Breach at TJX Puts Card Info at Risk
Network intrusion shows IT security still not up to snuff at some retailers, despite push for stronger protections
January 22, 2007 12:00 PM ETComputerworld -
The TJX Companies Inc. last week disclosed a wide-ranging security breach involving credit and debit card data, providing fresh evidence that IT security remains fragile at some retailers despite attempts by credit card companies to get them to better protect their data.
Framingham, Mass.-based TJX said an “unauthorized intruder” gained access to its systems in mid-December and may have made off with the card data of customers in the U.S., Canada and Puerto Rico, as well as the U.K. and Ireland. The retailer didn’t disclose the number of shoppers that may have been affected by the breach, saying that the full extent of the data theft “is not yet known.”
TJX, which owns retail chains such as TJ Maxx, Marshalls and HomeGoods, has since hired both IBM and General Dynamics Corp. to help it evaluate the extent of the data compromises and implement unspecified security upgrades.
At least some of the stolen information appears to have been so-called Track 2 data taken from the magnetic stripes on the back of credit and debit cards, said Benson Bolling, assistant vice president of lending at the Alabama Credit Union in Tuscaloosa.
The credit union is recalling and replacing about 2,900 Visa debit and credit cards after having received multiple alerts last week from Visa U.S.A. Inc. about card information — including Track 2 data — being compromised in a retail breach. The alerts didn’t identify the retailer involved in the breach, Bolling said.
Track 2 data includes account numbers, expiration dates and encrypted personal identification numbers, plus other information that card-issuing banks can include at their discretion. Retailers are forbidden from storing such information under the Payment Card Industry (PCI) Data Security Standard being pushed by Visa, MasterCard International Inc. and other credit card companies. But many retailers continue to do so, often because their point-of-sale systems capture and store the data by default.
Further Protections
The breach at TJX shows why it’s so vital to purge the Track2 data from systems, said David Taylor, vice president of data security strategies at Protegrity Corp., a Stamford, Conn.-based company that offers PCI compliance services. It also underscores the importance of encrypting sensitive data, another step that the PCI standard requires, Taylor said.
The latest incident is sure to lend even more urgency to efforts to get retailers to adopt the PCI requirements, said Avivah Litan, an analyst at Gartner Inc. Litan said that thus far, only about 50% of Tier 1 merchants — those processing more than 6 million credit card transactions per month — have become fully compliant with PCI, which went into effect 18 months ago.
IT security
Additional Resources



White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
