Now Maybe TJX Will Take Data Security Seriously
from the when-you-put-it-that-way dept
While personal data leaks continue to occur at a pretty regular clip, very few companies or government agencies take the problem very seriously. This is mostly because after the initial bout of bad PR, the repercussions are minimal, so few groups bother to spend the time and resources needed to put proper preventative measures in place. Perhaps, though, that will begin to change as the costs of these data leaks and breaches become more publicized. For instance, TJX, the retailer that suffered the largest breach of credit-card data ever, reported this week that its second-quarter costs related to that breach came in at more than 10 times its initial estimates, and added up to 25 cents per share in the quarter. The raw figure of $117 million still isn’t that much, but it cut the company’s earnings per share in half from the year-ago quarter — and that’s bound to upset the company’s investors. They’re likely to be even more annoyed if they look into the details of the breach: earlier reports highlighted the company’s security incompetence, but a story this week made things look even worse. The breach was apparently perpetrated by using poorly secured in-store kiosks, which were on the corporate network and not behind firewalls. Attackers stuck USB keys in the kiosks and loaded software that allowed them to be controlled remotely, and used as gateways onto the network. While it certainly doesn’t look like TJX was paying a lot of attention to security, a 25 cent per share loss will make investors take notice — and that, hopefully, will force companies to take data leaks and security more seriously.
Filed Under: data leaks, security
Companies: tjx
Comments on “Now Maybe TJX Will Take Data Security Seriously”
Loss
They’ll just write it off as a loss on their taxes… if they pay any. I am sure they will have to go through the motions of improving security. Whether or not it actually gets better will be fun to see.
Any company that doesn’t take the time to ensure the security of customer financial data deserves every bit of loss they get.
But then, is that really the problem, or is the problem trusting computers so much with finances?
One thing can be certain – computers will never be 100% secure. If you can code in security, you can code something to get around it. It’s just the nature of the computer. It only does what you tell it to do. And despite Corporate and Government’s arrogance – the best programmers don’t always work for them.
Simple Analysis
We just had a meeting where we went over laptop security ..
20 People * 0.5 hour * ~50$/person/hour = $500
20 People * 10 minutes per day securing laptop =~ $50k/year
1 lost unsecured laptop with sensitive data =~ $10,000,000 – $1,000,000,000
Of course I’m talking about laptops with engineering documents, analyses, failure reports, etc., not customer financial data, but all we need to do is make consumer financial breaches cost that much to the company and they will change their practices. I’d personally like to see free credit monitoring for life with reports every time there is an update to credit history along with 100% protection from fraud. This should be insured against the CEO and board of directors’ personal finances, or the company should be required to set up a significant fund to provide these services in case the company goes under.
I’m allowed to hope … right?
Yeah right...
We all know the only “improvements” TJX did was fire a few low level peons to keep up appearances with the shareholders.
Please for the love of God, tell me you're joking!
What damn fool administrator with ANY backbone would ever agree to allow his/her network to be compromised in this manner?
I mean, I would rather QUIT a job if they were forcing me to overlook HUGE GAPS in security like this, than be FIRED after the fact and made to look like a completely incompetent idiot!
This is BASIC security here, anyone with ANY knowledge of networking knows, you don’t put an unprotected computing device out in the public and leave it on your intranet! Man, if I didn’t have these back problems, I’d be applying for a job at TJX, where apparently anyone can get a job in the IT dept!
Re: Please for the love of God, tell me you're jok
D’oh!
But before we write this off to total stupidity, another (speculated) physical attack vector described in the article was a doctored credit card reader placed on a checkout counter. That type of thing has to be worrisome to a lot of retailers.
Fortunately, some of the downstream crooks behaved the way you’d expect of street criminals, producing multiple $400 gift cards at Wal-Mart to get around the store policy of requiring IDs for $500 cards.
Furthermore, criminal charges could be filed...
In this case especially, the local authorities could file Criminal Negligence charges considering that TJX disregarded the most basic networking security.
Of course, I suppose our Attorney General is too busy pursuing other things at the moment, but seriously, someone should be made to stand up and take full responsibility for this fiasco!
dumb security
Security is a tedious job that should be left to the professionals. It is not a guarantee, but so many people think they “get it” that they do dumb shit stuff like allowing USB access or letting public access terminals have full run on internal networks.
Even big money companies do stupid things. A few years ago, when I was a client at Smith Barney, I used an online account. The account was secured by a username, password, and PIN. When I logged on I found they stuffed a cookie in my browser with the username and PIN in the clear! The web site described the password content so it limited the brute force range.
The next article should be stories about smart people doing dumb things. The one I like best is how companies save thousands on computer security. They do not hire the staff and believe that unless there is an identified breach, they are safe and secure.
Hmmmmmm,
Think this sounds like someone read a past issue of 2600 magazine (2600.org), and saw the article about in-store kiosks. Again all sources were close to the investigation (sure….), and using a SEC Filing, “suspicious software”. WOW! The company was hacked, what can be expected? This sounds like someone is on the FUD bandwagon, from a USB management software company. This is bad enough without people jumping in and trying to make it bigger than it is along with making a dollar.
Identity theft has brought great tensions to the corporate world, causing many companies losses each year. Everyone is scared of their personal information being leaked out to some strangers. Not only offices but individuals at home should also purchase one for safety.
Comment
I’m using this discryptor.net software. I think that really makes my data secure.
Now, a couple of years later, TJX has yet to pay off any significant amount of customers over their lackluster data protection efforts. But, their name has paid an ultimate price. TJX name value is below the basement and I understand that company credit card applications are at all time lows. Behold the power of a hack to shatter consumer confidence in a brand.
Many companies are setting up encrypted disk drives – whereas the raw hard drive is not readable. It is a great technology – but I’m sure someone already knows how to break it..
Formax FD 6100
encryption
Encrypted hard drives are the best defense against this.