If anyone has sympathy for TJX Companies Inc. in the wake of a
massive data breach that may have exposed the
credit card data of millions of customers, they're not
expressing it in the blogosphere.
The Framingham, Mass.-based retail giant acknowledged that an
attacker exploited a flaw in a portion of TJX's computer network
that handles credit card, debit card, check, and merchandise return
transactions for customers of its T.J. Maxx, Marshalls, HomeGoods
and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners
and HomeSense stores in Canada.
The intrusion may involve customers of its T.K. Maxx stores in
the U.K. and Ireland and could also extend to TJX's Bob's Stores in
the U.S., the company said. The discovery was made in December, but
the retailer said investigators asked to delay an immediate
announcement of the breach during the initial part of the
investigation.
Security bloggers were buzzing about the data breach within
hours of TJX's announcement, and, as expected, the reaction was
mostly critical.
Some agreed with security experts like Larry Ponemon, founder
and chairman of the Ponemon Institute, who said in an
interview Thursday that TJX's handling of the breach could have
been better.
For starters, he said, the company should have already
determined the size of the data breach. "If you can't specify the
likely amount of data that's been breached then it means that you
don't have a good control system in place," he said. Another area
where TJX may have slipped up is in notifying potential customers,
Ponemon said, adding that victims should be contacted directly,
rather than learning of the breach through a company press release
or the news media.
Other bloggers took TJX to task for waiting until after a data
breach to outline a plan to bolster security.
Dan Sullivan, a systems architect with experience in IT
security, focused on TJX's plans to improve security going forward
in his blog.
To TJX's claim that it has significantly tightened the defenses
of its computer systems with help from security experts, Sullivan
wrote, "So attackers break in and a month later the company has a
plan to prevent future breaches. This begs the question, if the
plan was so easy to formulate why wasn't it done before?"
He said this latest data breach should serve as a lesson to
enterprises: "We need to lock down networks before, not just after
attacks," he wrote.
The Identity Theft Prevention Institute blog offered a similar
assessment. Steffen Schmidt, a contributor to the blog, wrote that
"after the horses left the barn and ran away they decided to close
and lock the barn!"
To TJX CEO Ben Cammarata's public statement that customers
should feel safe shopping in the company's stores, Schmidt joked,
"Sure, just use cash!"
This, he added, "is just one more example of major corporations'
sloppy behavior with sensitive information of their customers."
In fairness to TJX, at least one security expert thinks the
company probably acted properly by heeding the advice of
investigators not to immediately disclose what had happened.
David Taylor, vice president of data security strategies at
Stamford, Conn.-based Protegrity Corp., said the key is to be as
open and honest as possible once the news does go public.
"If their attorneys and police say don't talk about this
immediately after the breach, that's what they should tell the
media," he said. "At least you're giving a reason for not being
forthcoming. The more explicit you are on what happened and the
steps you've taken, the more people will trust you. If you say you
have everything under control without an explanation, nobody will
believe you."