Will data breach be the end of TJX?

This week in Security Blog Log: Industry experts say companies can learn from a data breach and even prosper from it. But is TJX following the right example?


After writing about TJX Companies Inc.'s admission that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network, I scoured the blogosphere to see what security experts had to say about this latest development.

In the process, I found a couple of interesting blog entries about how data breaches can actually be good for companies if they learn the right lessons from them and deal with the aftermath as openly and honestly as possible.

Unfortunately for TJX, nobody seems to be suggesting that they are traveling along the path to redemption.

The Framingham, Mass.-based retail giant finally gave a tally of the damage in a regulatory filing with the Securities and Exchange Commission (SEC) Wednesday. Along with the 45.7 million estimate, the company said another 455,000 customers who returned merchandise without receipts were robbed of their driver's license numbers and other personal information. That makes this the largest data breach in history, some experts say.

In his Daily Incite blog, Mike Rothman, president and principal analyst of Security Incite in Atlanta, wrote that a data breach disclosure doesn't have to be the end of the company affected.

"If a compromised company aggressively communicates what happened, what they are going to do for customers, and what they are doing to make sure it doesn't happen again, they can certainly recover," he said. "Those that stonewall customers [and] leave them hanging out to dry and basically point the finger at someone else don't fare as well."

He suggested that TJX's actions fall into the latter category.

Security expert Adam Shostack doesn't mention TJX specifically in his latest Emergent Chaos blog posting. But his synopsis of a presentation he delivered at last week's Shmoocon conference in Washington does offer some good food for thought.

His presentation, "Security Breaches are Good for You," describes how data breaches can lead to better security going forward.

"The reason that breaches are so important is that they provide us with an objective and hard to manipulate data set which we can use to look at the world. It's a basis for evidence in computer security," he wrote. "Breaches offer a unique and new opportunity to study what really goes wrong. They allow us to move beyond purely qualitative arguments about how bad things are, or why they are bad, and add quantification."

Time to update that blog
Moving on to another matter, those who follow the blog of Oracle CSO Mary Ann Davidson will notice that she hasn't updated it since Jan. 29. There are plenty of good reasons why bloggers sometimes go for long stretches without adding fresh posts. Most have day jobs and busy families that can make it hard to blog daily, and Davidson obviously is a very busy woman.

But here's what bothers me about her blog:

In her last posting she talks a lot about what was expected to be a strong Oracle presence at the RSA conference in San Francisco. Among other things, she beamed about the fact that her boss, CEO Larry Ellison, would be delivering a keynote.

"We have a very dynamic CEO who is a great speaker and who really Gets Security and has as long as I have been with the company," she wrote. "So yes, I and all the other Oracle security weenies I know are really thrilled that Larry is speaking and nobody is going to miss this. You shouldn't, either."

The trouble is twofold -- one, the RSA conference was almost two months ago. Two, Ellison never showed up to deliver that keynote.

Oracle has caught plenty of flak for not being on top of its security game. To be fair, the company has taken some encouraging steps in recent months to improve the patching process for DBAs, including its decision to streamline the quarterly patch bulletin, offer more details about its security holes and even offer advance notice on upcoming fixes.

But when the database giant's main security voice stays silent for long periods of time and leaves her blog out of date, it doesn't help to bolster the company's image.

About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected].