Update: TJX says data breach worse than previously believed

An ongoing probe shows it happened almost a year earlier than first thought

There's more bad news from Framingham, Mass.-based retailer TJX Companies Inc. regarding the massive data breach disclosed last month.

An ongoing investigation of the breach has shown that intruders gained access to TJX systems almost a full year earlier than first thought -- and compromised more payment card data than previously believed, the company said in a statement issued yesterday.

The investigation has also confirmed that card transaction data involving TJX-owned stores in the U.K. and Ireland was also affected by the intrusion. Previously, the company had only said that it was "concerned" about this possibility.

TJX is the owner of stores such as TJ Maxx, Marshalls and Bob's Stores. In January, the company announced that someone had illegally accessed one of its payment systems and made off with card data belonging to an unspecified number of customers in the U.S., Canada and Puerto Rico, as well as potentially the U.K. and Ireland.

"We are dedicating substantial resources to investigating and evaluating the intrusion," TJX's new CEO Carol Meyrowitz said in the statement. IBM and General Dynamics Corp., the two companies hired by TJX to shore up security in the wake of the breach, have committed "over 50 experts" to handle the probe, she said.

TJX still hasn't disclosed the number of shoppers that may have been affected by the breach, though many analysts believe the number to be in the millions. When it first announced the breach, TJX said it believed the intrusion took place in May 2006 but wasn't discovered until December, seven months later.

The ongoing investigation found that intruders, in fact, gained access to the company's systems as far back as July 2005 and "on various subsequent dates in 2005." Similarly, payment card data involving transactions over an 18-month period between January 2003 and June 2004 has also been compromised -- as well as more driver's license information than previously thought, the company said. Until now, TJX was only able to confirm the compromise of data involving transactions in 2005 and for the period between May 2006 and December 2006.

One way to interpret yesterday's update from the company is that law enforcement officials could be getting closer to tracking the perpetrators down, said Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc.

"I think they have pinpointed [the intruders] down to a large degree and may have found files indicating that 2005 [card] data was stolen," she said.

It is also possible that the information was uncovered by some "really great forensics work" by the investigating team, she said. But that appears unlikely because TJX doesn't seem to have had much of an auditing system in place to enable such forensics activity, she said. If they did, signs of an earlier intrusion or broader compromise would have been picked up much sooner.

TJX's latest disclosure is not all that surprising, and it points to a near total lack of internal data controls at many large companies, security analysts said.

"When it comes right down to it, very few companies have put in place effective controls that enable them to monitor internal systems closely and ... follow the movement of data" on their networks, said Alex Bakman, CEO of Ecora Software Corp. That makes it possible for such breaches to go unnoticed for a long time indeed, he said.

Standards such as the Payment Card Industry Data Security Standard require companies such as TJX to put in place internal controls over their data via measures such as data encryption and strong access control, he said. But very few of the top companies have yet implemented those requirements -- even though they became effective more than 18 months ago.

"The underlying problem is that companies are treating security as a 'nice to have' as opposed to a 'must have,'" he said. "TJX is just the tip of the iceberg. I think we are going to see many more [such disclosures]. It's going to get a lot uglier before it gets any better."

Joel Rosen, CEO of security vendor Tizor Systems, said that TJX is not alone. "Many companies that relied on traditional security are just coming to terms with the fact that beefing up existing systems is not the answer.

"Without real-time insight into what is happening with the data, these breaches could go unnoticed for a very, very long time," he said. "If companies rely on log data that needs to be sifted through manually, it requires huge effort and time to detect unusual activity...."

The fallout from the breach has been widespread, with banks and credit unions around the country as well as in Canada being forced to block and reissue thousands of cards. The New Hampshire Bankers Association has estimated that as many as 20% to 30% of people in New England may have been touched by the breach.

The TJX breach has also prompted the Massachusetts Bankers Association to more actively campaign for legislation that would hold breached entities liable to card-issuing banks for the costs involved in blocking and re-issuing cards, closing and opening accounts and other similar measures. It has also prompted a smattering of class-action lawsuits.

Such breaches are certainly increasing the discussion about class-action lawsuits against breached entities, said Mark Hayes, a partner at Blake Cassels & Graydon LLP in Toronto and the current chair of the Ontario Bar Association Privacy Section. "But generally the [negative] publicity from the breaches generally exceeds [the] damage that is being suffered from them," he said.

As a result, despite all the talk about companies facing lawsuits because of breaches, there very often is little "cause for action" from a legal standpoint -- at least in Canada, Hayes said. "In most of these situations, despite all the headlines" there is relatively little financial damage that consumers directly bear, he said. "Even if you prove liability it is extremely difficult to show damage."

Copyright © 2007 IDG Communications, Inc.