Security experts have mixed views on how retail giant TJX Companies
Inc. handled the aftermath of a massive data breach, which may have
exposed the credit card data of millions of customers.
One expert said the company, which runs several discount
clothing and home goods stores, should have determined the size and
scope of the breach more quickly and notified customers sooner.
Another expert said the company seems to have acted properly by
following the advice of law enforcement to not immediately make the
breach public.
The Framingham, Mass.-based retailer said an attacker exploited
a flaw in a portion of its computer network that handles credit
card, debit card, check, and merchandise return transactions for
customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright
stores in the U.S. and Puerto Rico, and its Winners and HomeSense
stores in Canada. The intrusion may involve customers of its T.K.
Maxx stores in the U.K. and Ireland and could also extend to TJX's
Bob's Stores in the U.S., the company said.
The discovery was made in December, but the retailer said
investigators asked to delay an immediate announcement of the
breach during the initial part of the investigation.
Larry Ponemon, founder and chairman of the Ponemon Institute,
said TJX's handling of the breach could have been better. For
starters, he said, the company should have already determined the
size of the data breach. "If you can't specify the likely amount of
data that's been breached then it means that you don't have a good
control system in place," he said. Another area where TJX may have
slipped up is in notifying potential customers, Ponemon said,
adding that victims should be contacted directly, rather than
learning of the breach through a company press release or the news
media.
David Taylor, vice president of data security strategies at
Stamford, Conn.-based Protegrity Corp., offered a more sympathetic
assessment. He said TJX appears to have acted properly by following
the instructions of law enforcement not to go public with the
breach immediately. The key is to be as open and honest as possible
once the news does go public.
"If their attorneys and police say don't talk about this
immediately after the breach, that's what they should tell the
media," he said. "At least you're giving a reason for not being
forthcoming. The more explicit you are on what happened and the
steps you've taken, the more people will trust you. If you say you
have everything under control without an explanation, nobody will
believe you."
While data breaches have become more public, research conducted
by the Ponemon Institute shows that the rate of data breaches is
not changing.
"In reality, data breaches have been happening for decades,"
Ponemon said. "What is changing are the data breach laws."
More than 30 states have passed laws similar to a California
requirement that companies inform victims of a data breach.
In a study released in October 2006, the Ponemon Institute found
that data breaches cost companies an average of $182 per compromised
record, a 31% increase over 2005. Ponemon studied 31 companies that
experienced a data breach. The total costs for each loss ranged
from less than $1 million to more than $22 million, according to
the 2006 findings.
Still, some companies are ambivalent towards data security,
Ponemon said.
"There are many more companies that are still complacent about
the whole thing and don't worry and understand the economic
impacts," he said.
If there's one thing Taylor has learned from investigating data
breaches over the years, it's that companies only increase their
security spending after they've been hacked. He expects the trend
to continue with TJX.
"The difference in security budgets between companies that have
been breached or not breached is big," he said. "A company that
hasn't suffered a breach might have a budget of $500,000 dollars. A
company that has suffered a breach will more likely have a budget
of $5 million."
Now that TJX has been hit, Taylor expects the company to "spend a
lot of money" on security.