Filing with the SEC reveals scope of the breach is far wider than previously believed.
The scope of the breach, which was initially disclosed in January, is far wider than previously believed.
"This is the largest security breach we've ever had worldwide," said Avivah Litan, an analyst with research firm Gartner. "There was a case at CardSystems where 40 million records were exposed, but this one looks like it was a case where the information was stolen."
TJX, which operates such discount retail chains as T.J. Maxx and Marshalls in the U.S., released additional details of the breach in a filing with the Securities and Exchange Commission.
In its filing, TJX noted cyberthieves first accessed its computer systems in July 2005 and installed software to harvest such sensitive customer information as account information, names and addresses, drivers' license numbers and military and state identification. The breach continued through mid-January 2007.
Accounts and transactions affected included credit and debit card transactions, as well as checks and returned merchandise without receipts at the company's Marshalls, T.J. Maxx, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico. Credit card transactions at TJX's Winners and HomeSense stores in Canada, as well as credit and debit card transactions at its T.K. Maxx stores in Ireland and the U.K. were also compromised.
TJX rang up a pre-tax charge of $5 million in the fourth quarter to deal with the computer breach, which included the costs associated with investigating the issues, improving its security systems and notifying customers.
Those costs are likely to increase, given the multiple lawsuits customers have filed and investigations launched by a number of government agencies. According to the SEC filing, a multistate investigation is currently under way that encompasses 30 states, and the Federal Trade Commission is also reviewing whether TJX violated laws pertaining to consumer protection. In Canada, several privacy commissioner offices in various provinces are also reviewing the matter.
The security breach involving CardSystems, a third-party processor of payment data for banks and merchants, resulted in the exposure of credit card numbers for 40 million accounts--a figure comparable to the TJX case. Other notable cases include data broker ChoicePoint, which affected an estimated 145,000 Americans, and the University of California at Los Angeles, in which 800,000 people had their information compromised after a security breach.
In the case of TJX, Litan suspects it was a case where attackers gained access through a wireless regional hub for the company's store controllers that handle the point-of-sale system. From there, the attackers may have been able to work their way into TJX's central system, she noted.
"Most retailers aren't looking at their point-of-sale system," Litan said. "Most enterprises tend to forget about the devices hanging off of their networks. What happened here may not be all that uncommon."
PCI compliance after the TJX data breach
The massive TJX data breach reinforced the need for stricter controls when handling credit card information. In this tip, Joel Dubin reexamines the need for the PCI Data Security Standard and advises how to ease the PCI compliance burden.
The recent TJX Companies Inc. data breach refocused attention on credit card security, retailers and the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS is to the credit card industry what Sarbanes-Oxley (SOX) has been to publicly held companies. It's pushing them to comply with the PCI Security Standards Council guidelines, the most recent of which was drafted in September 2006. It forces card issuers and processors to invest in the necessary compliance technology and training or face crippling consequences. Those who don't can be heavily fined or barred from issuing or accepting cards from any council members. And, because the council consists of a consortium of five powerful card companies -- Visa, MasterCard, American Express, Discover and JCB -- not complying can effectively ban a bank from issuing cards or a merchant from accepting them.
PCI DSS is not groundbreaking; it is simply a set of information security standards no different than those at any large bank or publicly held corporation. But it has molded security throughout the credit card industry lifecycle, from how banks issue cards to how retailers accept them.
During the TJX breach, hackers stole an undetermined number of credit card accounts, some of which dated back to 2003; as a result, dozens of banks reported incidents of fraud from the compromised cards. Also, because TJX had stored old account information instead of deleting it, the company violated a PCI requirement, which mandates that a company remove data it no longer needs.
In total, there are twelve PCI DSS-required controls. They cover access management, network security, incident response, network monitoring and testing and information security policies. PCI DSS critics claim, in some cases, that it's too restrictive; it interferes with how companies set up firewalls and antivirus software, for example, and is too vague in other areas like incident response and network monitoring.
Additionally, these twelve controls are grouped together under six PCI DSS "control objectives." They include:
- Build and maintain a secure network -- Ensure firewalls are installed and that changes to rules are adequately logged. Web servers that must access the Internet should be in a DMZ. Database servers holding customer account information should be inside the company's network, protected by a firewall. Note: For the most part, these requirements are already part of the networking staff's routine job responsibilities.
- Protect cardholder data -- Stored account numbers must be encrypted or truncated, and customer data must be disposed of when no longer needed. This was the fatal mistake in the TJX case. Encryption over public networks for data in motion should be done using SSL.
- Maintain a vulnerability management program -- This control covers a wide range of requirements. It requires antivirus software on all servers and workstations, and recommends everyone follow guidelines from the Open Web Application Security Project (OWASP) for developing Web applications.
- Implement strong access control measures -- Restrict access to systems with account numbers and ensure user accounts are audited to remove outdated or malicious accounts. Stored passwords should also be encrypted.
- Regularly monitor and test networks -- Require regular vulnerability scans, reviews of server logs and the installation of intrusion detection or prevention systems (IDS and IPS).
- Maintain an information security policy -- Draft an information security policy that covers access control, network and physical security, and application and system development. It's important to keep the policy updated as systems and needs change, and to make sure it's distributed to system users.
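A worked example for the "protect cardholder data" objective above, added here and not taken from Joel Dubin's tip: it scans stored transaction records for full account numbers, truncates them to the first six and last four digits, and purges records that have outlived their retention window, the retention failure the tip attributes to TJX. The record layout, the 90-day retention period and the card numbers (industry test numbers) are constructed assumptions.

```python
"""PAN truncation and retention purge for stored transaction records.

Added example, not the tip's own code. Field names, retention window and
sample records are constructed; the card numbers are public test numbers.
"""
from datetime import date, timedelta

RETENTION_DAYS = 90                  # assumed business retention window
KEEP_LEADING, KEEP_TRAILING = 6, 4   # "first six / last four" truncation
AS_OF = date(2007, 3, 15)            # constructed "today" for the sample run


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates plausible PANs from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True for 13-19 digit strings (spaces/dashes allowed) that pass Luhn."""
    digits = value.replace(" ", "").replace("-", "")
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits; mask everything between."""
    digits = pan.replace(" ", "").replace("-", "")
    hidden = "*" * (len(digits) - KEEP_LEADING - KEEP_TRAILING)
    return digits[:KEEP_LEADING] + hidden + digits[-KEEP_TRAILING:]


def sanitize_record(rec: dict) -> dict:
    """Truncate every field that holds a full PAN; other fields are untouched."""
    out = dict(rec)
    for key, val in rec.items():
        if isinstance(val, str) and looks_like_pan(val):
            out[key] = truncate_pan(val)
    return out


def purge_expired(records, today, retention_days=RETENTION_DAYS):
    """Drop records older than the retention window; return (kept, purged_count)."""
    cutoff = today - timedelta(days=retention_days)
    kept = [r for r in records if r["txn_date"] >= cutoff]
    return kept, len(records) - len(kept)


# Constructed sample records. Record 3 carries a 16-digit order reference that
# fails Luhn, so the scanner must leave it alone while masking the real PAN.
SAMPLE = [
    {"txn_id": 1, "txn_date": date(2007, 3, 1), "pan": "4111 1111 1111 1111"},
    {"txn_id": 2, "txn_date": date(2006, 11, 1), "pan": "5500000000000004"},
    {"txn_id": 3, "txn_date": date(2007, 3, 10), "pan": "378282246310005",
     "order_ref": "1234567890123456"},
]


def run_sample(today=AS_OF):
    """Purge expired records, then truncate PANs in whatever remains."""
    kept, purged = purge_expired(SAMPLE, today)
    return [sanitize_record(r) for r in kept], purged


if __name__ == "__main__":
    kept, purged = run_sample()
    print(f"purged {purged} expired record(s)")
    for r in kept:
        print(r)
```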
The standard also requires that PCI compliance be certified by two separate outside consultancies. And with that in mind, numerous consultants now offer PCI compliance services.