One year later: Five takeaways from the TJX breach
The retailer has survived the massive data theft, but the card industry remains unsettled
The data compromise at the Framingham, Mass.-based retailer began in mid-2005, with system intrusions at two Marshalls stores in Miami via poorly protected wireless LANs. The intruders who broke into TJX's payment systems remained undetected for 18 months, during which time they downloaded a total of 80GB of cardholder data.
TJX eventually said that 45.6 million card numbers belonging to customers in multiple countries were stolen from its systems. Even that number may be far too low: A group of banks that is suing the retailer claimed in an October court filing that information about 94 million cards was exposed during the serial intrusions.
The sheer size of the data theft puts TJX in a league of its own among companies hit by such incidents, and the breach has made it something of a poster child for sloppy data security practices among retailers. In addition, the breach highlighted several familiar issues and some not-so-familiar ones.
Here, on the one-year anniversary of the breach becoming known, are five takeways for security managers:
Breach disclosures don't always affect revenue or stock prices ...
Despite being the biggest, costliest and perhaps most written-about breach ever, customer and investor confidence in TJX has remained largely unshaken. TJX's stock was worth about $30 per share when the breach was disclosed, and its closing price today was just over $29. Meanwhile, the retailer said this month that in the 48-week period that ended Jan. 5, its consolidated comparable-store sales increased 4% from the year-earlier level.
Clearly, TJX's customers weren't as concerned about the breach as many observers had expected they would be. Much of that no doubt has to do with the fact that consumers realize they themselves won't have to pay for any fraud that might result from payment card compromises, said Avivah Litan, an analyst at Gartner Inc.
... but they can be costly
TJX has said that in the 12 months since the breach was disclosed, it has spent or set aside about $250 million in breach-related costs. That includes the costs associated with fixing the security flaws that led to the breach, as well as dealing with all of the claims, lawsuits and fines that followed the breach.
For instance, settlements reached by TJX include offers of free credit-monitoring services for three years to consumers whose driver's license numbers were exposed in the breach, plus cash reimbursements, vouchers and a promised three-day customer appreciation event this year, during which the company plans to offer 15% discounts on all goods.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Enhancing Application Protection and Recovery with a Modern Approach to Snapshot Management This CommVault Business Value and Technology White Paper explains how Simpana IntelliSnap® Recovery Manager can make your application recovery fast and reliable.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts