Massive Security Breach: Does TJX Get It?

Carl Weinschenk

There is a lot of interesting and distressing information emerging on the massive data breach at the TJX Companies, which owns TJ Maxx, Bob's Stores, Marshalls and other chains.


The breach was originally reported in January. However, the news this week is that the theft was even bigger than first thought. All told, information on at least 45.7 million credit and debit cards was stolen. This would make it the biggest data breach ever, according to the Ars Technica story.


This eWEEK story points to some language in the 10-K that should make corporate IT folks take notice. Here is the full paragraph of the passage excerpted in the piece:

Since discovering the Computer Intrusion, we have taken steps designed to strengthen the security of our computer systems and protocols and have instituted an ongoing program to continue to do so. Nevertheless, there can be no assurance that we will not suffer a future data compromise. We rely on commercially available systems, software, tools and monitoring to provide security for processing, transmission and storage of confidential customer information, such as payment card and personal information.

Let's take a closer look.


The first sentence says that the company has instituted a program to strengthen its security since the intrusion was identified. That could mean simply that remedial steps are being taken. We hope that another interpretation -- that not much was in place before the barn door was opened -- is not true. Realistically, we are sure that TJX had security in place. Our concern is that those measures may have been half-hearted or rudimentary.


The second sentence is a throw-away typical of the risk sections of SEC filings. The third -- which dovetails nicely with the first -- is disingenuous and unacceptable. TJX doesn't mosey on down to Best Buy or CompUSA and pick up whatever security software the vendor has decided to make available. Nor does it use the same credit card system as a corner hardware store. It doesn't need to rely on a system that, apparently, left the data partially unencrypted.


A company that had $16 billion in revenue last year basically tells vendors and service providers what it wants and when it wants it. The sentence is disturbing for a second reason: once the security systems are in place, TJX assumes full responsibility for them. Its security folks need to test and monitor the system. If there is a problem, they need to address it. Vendors have to help, but the buyer calls the shots.


We understand that TJX was attacked by smart thieves. We do not expect miracles, and know that there are no guarantees when working against the obviously brilliant bad guys who engineered this long-term heist. However, we are troubled when the company that lost the data tries to shift the blame.

Apr 4, 2007 9:38 AM mike says:
That is a joke. Let's put some facts into it: you did not want to pay for the servers or the people to keep your network safe, and that is that. Now they need to go and buy the programming and needed items to stop that and try one more time. If one of their stores shows up here in my city I will not use my credit card at all. They need to fine them like 10,000 per card they lost and they might get the point of how bad this is. mike g
Apr 5, 2007 5:29 PM annette higgins says:
I think TJX needs to admit the obvious. There is no way a security breach of this magnitude and length of time could occur without the aid of inside assistance. Unless the company is guilty of total negligence and stupidity, there had to be some level of complicity from an insider or insiders.
Apr 26, 2007 8:40 AM KK says:
TJX suffered a breach which cannot be attributed to systems, or more specifically, a system that "apparently, left the data partially unencrypted". Data is encrypted or not encrypted. Better to say maybe some of the data was left unencrypted in certain locations where it was exposed to whoever got it. The author's statement is not correct. The TJX breach, like most, was human error, management negligence and just plain stupidity. And for legal reasons and economic liability, TJX cannot admit that this was the cause of leaving the door open. So I agree with the final point: shifting the blame is troubling and usually means they know they blew it.
Apr 26, 2007 8:43 AM Carl Weinschenk says:
KK, you are correct. The sentence was awkwardly worded. Thanks.
