TJX Offers One-Day Sale To Make Up For Massive Data Breach

from the how-generous dept

Until earlier this week, TJX held the record for the biggest-ever data leak, for its effort to lose track of some 94 million people’s credit card info to a group of hackers. Just to recap, the company lost all the data largely through sheer incompetence: it encrypted its stores’ WiFi networks with the easily broken WEP standard, and it had no security in place to keep the hackers out of its central database once they’d gotten onto the network at a single store. Even more astounding was the fact that TJX transmitted credit-card info to banks without any encryption. It was the banks that were largely left holding the bag for all the fraudulent purchases made with the stolen credit-card numbers, while several of the criminals behind the breach were charged, too. What punitive action was taken against TJX? It had to pay a $41 million fine to Visa, but got off with no fine and a wrist slap from the Federal Trade Commission. But apparently the company really wanted to make things up to consumers, so it offered a one-day 15 percent off sale in its US and Canadian stores this week. Wow, so generous, especially to do it in the post-holiday, let’s-clear-out-everything-we-didn’t-sell-before-Christmas season. You could probably forgive TJX for thinking this would make up for everything, though, since data-leak settlements and punishments are generally toothless and do little to encourage companies to take serious steps to stop the leaks.
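For readers who want to see why "easily broken WEP" is not an exaggeration, here is an added example (written for this page, not part of the Techdirt post and not TJX's or anyone's real network code). It models the one part of WEP that needs no key-recovery math at all: the 24-bit IV. WEP keys RC4 with IV || shared key and sends the IV in the clear, so any two frames that reuse an IV are encrypted under the identical keystream. An eavesdropper who knows the plaintext of just one such frame (a ping they provoked, a predictable ARP reply) XORs it out to get the keystream and can then read any other frame with the same IV. The shared key, IVs and payloads below are constructed for illustration, the CRC-32 ICV of the real frame format is omitted, and the statistical key-recovery attacks (FMS, PTW) that recover the key itself are not implemented here.

```python
"""Added example: WEP keystream reuse from its 24-bit IV (simplified model, constructed data)."""
import math
from collections import defaultdict

IV_BITS = 24  # WEP IV length; the whole space is only 16,777,216 values


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by the PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame body: 3-byte IV in the clear, then RC4(IV || key) XOR data.
    The real format also appends a CRC-32 ICV, which is left out here."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """What the legitimate receiver does: regenerate the keystream from IV || key."""
    iv, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def frames_for_iv_collision(probability: float = 0.5) -> int:
    """Birthday bound: how many frames an eavesdropper must capture before two share
    an IV with the given probability, assuming the card picks IVs uniformly at random.
    Cards that reset the IV counter to zero on every reboot collide far sooner."""
    n = 2 ** IV_BITS
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - probability))))


def find_iv_reuse(frames: list) -> dict:
    """Passive step: index captured frames by IV and keep only IVs used more than once."""
    by_iv = defaultdict(list)
    for idx, frame in enumerate(frames):
        by_iv[frame[:3]].append(idx)
    return {iv: idxs for iv, idxs in by_iv.items() if len(idxs) > 1}


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """If the attacker knows what one frame said, ciphertext XOR plaintext is the
    keystream for that IV. No key is needed and none is learned."""
    return xor_bytes(frame[3:], known_plaintext)


def decrypt_with_reused_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Read another frame that reused the same IV, as far as the keystream reaches."""
    return xor_bytes(frame[3:], keystream)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = bytes.fromhex("00000a")               # an IV the card happens to reuse
    provoked = b"ICMP echo request, contents chosen by the attacker"   # constructed
    secret = b"Track2: 4111111111111111=1012; store->HQ"               # constructed
    f1 = wep_encrypt(key, iv, provoked)
    f2 = wep_encrypt(key, iv, secret)
    ks = recover_keystream(f1, provoked)
    print("IV reuse found:", find_iv_reuse([f1, f2]))
    print("Recovered:", decrypt_with_reused_keystream(f2, ks))
    print("Frames to a 50% IV collision:", frames_for_iv_collision(0.5))
```

The birthday figure is the part worth remembering: around 4,800 random frames, a few minutes of traffic on a busy store AP, gives even odds of an IV repeat, and a deterministic IV counter that restarts at zero makes it immediate. This is separate from the key-recovery attacks that actually made WEP cracking a ten-minute job; it is only the simplest reason the design was already broken on paper.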

Companies: tjx


Comments on “TJX Offers One-Day Sale To Make Up For Massive Data Breach”

17 Comments
Freedom says:

Wake up to the real world...

Wake up to the real world. I would bet that more than 95% of businesses are set up in this sort of way. IT is a balancing act with limited resources. It is also an industry that literally has no standards, and the core elements change on a yearly basis. While in a perfect world every company would invest the necessary dollars, there are many that don’t and won’t do it. This is an especially bad example, but most companies are set up such that once you get past the front door security, you have a lot of access.

With that said, not encrypting the CC info is really bad. Even if the network was set up without a lot of security concerns, you’d think someone would have thought a bit on that one!

Freedom

Mr. Kerry D Robertson says:

Re: Wake up to the real world...

Agreed! Until companies realize they need to beef up their IT departments, or flat out hire network security professionals, this type of thing will continue to happen.

Most buildings that house companies have a security system and human guards.

As more companies and their assets are housed in cyberspace, does it not make sense to apply some of the same rules?

Oh well. Try explaining that to a boss who thinks of a train ride when you talk to him about SSL tunneling.

JT says:

Re: FTC needs to change

Reading a bit from your article and comments… It sounds like it’s OK to run your business poorly from an IT/security standpoint and claim ignorance when cornered. Your comments sound like the kid on the playground pointing their finger saying “look at all these companies, they do it too”. Well guess what? They’re not the ones that had it happen to them.

Part of the problem is that people will not conform or put forth ANY effort unless they’re forced to. It’s too bad we have to have examples in society, but without them we have crime. It’s no different with business: if there are no examples, they continue to do what’s cheap rather than what they should do. Hopefully this makes other companies of their scale take a look at security and determine if they’re at risk for a breach and some lofty payback if it happens.

I’m a bit sickened by you calling them “victims”. Companies do all they can to cut corners and they need to be held accountable when they screw up, especially on a scale like this.

MMXG says:

Networks

My home Wireless-N network is encrypted with WPA2-AES/TKIP with a long, but memorable, pass-phrase. Router also checks MAC Addresses and requires wireless devices to be registered on the router before access is allowed. Router settings took about 2 minutes to set up, computers collectively about 10 minutes to get connected right.

I have only ever worked in Retail and I have never taken any post-secondary IT courses. “Sheer incompetence” is an understatement, and TJX should still get that $41-million fine.

Also, I believe “hackers” is the wrong term; they were “crackers”. Hackers have pride, they want a challenge, and usually they do it just to prove they can, not to steal information for personal gain. Not unless that gain is a monthly paycheck, that is. I’m curious to know if TJX’s network was infected with that Downadup/Conficker worm, and if they have some less incompetent employees to make sure that’s handled properly.

Retailer Joe says:

Encrypting CC info

What’s scary about the encryption of CC info is that the banks we work with (I work at a retailer) _cannot_ support encryption on their links…

The PCI standards require us to keep the data encrypted while it resides on our system (or is being sent over our network), but as soon as it goes on the link to the bank, it’s wide open (note that the PIN is always encrypted, but the card number and expiration date are wide open).

We’ve hit the bank a couple of times about encrypting that data flow, but they claim their systems can’t handle it!

Nelson Cruz says:

Here in Portugal we have a system that issues “virtual credit cards” that expire after 1 month and have a limit set by the user. It’s called mbnet (www.mbnet.pt).

For every single online transaction we can use a different card number, that even if it falls in the wrong hands, can’t be of much use to them.

Maybe someone in the US should copy this. 🙂
