Security experts aren't surprised that data on at least
45.7 million credit and debit cards was stolen in the TJX
Companies data breach. Look at how the retail giant handled its
customer data, they say, and it isn't hard to see how the attackers
made off with so much.
"The mistakes were many, but it started with a lack of security
governance that was probably the result of the company being so
big," Larry Ponemon, founder and chairman of the Elk Rapids,
Mich.-based Ponemon Institute, said after reviewing details of a
regulatory document the Framingham, Mass.-based
retailer filed with the Securities and Exchange Commission (SEC)
Wednesday.
In the document, TJX acknowledged that data on at least 45.7 million
credit and debit cards was stolen over an 18-month period by
hackers who penetrated its network. The company also
disclosed that another 455,000 customers who returned merchandise
without receipts had their driver's license numbers and
other personal information taken.
Some experts say this represents the biggest data breach in
history. By comparison,
26.5 million veterans and active duty personnel
were affected by the theft of a Department of Veterans Affairs
laptop and external hard drive last year. And in 2005,
credit card transaction processor
CardSystems Solutions Inc. acknowledged that
hackers had stolen 263,000 customer credit card numbers and
exposed 40 million more to fraud.
Ponemon said TJX was disorganized about understanding where it
did and did not have data protection in place and where its
biggest security risks lay. The company stumbled further in
its handling of the aftermath.
"They didn't have the right people and processes in place, and
it appears they sat on the information too long," he said. "They
probably had an obligation to report this breach sooner to the
banks that had to reissue credit cards and so on. The communication
between TJX, the banks and others was not coordinated very well.
This is costly for the small banks to deal with, and they need more
advance notice of a breach so they can deal with it on their
end."
Ponemon added that TJX appeared to lack the right mix of
security technology, and that vulnerability assessments would have
been helpful.
Deepak Taneja, CEO of Waltham, Mass.-based security compliance
management firm Aveksa, said that if one reviews the details of
TJX's SEC filing, it becomes clear that the scope of the breach is
due to several years of poor security controls.
"You have to think of security as a combination of technology,
people and the right business processes," he said. "The full extent
of the breach is still unknown but it seems a lot of mistakes were
made with unencrypted data and information being stored after it
was no longer needed. There were multiple problems. It wasn't any
single mistake."
Cliff Pollan is CEO of Acton, Mass.-based Lumigent Technologies
Inc., which sells database auditing tools. He said TJX also lacked
the ability to monitor its network and detect sinister activity
sooner.
"It looks like someone added software to the network that was
routinely accessing the database and transferring information," he
said. "You need to be able to know when that type of thing is
happening. You need to be able to monitor network activity and act
on a timely basis."
Large companies that don't want to follow TJX as the next poster
child for insecurity need to keep the following in mind, the
experts said:
- Security programs must be layered, with the right mix of
technology, people and policies.
- Enterprises must keep tabs on the level of network access people
have, inside and outside the company, and be able to monitor
user activity.
- Companies need a firm grasp of what kind of data is traveling
through the network and must ensure it is encrypted wherever it
is stored or transmitted.
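Pollan's point about software that "was routinely accessing the database and transferring information," and the list item above about monitoring user activity, both come down to one concrete capability: reading the database audit trail and noticing a client that pulls card data on a schedule and in bulk. The script below is an added example, not code from TJX or from any of the vendors quoted; the audit-log line format, the sample lines, the column names treated as card data (`pan`, `track2`, `cvv`) and the allow-list of hosts expected to read them are all constructed for illustration. It flags a principal on two grounds: reading card columns from a host that has no business doing so, and issuing card-column reads at a near-constant interval whose combined row count exceeds a threshold, which is what a scripted exfiltration job looks like in an audit log.

```python
"""Spot a process that repeatedly pulls card data out of a database.

Added example, not TJX's or any vendor's code. The audit-log format and the
sample lines are constructed; real database audit trails differ in layout
but carry the same fields: time, principal, client host, statement, rows.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed sample: a nightly settlement job (expected), an analyst running
# aggregate queries (expected), and an implanted process that reads card
# columns every 15 minutes from an unexpected host, a few thousand rows a time.
SAMPLE_AUDIT_LOG = """\
2007-03-01T02:00:03 user=batch_settle host=10.1.1.20 rows=52000 stmt=SELECT pan,expiry FROM card_txn WHERE txn_date='2007-02-28'
2007-03-01T09:12:41 user=analyst1 host=10.1.5.7 rows=40 stmt=SELECT store_id,count(*) FROM card_txn GROUP BY store_id
2007-03-01T10:00:02 user=svc_report host=10.44.2.9 rows=4800 stmt=SELECT pan,expiry,track2 FROM card_txn WHERE id>100000
2007-03-01T10:15:01 user=svc_report host=10.44.2.9 rows=4750 stmt=SELECT pan,expiry,track2 FROM card_txn WHERE id>104800
2007-03-01T10:30:02 user=svc_report host=10.44.2.9 rows=4900 stmt=SELECT pan,expiry,track2 FROM card_txn WHERE id>109550
2007-03-01T10:45:01 user=svc_report host=10.44.2.9 rows=4820 stmt=SELECT pan,expiry,track2 FROM card_txn WHERE id>114450
2007-03-01T11:00:02 user=svc_report host=10.44.2.9 rows=4910 stmt=SELECT pan,expiry,track2 FROM card_txn WHERE id>119270
2007-03-01T11:03:15 user=analyst1 host=10.1.5.7 rows=12 stmt=SELECT store_id,sum(amount) FROM card_txn WHERE store_id=17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"rows=(?P<rows>\d+) stmt=(?P<stmt>.*)$"
)
# Assumptions for the constructed environment: which columns hold card data,
# and which database clients are expected to read those columns at all.
SENSITIVE_COLUMNS = {"pan", "track2", "cvv"}
ALLOWED_CARD_READERS = {"10.1.1.20"}  # the nightly settlement host


def parse_audit_log(text):
    """Turn audit-log lines into event dicts; lines that don't parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "host": m["host"],
            "rows": int(m["rows"]),
            "stmt": m["stmt"],
        })
    return events


def reads_card_data(stmt):
    """True if the statement names any sensitive column (token match, case-insensitive)."""
    tokens = set(re.findall(r"[a-z_][a-z0-9_]*", stmt.lower()))
    return bool(tokens & SENSITIVE_COLUMNS)


def detect(log_text, min_reads=3, row_threshold=10000, max_jitter_s=30.0):
    """Return alerts for principals that pull card data in a suspicious pattern.

    Two checks run per (user, host) pair over its card-column reads:
      1. the client host is not one expected to read card data at all;
      2. the reads recur at a near-constant interval (scripted, not human)
         and together exceed row_threshold rows, i.e. a scheduled bulk pull.
    """
    by_principal = defaultdict(list)
    for ev in parse_audit_log(log_text):
        if reads_card_data(ev["stmt"]):
            by_principal[(ev["user"], ev["host"])].append(ev)

    alerts = []
    for (user, host), evs in sorted(by_principal.items()):
        evs.sort(key=lambda e: e["ts"])
        total_rows = sum(e["rows"] for e in evs)
        if host not in ALLOWED_CARD_READERS:
            alerts.append({"user": user, "host": host, "rows": total_rows,
                           "reason": "card data read from unexpected host"})
        if len(evs) >= min_reads:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
            jitter = statistics.stdev(gaps) if len(gaps) > 1 else 0.0
            if jitter <= max_jitter_s and total_rows >= row_threshold:
                alerts.append({"user": user, "host": host, "rows": total_rows,
                               "period_s": round(statistics.mean(gaps)),
                               "reason": "periodic bulk read of card data"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(alert)
```

On the constructed sample, the settlement job reads far more rows in one go than the implant does in any single query, but it runs once, from the expected host, so it produces no alert; the implant is caught both for its host and for its 900-second cadence. That is the reason to key the periodic check on regularity plus cumulative volume rather than on per-query row counts: an attacker who keeps each pull small still has to come back on a schedule.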