Not that the company is in the clear. According to a report from Merchant Link, which provides secure systems for retail outlets, the breach has cost the company more than $130 million to secure its infrastructure, there have been 19 lawsuits filed and there are investigations underway by the Federal Trade Commission and 37 state Attorneys General.
All this seems to have driven the message home to retailers, including TJX itself. "TJX accelerated their security program and implemented the improvements needed to become PCI (Payment Card Industry)-compliant, including upgrading their wireless security and eliminating the storage of sensitive authentication data. In fact there is some discussion about TJX becoming a 'spokescompany' for PCI security," said Avivah Litan, senior security analyst for Gartner.
Perhaps, but TJX was not keen on discussing its new security plans in detail, as it did not respond to repeated requests for an interview. TJX is the parent company of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S., as well as Winners and HomeSense in Canada. Revenue for its most recent fiscal year ended January 2007 was $17.4 billion. For so large a company, though, the breach started small, with crackers hacking into wireless networks at two U.S. stores.
The stores were using the relatively weak Wired Equivalent Privacy (WEP) protocol instead of the stronger Wi-Fi Protected Access (WAP) protocol, but what really hurt is that the intruders were able to access the TJX internal systems and move around freely for almost two years. The breaches occurred from mid-2005 and ran through December 2006. It is estimated 47.5 million records were stolen.
That was TJX's bigger problem, letting the intruders roam freely for 18 months. Dr. Anton Chuvakin, a security expert with LogLogic, said TJX didn't have decent traffic logs. "What took TJX months was looking at all their systems and determining who took what data, from where, where it was sent, etc. The investigation took them months. They likely didn't have any logs, because they had to do system forensics rather than log analysis to arrive at their conclusions about who stole the data and how. If they had collected and analyzed log data centrally, the investigation would have been a piece of cake," he said in an e-mailed comment to InternetNews.com.
Brian Cleary, vice president of marketing for the enterprise access governance firm Aveksa, concurred. "They didn't have good access controls, they were not auditing access on a regular basis and not checking log files and access. It was really poor security governance," he said.
TJX's second mistake was storing vital credit card information, such as the data hidden in the card's magnetic strip, on local machines. This is particularly frustrating to banks, according to Litan, because it allows counterfeiters to make perfect duplicate cards.
Merchant Link's report specifically recommends to all clients that they eliminate the storage of sensitive personal data wherever possible by using secure third party services to keep the point of sale clean, and "certainly" do not store the data collected from a credit card's magnetic stripe.
Litan said TJX was certainly at fault for storing the magnetic stripe information but she also think banks have a bigger role to play in the design of the payment systems. "They rolled [payment systems] out before there were cybertheives and no one thought about security," she said. "The payment system architecture is legacy, outdated. They could update the arch and make them more secure or just require a PIN on every transaction. Instead, they'd rather keep it as business as usual