Regulator offers clues on TJX security failings

If company execs need a lesson on what not to do before and after a data breach, experts say there's plenty to learn from a regulatory document

Security experts aren't surprised that at least 45.7 million credit and debit cards were stolen in the TJX Companies data breach. Look at how the retail giant handled its customer data and it won't be hard to see how the bad guys made off with so much treasure, they say.

"The mistakes were many, but it started with a lack of security governance that was probably the result of the company being so big," Larry Ponemon, founder and chairman of the Elk Rapids, Mich.-based Ponemon Institute, said after reviewing details of a regulatory document the Framingham, Mass.-based retailer filed with the Securities and Exchange Commission (SEC) Wednesday.

In the document, TJX acknowledged that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. The company also disclosed that another 455,000 customers who returned merchandise without receipts were robbed of their driver's license numbers and other personal information.

Some experts say this represents the biggest data breach in history. By comparison, 26.5 million veterans and active duty personnel were affected by the theft of a Department of Veterans Affairs laptop and external hard drive last year. And in 2005, credit card transaction processor CardSystems Solutions Inc. acknowledged that hackers had stolen 263,000 customer credit card numbers and exposed 40 million more to fraud.

Ponemon said TJX was very disorganized in terms of understanding where they did and didn't have data protection in place and where the biggest security risks were. The company stumbled further in its handling of the aftermath.

"They didn't have the right people and processes in place, and it appears they sat on the information too long," he said. "They probably had an obligation to report this breach sooner to the banks that had to reissue credit cards and so on. The communication between TJX, the banks and others was not coordinated very well. This is costly for the small banks to deal with, and they need more advance notice of a breach so they can deal with it on their end."

Ponemon added that TJX appeared to lack the right mix of security technology, and that vulnerability assessments would have been helpful.

Deepak Taneja, CEO of Waltham, Mass.-based security compliance management firm Aveksa, said that if one reviews the details of TJX's SEC filing, it becomes clear that the scope of the breach is due to several years of poor security controls.

"You have to think of security as a combination of technology, people and the right business processes," he said. "The full extent of the breach is still unknown but it seems a lot of mistakes were made with unencrypted data and information being stored after it was no longer needed. There were multiple problems. It wasn't any single mistake."

Cliff Pollan is CEO of Acton, Mass.-based Lumigent Technologies Inc., which sells database auditing tools. He said TJX also lacked the ability to monitor its network and detect sinister activity sooner.

"It looks like someone added software to the network that was routinely accessing the database and transferring information," he said. "You need to be able to know when that type of thing is happening. You need to be able to monitor network activity and act on a timely basis."

Large companies that don't want to follow TJX as the next poster child of insecurity need to keep the following things in mind, the experts said:

  • Security programs must be layered with the right mix of technology and people and policies.

  • Enterprises must keep tabs on the level of access people have to the network inside and outside the company and be able to monitor user activity.

  • Companies need to have a firm grasp on what kind of data is traveling through the network and ensure that it's encrypted at every access point.
  • Read more on IT risk management