As a holder of thousands of retail stores worldwide, what is the worst possible part of your IT infrastructure to have a breach? The systems that hold your customer's credit card and other transaction data.
What would be the worst time to have a breach? The height of the holiday shopping season.
That's the nightmare that the Framingham, Massachusetts based TJX Companies, Inc. had to disclose this past week.
According to a press release issued this past Wednesday, an intruder accessed TJX's computer systems that process and store information related to customer transactions for its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada. The company has also expressed concern that the breach might affect customers of its T.K. Maxx brand in the U.K. and Ireland as well as Bob's Stores in the U.S. The information stolen may include credit and debit card sales transaction data from 2003 as well as data from mid-May through Dec. 2, 2006.
According to the Privacy Rights ClearingHouse, this brings the number of customer records that have been lost or stolen since the February 2005 ChoicePoint data theft to more than 100 million.
An article on informationweek.com acknowledged that while the company has identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers isn't yet known.
While there is still a lot yet to be learned about this specific breach, there are some initial observations that can be made.
The timing of the attack - Hacking has turned into a professional enterprise. The timing of the attack was at the height of the retail shopping season when the greatest amount of fresh data would be available and the exact system was pinpointed to extract that data. Recent media reports indicate some hackers are even targeting attacks based on specific roles within an organization.
The delay in public announcement - According to the press release, the breach was discovered in mid-December, yet it went undisclosed at the request of law enforcement officials. The frustration is that gives hackers 30 additional days to sell the information or use the card for some other fraudulent means creates additional losses for credit card companies like Visa and Mastercard and a hassle for consumers to straighten out.
The consequences - In addition to the loss of consumer trust, the Ponemon Institute estimates 20% of consumers stop doing business with an organization following a data breach and another 40% consider it, you can be sure Visa, Mastercard and the TJX Companies' auditors will all be lining up to investigate the information security controls to see if any lax IT practices led to the hacker's ability to exploit the systems involved.
Internal vs. external security - A lot of organizations have placed the majority of their information security emphasis on external vulnerabilities. As hackers become more sophisticated, information security must be multi-layered. Most analyst surveys in recent years show the majority of breaches actually come from internal threats - untouched by external security efforts.
It is yet to be determined what steps TJX might have taken to further secure their information, but it is doubtful that they had simply left this data unprotected. This breach should be a call for even greater vigilence in ensuring the protection of privileged data. The hackers are certainly not letting up in their efforts, we can't either.
Comments