TJX gets little sympathy from blogosphere

TJX is taken to task by security bloggers for waiting until after a massive data breach to take steps to bolster its security.


If anyone has sympathy for TJX Companies Inc. in the wake of a massive data breach that may have exposed the credit card data of millions of customers, they're not expressing it in the blogosphere.

The Framingham, Mass.-based retail giant acknowledged that an attacker exploited a flaw in a portion of TJX's computer network that handles credit card, debit card, check, and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada.

The intrusion may involve customers of its T.K. Maxx stores in the U.K. and Ireland and could also extend to TJX's Bob's Stores in the U.S., the company said. The discovery was made in December, but the retailer said investigators asked to delay an immediate announcement of the breach during the initial part of the investigation.

Security bloggers were buzzing about the data breach within hours of TJX's announcement, and, as expected, the reaction was mostly critical.

Some agreed with security experts like Larry Ponemon, founder and chairman of the Ponemon Institute, who said in an interview Thursday that TJX's handling of the breach could have been better.

About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected].

For starters, he said, the company should have already determined the size of the data breach. "If you can't specify the likely amount of data that's been breached then it means that you don't have a good control system in place," he said. Another area where TJX may have slipped up is in notifying potentially affected customers, Ponemon said, adding that victims should be contacted directly, rather than learning of the breach through a company press release or the news media.

Other bloggers took TJX to task for waiting until after a data breach to outline a plan to bolster security.

Dan Sullivan, a systems architect with experience in IT security, focused on TJX's plans to improve security going forward in his blog.

To TJX's claim that it has significantly tightened the defenses of its computer systems with help from security experts, Sullivan wrote, "So attackers break in and a month later the company has a plan to prevent future breaches. This begs the question, if the plan was so easy to formulate why wasn't it done before?"

He said this latest data breach should serve as a lesson to enterprises: "We need to lock down networks before, not just after attacks," he wrote.

The Identity Theft Prevention Institute blog offered a similar assessment. Steffen Schmidt, a contributor to the blog, wrote that "after the horses left the barn and ran away they decided to close and lock the barn!"

To TJX CEO Ben Cammarata's public statement that customers should feel safe shopping in the company's stores, Schmidt joked, "Sure, just use cash!"

This, he added, "is just one more example of major corporations' sloppy behavior with sensitive information of their customers."

In fairness to TJX, at least one security expert thinks the company probably acted properly by heeding the advice of investigators not to immediately disclose what had happened.

David Taylor, vice president of data security strategies at Stamford, Conn.-based Protegrity Corp., said the key is to be as open and honest as possible once the news does go public.

"If their attorneys and police say don't talk about this immediately after the breach, that's what they should tell the media," he said. "At least you're giving a reason for not being forthcoming. The more explicit you are on what happened and the steps you've taken, the more people will trust you. If you say you have everything under control without an explanation, nobody will believe you."
