Did TJX take the right steps after data breach?

Security experts are mixed on whether TJX acted properly following a massive data breach last month. One expert says potential victims should have been notified sooner.

Security experts have mixed views on how retail giant TJX Companies Inc. handled the aftermath of a massive data breach, which may have exposed the credit card data of millions of customers.

One expert said the company, which runs several discount clothing and home goods stores, should have determined the size and scope of the breach more quickly and notified customers sooner. Another expert said the company seems to have acted properly by following the advice of law enforcement to not immediately make the breach public.

The Framingham, Mass.-based retailer said an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check, and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada. The intrusion may involve customers of its T.K. Maxx stores in the U.K. and Ireland and could also extend to TJX's Bob's Stores in the U.S., the company said.

The discovery was made in December, but the retailer said investigators asked to delay an immediate announcement of the breach during the initial part of the investigation.

Larry Ponemon, founder and chairman of the Ponemon Institute, said TJX's handling of the breach could have been better. For starters, he said, the company should have already determined the size of the data breach. "If you can't specify the likely amount of data that's been breached then it means that you don't have a good control system in place," he said. Another area where TJX may have slipped up is in notifying potential customers, Ponemon said, adding that victims should be contacted directly, rather than learning of the breach through a company press release or the news media.


David Taylor, vice president of data security strategies at Stamford, Conn.-based Protegrity Corp., offered a more sympathetic assessment. He said TJX appears to have acted properly by following the instructions of law enforcement not to go public with the breach immediately. The key, he said, is to be as open and honest as possible once the news does go public.

"If their attorneys and police say don't talk about this immediately after the breach, that's what they should tell the media," he said. "At least you're giving a reason for not being forthcoming. The more explicit you are on what happened and the steps you've taken, the more people will trust you. If you say you have everything under control without an explanation, nobody will believe you."

While data breaches have become more public, research conducted by the Ponemon Institute shows that the rate of data breaches is not changing.

"In reality, data breaches have been happening for decades," Ponemon said. "What is changing are the data breach laws."

More than 30 states have passed laws similar to a California requirement that companies inform victims of a data breach.

In a study released in October 2006, the Ponemon Institute found that data breaches cost companies an average of $182 per compromised record, a 31% increase over 2005. Ponemon studied 31 companies that experienced a data breach. The total costs for each loss ranged from less than $1 million to more than $22 million, according to the 2006 findings.

Still, some companies are ambivalent towards data security, Ponemon said.

"There are many more companies that are still complacent about the whole thing and don't worry and understand the economic impacts," he said.

If there's one thing Taylor has learned from investigating data breaches over the years, it's that companies only increase their security spending after they've been hacked. He expects the trend to continue with TJX.

"The difference in security budgets between companies that have been breached or not breached is big," he said. "A company that hasn't suffered a breach might have a budget of $500,000 dollars. A company that has suffered a breach will more likely have a budget of $5 million."

Now that TJX has been hit, Taylor expects the company to "spend a lot of money" on security.
