There is a lot of interesting and distressing information emerging on the massive data breach against the TJX Companies, which own TJ Maxx, Bob's Stores, Marshalls and others.
The breach was originally reported in January. However, the news this week is that the theft was even bigger than first thought. All told, information on at least 45.7 million credit and debit cards was stolen. This would make it the biggest data breach ever, according to the Ars Technica story.
Since discovering the Computer Intrusion, we have taken steps designed to strengthen the security of our computer systems and protocols and have instituted an ongoing program to continue to do so. Nevertheless, there can be no assurance that we will not suffer a future data compromise. We rely on commercially available systems, software, tools and monitoring to provide security for processing, transmission and storage of confidential customer information, such as payment card and personal information.
Let's take a closer look.
The first sentence says that the company has instituted a program to strengthen its security since the intrusion was identified. That could mean simply that remedial steps are being taken. We clearly hope that another interpretation -- that nothing much was in place before the barn door was opened -- is not true. Realistically, we are sure that TJX had security in place. Our concern is that such steps may have been half-hearted or rudimentary.
The second sentence is a throw-away typical of the risk sections of SEC filings. The third -- which dovetails nicely with the first -- is disingenuous and unacceptable. TJX doesn't mosey on down to Best Buy or CompUSA and pick up whatever security software the vendor has decided to make available. Nor does it use the same credit card system as a corner hardware store. It doesn't need to rely on a system that, apparently, left the data partially unencrypted.
A company that had $16 billion in revenue last year basically tells vendors and service providers what it wants and when it wants it. The sentence is disturbing for a second reason: Once the security systems are created, TJX takes over full responsibility. Its security folks need to test and monitor the system. If there is a problem, they need to address it. Vendors have to help, but the buyer calls the shots.
We understand that TJX was attacked by smart thieves. We do not expect miracles, and know that there are no guarantees when working against the obviously brilliant bad guys who engineered this long-term heist. However, we are troubled when the company that lost the data tries to shift the blame.