One year later: Five takeaways from the TJX breach
The retailer has survived the massive data theft, but the card industry remains unsettled
The data compromise at the Framingham, Mass.-based retailer began in mid-2005, with system intrusions at two Marshalls stores in Miami via poorly protected wireless LANs. The intruders who broke into TJX's payment systems remained undetected for 18 months, during which time they downloaded a total of 80GB of cardholder data.
TJX eventually said that 45.6 million card numbers belonging to customers in multiple countries were stolen from its systems. Even that number may be far too low: A group of banks that is suing the retailer claimed in an October court filing that information about 94 million cards was exposed during the serial intrusions.
The sheer size of the data theft puts TJX in a league of its own among companies hit by such incidents, and the breach has made it something of a poster child for sloppy data security practices among retailers. In addition, the breach highlighted several familiar issues and some not-so-familiar ones.
Here, on the one-year anniversary of the breach becoming known, are five takeways for security managers:
Breach disclosures don't always affect revenue or stock prices ...
Despite being the biggest, costliest and perhaps most written-about breach ever, customer and investor confidence in TJX has remained largely unshaken. TJX's stock was worth about $30 per share when the breach was disclosed, and its closing price today was just over $29. Meanwhile, the retailer said this month that in the 48-week period that ended Jan. 5, its consolidated comparable-store sales increased 4% from the year-earlier level.
Clearly, TJX's customers weren't as concerned about the breach as many observers had expected they would be. Much of that no doubt has to do with the fact that consumers realize they themselves won't have to pay for any fraud that might result from payment card compromises, said Avivah Litan, an analyst at Gartner Inc.
... but they can be costly
TJX has said that in the 12 months since the breach was disclosed, it has spent or set aside about $250 million in breach-related costs. That includes the costs associated with fixing the security flaws that led to the breach, as well as dealing with all of the claims, lawsuits and fines that followed the breach.
For instance, settlements reached by TJX include offers of free credit-monitoring services for three years to consumers whose driver's license numbers were exposed in the breach, plus cash reimbursements, vouchers and a promised three-day customer appreciation event this year, during which the company plans to offer 15% discounts on all goods.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!