One year ago Thursday, The TJX Companies Inc. disclosed what has turned out to be the largest information security breach involving credit and debit card data — thus far, at least.
The data compromise at the Framingham, Mass.-based retailer began in mid-2005, with system intrusions at two Marshalls stores in Miami via poorly protected wireless LANs. The intruders who broke into TJX’s payment systems remained undetected for 18 months, during which time they downloaded a total of 80GB of cardholder data.
TJX eventually said that 45.6 million card numbers belonging to customers in multiple countries were stolen from its systems. Even that number may be far too low: A group of banks that is suing the retailer claimed in an October court filing that information about 94 million cards was exposed during the serial intrusions.
The sheer size of the data theft puts TJX in a league of its own among companies hit by such incidents, and the breach has made it something of a poster child for sloppy data security practices among retailers. In addition, the breach highlighted several familiar issues and some not-so-familiar ones.
Here, on the one-year anniversary of the breach becoming known, are five takeways for security managers:
Breach disclosures don’t always affect revenue or stock prices …
Despite being the biggest, costliest and perhaps most written-about breach ever, customer and investor confidence in TJX has remained largely unshaken. TJX’s stock was worth about US$30 per share when the breach was disclosed, and its closing price today was just over $29. Meanwhile, the retailer said this month that in the 48-week period that ended Jan. 5, its consolidated comparable-store sales increased 4% from the year-earlier level.
Clearly, TJX’s customers weren’t as concerned about the breach as many observers had expected they would be. Much of that no doubt has to do with the fact that consumers realize they themselves won’t have to pay for any fraud that might result from payment card compromises, said Avivah Litan, an analyst at Gartner Inc.
… but they can be costly
TJX has said that in the 12 months since the breach was disclosed, it has spent or set aside about $250 million in breach-related costs. That includes the costs associated with fixing the security flaws that led to the breach, as well as dealing with all of the claims, lawsuits and fines that followed the breach.
For instance, settlements reached by TJX include offers of free credit-monitoring services for three years to consumers whose driver’s license numbers were exposed in the breach, plus cash reimbursements, vouchers and a promised three-day customer appreciation event this year, during which the company plans to offer 15% discounts on all goods.
“I think a lot of companies are seeing how costly these breaches can get,” said Forrester Research Inc. analyst Khalid Kark. As a result, there’s a lot more awareness in the executive suite about the need for security controls, Kark said. He previously estimated that the breach at TJX could end up costing the company $1 billion over the next few years.
PCI remains a work in progress
The breach brought to light the fact that many retailers, including top-tier ones like TJX, had not yet fully implemented the set of security controls mandated by the major credit card companies under the Payment Card Industry Data Security Standard, or PCI. The rules took effect in June 2005, and required merchants — especially ones such as TJX that process a high volume of card transactions annually — to implement 12 broad security controls for protecting customer data.
But court documents filed by the banks that are suing TJX allege that the company wasn’t compliant with nine of the mandated controls during the period when the intrusions were taking place. And TJX was by no means alone. In response to the slow adoption of the PCI controls, Visa Inc. threatened to start imposing hefty fines and higher transaction fees on merchants if they didn’t become compliant by the end of last September.
Visa won’t disclose whether it has fined any merchants since then, but there is ample anecdotal evidence that it has.
The card payment process has issues
The TJX breach exposed a fundamental rift, with banks and credit card companies on one side and merchants on the other. In several states, credit unions and smaller banks have lobbied the legislatures to pass new laws requiring retailers to reimburse them for the costs involved in notifying customers of breaches and reissuing cards.
But the lobbying attempts failed everywhere except in Minnesota, which last May approved the Plastic Card Security Act — a law that holds breached entities financially responsible if they were storing prohibited card data on their systems.
In fighting the state bills, retailers have argued that the commissions they pay to card companies on each transaction are supposed to cover fraud-related costs, making any additional payments a double penalty. They also said that the only reason they store payment card data is because they’re required to by the credit card companies. In October, the National Retail Federation (NRF) asked Visa and the other card companies to drop that requirement.
The NRF’s request is echoed by Litan, who long has argued for fundamental changes in the card industry’s payment process, via the introduction of measures such as one-time passwords and all PIN-based transactions.
The bad guys remain hard to catch
For all the attention paid to the breach by TJX, and all the hired forensics experts and law enforcement authorities on the case, the perpetrators thus far haven’t been tracked down. Some individuals who allegedly used card numbers stolen in the breach have been arrested. But the hackers themselves have remained frustratingly out of reach, as is the case in most breaches.
“The crooks are still at it,” Litan said. “They probably will strike again. They’re laughing all the way to the bank.”