TJX is back in the news, and in a big way. The reason for the brouhaha is the new estimated number of credit card accounts compromised when TJX security was breached last year. The new number is 94 million, double the original TJX estimates of 46 million, as reported in a court filing. The new estimate was provided by the bank group that is suing TJX in order to recoup costs involving the notification and issuance of new credit cards for affected customers.
In light of the above, obviously a lot of people are asking if the new estimate is real, or if it has been inflated in order to induce a bigger, and faster, settlement. I guess there is an incentive to inflate it, but at the same time people have multiple credit card numbers. Perhaps TJX is consolidating some of their findings based on the number of people affected, whereas the bank group is reporting a pure number of accounts affected? Anyway, most commentators don’t seem to know what to make of the new number.
There are some other salient points about the court filing. To begin with, TJX failed nine of the twelve PCI compliance requirements, including the keeping of Track 2 information, which is explicitly banned under PCI. Supposedly the company knew it was a violation, but continued to do so anyway—perhaps the forensic analysts that were hired had access to C-level e-mails?
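Retained Track 2 data is exactly the kind of thing a compliance check can look for. The scanner below is an added example, not code from the court filing or from TJX; it assumes the standard ISO/IEC 7813 Track 2 layout and runs over a few constructed transaction-log records, flagging any record that still holds full track data (PAN passes a Luhn check) rather than just the last four digits.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' start sentinel, PAN of 12-19 digits,
# '=' field separator, YYMM expiry, 3-digit service code, discretionary
# data, '?' end sentinel. PCI DSS forbids storing this after authorization.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)


def luhn_ok(digits: str) -> bool:
    """Luhn check on a candidate PAN; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track2(record: str):
    """Return (masked_pan, expiry) for each Track 2 field whose PAN passes Luhn."""
    hits = []
    for m in TRACK2_RE.finditer(record):
        pan = m.group("pan")
        if luhn_ok(pan):
            masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
            hits.append((masked, m.group("exp")))
    return hits


def scan_records(records):
    """Map record index -> findings for records holding prohibited Track 2 data."""
    findings = {}
    for i, rec in enumerate(records):
        hits = find_track2(rec)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample records (not real data); the flagged PAN is the widely
# published test number 4111111111111111, the third record fails Luhn.
SAMPLE_RECORDS = [
    "2007-01-14 store=0421 txn=88213 auth=OK amount=49.99 last4=1111",
    "2007-01-14 store=0421 txn=88214 raw=;4111111111111111=09121011234567890?",
    "2007-01-14 store=0421 txn=88215 note=;1234567890123456=0912101?",
]

if __name__ == "__main__":
    print(scan_records(SAMPLE_RECORDS))  # {1: [('411111******1111', '0912')]}
```

Only the second record is reported; the first stores just the last four digits, which PCI permits, and the third is a digit run that does not pass Luhn.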
Of course, the entire thing started when hackers were able to steal customer data due to weak, and outdated, encryption practices that TJX was employing at the time (which, apparently, management was aware of). Based on certain reports, supposedly more than 80 GB of cardholder data was stolen. However, it looks like administrators wouldn’t have known about it—and clearly did not know about it, as subsequent events revealed—because they had minimal monitoring and capturing of transaction logs, according to the analysts that were hired to review the matter.
How could the company have been so brazen? Opinions in the blogosphere abound, from “there are too many critical legacy applications that cannot comply with PCI requirements” (not brazen) to “why the heck not? Everybody does the same thing, TJX only happened to get caught” (extremely brazen). I think, in many ways, all of the opinions are valid.
The truth is that TJX will be made an example of for future reference, just like WorldCom and Enron (don’t defraud investors with off-balance sheet transactions, for the latter). I think with TJX we have entered the perfect storm where retailers, customers, and credit card companies will try to hash out their respective roles in preventing—more realistically, minimizing—what we saw with TJX. It would be easy to point fingers at TJX, but complete culpability cannot lie with the retailer alone.
For example, to a degree I blame the customers who shop at TJX. Despite the security breach, customers keep shopping there, and if TJX’s 10-Q is to be believed, they’re shopping there more than ever. I can tell you right now that this will not incentivize TJX to pay attention to security practices. Indeed, they used that fact as an argument in rationalizing their settlement with lawyers representing customers: our customers still shop with us, so it doesn’t look like they were severely affected by the data breach, so we’re going to offer thirty dollars’ worth of coupons to potentially affected customers. Meanwhile, one of those customers might have had a second mortgage in the six figures opened under his name.
Credit card companies, supposedly, require merchants to keep a copy of credit card numbers for up to 18 months, which is to be used in case a customer decides to contest charges; apparently there is enough of an onus that earlier this month the National Retail Federation issued an open letter to credit card companies stating that merchants shouldn’t be in charge of storing sensitive account data. The NRF’s message to credit card companies was essentially, “it’s your data. We don’t want it. You protect it.”
While this thing is being settled in court (or possibly out of court), I think any business can appreciate the need for safeguarding data. As pointed out numerous times by numerous professionals, make sure that you have the correct level of encryption. Also, it seems pretty obvious that there’s a need to monitor the situation. With services such as AlertBoot, you can easily encrypt your computers or your data or both, and combine it with powerful, easy-to-use reporting. Plus, there are a myriad of security options that you can explore to ensure that your company is protected.