http://www.informationweek.com/news/showArticle.jhtml?articleID=201400171
By Larry Greenemeier
InformationWeek
August 11, 2007
TJX will be glad when this year is over. The $17 billion-a-year parent
company of T.J. Maxx, Marshall's, and several other discount retail
chains has spent the past eight months dealing with the largest breach
of customer data in U.S. history, the details of which are starting to
come to light.
Last December, TJX says it alerted law enforcement that data thieves had
made off with more than 45 million customer records. Since that time, at
least one business, Wal-Mart, has lost millions of dollars as a result
of the theft, while TJX has spent more than $20 million investigating
the breach, notifying customers, and hiring lawyers to handle dozens of
lawsuits from customers and financial institutions. Should TJX lose in
the courts, it could be on the hook for millions more in damages.
But there's an even broader TJX Effect: The data breach, which actually
took place over a period of years, has put the entire retail industry on
the defensive and stirred up demands for all businesses that handle
payment card information to do a better job of protecting it.
Legislators are invoking TJX's name to fast-track data-security bills.
Few details of the TJX debacle have been made public by the company or
investigators. As recently as June, TJX said in a regulatory filing that
it didn't know "who took this action, whether there were one or more
intruders involved, or whether there was one continuing intrusion or
multiple, separate intrusions." Still, important details can be gleaned
from internal and external sources.
Poorly secured in-store computer kiosks are at least partly to blame for
acting as gateways to the company's IT systems, InformationWeek has
learned. According to a source familiar with the investigation who
requested anonymity, the kiosks, located in many of TJX's retail stores,
let people apply for jobs electronically but also allowed direct access
to the company's network, as they weren't protected by firewalls. "The
people who started the breach opened up the back of those terminals and
used USB drives to load software onto those terminals," says the source.
In a March filing with the Securities and Exchange Commission, TJX
acknowledged finding "suspicious software" on its computer systems.
The USB drives contained a utility program that let the intruder or
intruders take control of these computer kiosks and turn them into
remote terminals that connected into TJX's networks, according to the
source. The firewalls on TJX's main network weren't set to defend
against malicious traffic coming from the kiosks, the source says.
Typically, the USB ports on such kiosks are used only to plug in mice
or printers. The kiosks "shouldn't have been on the corporate LAN, and
the USB ports should have been disabled," the source says.
In May, The Wall Street Journal cited a separate entry point, reporting
that data thieves had accessed an improperly secured Wi-Fi network from
the parking lot of a Marshall's store in St. Paul, Minn. The thieves
reportedly used a wireless data poaching tactic called "wardriving" and
exploited the deficiencies of the aging Wired Equivalent Privacy
wireless security protocol.
The Wall Street Journal cited sources close to the investigation, and
TJX wouldn't comment. Mark Loveless, senior security researcher for
network-access control vendor Vernier, who goes by the online handle of
"Simple Nomad," says it's possible the cyberattackers stumbled across a
vulnerable store location while patrolling a strip mall or shopping
center in their car using a laptop, a telescope antenna, and an 802.11
wireless LAN adapter. While the TJX store wasn't likely at the top of
their list, they found that it was accessible and yielded information
they could use to further penetrate TJX's IT systems. "The allure was
too good to pass up," he posits.
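Loveless's scenario rests on WEP being breakable from a parking lot, and the core weakness is not exotic: WEP derives each frame's RC4 key from a 24-bit initialization vector sent in the clear plus the shared key, so on a busy access point IVs repeat within hours, and every pair of frames that share an IV is XORed with the same keystream. The following is an added example, not code from the article or from any TJX equipment; the shared key, the colliding IV and the frame payloads are constructed for the demo. It implements RC4 and WEP's per-frame keying, shows a passive listener recovering one frame's payload from an IV collision given a predictable payload (such as an ARP body) in the other, and counts how few frames a random-IV sender transmits before an IV repeats.

```python
"""Keystream reuse under WEP: why a 24-bit IV sinks RC4 on a busy access point.

Added illustration, not the article's data or any TJX equipment. WEP builds
each frame's RC4 key as IV (24 bits, sent in the clear) || shared key, and RC4
is a stream cipher, so two frames that reuse an IV are XORed with the same
keystream; XORing the two ciphertexts cancels the keystream and leaves the XOR
of the two plaintexts. Key, IV and payloads below are constructed for the demo.
Real WEP also appends a CRC-32 ICV before encryption; it is omitted here since
it does not change the keystream-reuse property being shown.
"""
import random


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling algorithm, then the output generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then payload XOR RC4(IV || key)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is exactly 24 bits")
    return iv + xor_bytes(payload, rc4_keystream(iv + shared_key, len(payload)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: rebuild the per-frame key from the cleartext IV."""
    iv, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def recover_from_iv_collision(frame_a: bytes, known_payload_a: bytes,
                              frame_b: bytes) -> bytes:
    """Passive attacker with no key: frames a and b share an IV and the
    attacker knows frame a's payload (ARP/DHCP bodies are largely predictable).
    Returns as much of frame b's payload as the known plaintext covers."""
    iv_a, c_a = frame_a[:3], frame_a[3:]
    iv_b, c_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        raise ValueError("different IVs: no keystream reuse to exploit")
    keystream = xor_bytes(c_a, known_payload_a)   # c_a XOR p_a == keystream
    return xor_bytes(c_b, keystream)


def frames_until_iv_repeat(seed: int = 1) -> int:
    """Frames sent with uniformly random IVs before one repeats.
    Birthday bound on 2**24 values puts this in the low thousands."""
    rng = random.Random(seed)
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.getrandbits(24)
        if iv in seen:
            return n
        seen.add(iv)


def demo() -> bytes:
    shared_key = bytes.fromhex("0f1e2d3c4b")     # constructed 40-bit WEP key
    iv = b"\x00\x10\x42"                        # the IV that collides
    known = b"ARP, who has 10.0.0.1? tell 10.0.0.42, padding..."  # predictable frame
    secret = b";4111111111111111=0912101?"      # constructed swipe crossing the WLAN
    frame_a = wep_encrypt(shared_key, iv, known)
    frame_b = wep_encrypt(shared_key, iv, secret)
    return recover_from_iv_collision(frame_a, known, frame_b)


if __name__ == "__main__":
    print("recovered without the key:", demo())
    print("frames before an IV repeat:", frames_until_iv_repeat())
```

The collision attack is only the simplest consequence. Stations that reset the IV counter to zero on every reboot collide far sooner than the random-IV simulation suggests, and the statistical key-recovery attacks on WEP's RC4 keying published from 2001 onward (Fluhrer, Mantin and Shamir and their successors) recover the shared key itself from tens of thousands of captured frames, which is what a wardriver's toolkit would actually run. Neither attack needs to transmit, so nothing on the wire shows it happening.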
TJX admits that some of the data was stolen during the payment card
approval process, in which data is transmitted to payment card issuers
without encryption. That might refer to interception of the
unencrypted authorization traffic, or to a technique called "skimming,"
which captures card data at the point-of-sale terminal itself; a
variation of skimming was used to steal 238 payment card account
numbers earlier this year from four 24-hour Stop & Shop stores in Rhode
Island and one in Massachusetts.
That scam worked like this: When the data thieves entered a store, one
of them distracted a clerk while another swapped the store's PIN-pad
terminal with a nearly identical device that had been electronically
altered to capture customers' account numbers and PINs. The switch took
as little as 12 seconds, according to the U.S. Attorney's Office for the
District of Rhode Island. Several days later, the thieves returned to
the store, replaced the original terminal, and made off with the altered
one containing customers' account information.
TJX says it was first tipped to a security problem on Dec. 18, 2006.
Incident response experts from General Dynamics and IBM confirmed within
a few days that there had in fact been an intrusion.
However, some financial institutions say they noticed an increase in
fraudulent activity on cards in their networks in November, which would
put the break-in, or break-ins, earlier--probably much earlier. "We were
notified of the TJX compromise by Visa--as well as in the news--in
January," says the CFO of one credit union, which then reissued payment
cards to the customers whose data might have been stolen.
TJX says that "due to the type of technology used in the intrusion as
well as deletions of transaction data in the ordinary course of
business," it may never be able to identify "much of the information
believed stolen." The company says the stolen data includes account
information for about 45.7 million separate payment cards, though TJX
claims that 75% of those cards were either expired at the time of the
theft or the stolen information didn't include the security code data
from the magnetic stripe on the cards. The company thinks that driver's
license numbers, military IDs, and state IDs for 455,000 customers,
together with their names and addresses, also were stolen.
STANDARDS WORK -- IF THEY'RE FOLLOWED
To adequately protect cardholder data, companies that handle this
information need a secure network, some way of securing cardholder data
during storage and transmission (such as encryption), a process for
identifying and patching software vulnerabilities, and well enforced
access control measures. So says the Payment Card Industry data security
standard introduced by American Express, MasterCard Worldwide, Visa
International, and other credit card providers two years before TJX
announced its data breach.
Of course, PCI improves security only if retailers follow the standard
closely. TJX said in its 2006 annual report that it "generally" had
stopped storing magnetic-stripe data after Sept. 2, 2003; "generally"
encrypted all payment card, check transaction, and personal information
after April 7, 2004; and "generally" had masked payment card PINs as
well as portions of payment card transaction and check transaction
information after April 3, 2006.
However, Visa indicated in February, through a number of documents sent
to financial institutions that issue cards and manage Visa transactions,
that TJX was storing card numbers, expiration dates, and card
verification value codes. PCI forbids retaining the verification code
(along with full magnetic-stripe data and PINs) after a transaction is
authorized, even in encrypted form, and requires that any stored card
number be rendered unreadable. As for its efforts at encryption, "We
believe the intruder had access to the decryption algorithm for the
encryption software we utilize," TJX said in its annual report.
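The Visa finding turns on what was sitting in TJX's stored transaction data, and the practical first check for any merchant is to scan logs, databases and settlement files for exactly the elements PCI forbids retaining after authorization. The following is an added example, not TJX's code or a PCI Council tool: it runs over a few constructed point-of-sale log lines (the field names, store and register numbers, auth codes and card numbers are test values, not TJX data) and flags full magnetic-stripe track data, a verification code stored under a named field, and a plaintext Luhn-valid card number, while ignoring a truncated card number and digit strings such as timestamps and order numbers that fail the Luhn check.

```python
"""Scan stored records for data PCI forbids retaining after authorization.

Added example (not TJX code or a PCI Council tool). PCI DSS requirement 3 says
full magnetic-stripe track data, the card verification code (CVV2/CVC2/CID)
and PIN blocks may never be stored after authorization, even encrypted, and a
stored PAN must be rendered unreadable (truncation to first six / last four is
acceptable). Regexes, field names and the sample log are assumptions built for
this demo; the card numbers are public test numbers, not real accounts.
"""
import re

# Track 2: ;PAN=YYMM SSS discretionary?   (SSS = service code)
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Track 1: %B PAN ^ NAME ^ YYMM SSS ...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?")
# Bare PAN candidates: 13-19 digits, optionally space/hyphen separated.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Verification code stored under a recognisable field name.
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid|cav2?)\s*[=:]\s*\"?(\d{3,4})\b",
                    re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """ISO 7812 check digit; filters timestamps and order numbers out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six / last four, the truncation PCI allows on receipts and reports."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (kind, detail) findings for one record; PANs are masked on output."""
    findings, covered = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append((kind, mask_pan(m.group(1))))
            covered.append(m.span())
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() < e for s, e in covered):
            continue                      # already reported as part of track data
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("pan", mask_pan(digits)))
    for m in CVV_RE.finditer(line):
        findings.append(("cvv", m.group(1).lower()))
    return findings


def scan(text: str) -> list:
    """Scan a multi-line dump; returns (line_number, kind, detail) tuples."""
    return [(n, kind, detail)
            for n, line in enumerate(text.splitlines(), 1)
            for kind, detail in scan_line(line)]


# Constructed POS log: store/register numbers, auth codes and swipes are made up.
SAMPLE_LOG = """\
2007-03-02 10:15:01 POS store=0442 register=12 auth_code=A91F2 amount=54.99
2007-03-02 10:15:03 DEBUG swipe=;4111111111111111=09121011234567890?
2007-03-02 10:15:07 settle pan=5500000000000004 exp=0912 cvv2=123
2007-03-02 10:15:08 receipt pan=411111******1111 order=1234567890123456
2007-03-02 10:15:09 auth-only store=0442 register=12 txn=20070302101509 authnum=A91F2
"""


def demo() -> list:
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for line_no, kind, detail in demo():
        print(f"line {line_no}: {kind} {detail}")
```

Two points worth carrying into a real sweep. A hit in a column the application believes is encrypted still counts for track data and verification codes, because PCI does not allow those to be kept in any form once the transaction is authorized; and the Luhn check is a filter, not proof, so pair it with field-name context and a human review before treating a hit as a finding.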
PCI also covers wireless network security, stating that wireless
networks transmitting cardholder data must encrypt transmissions by
using Wi-Fi-protected access (WPA or WPA2) technology, IPsec VPN, or
SSL/TLS. "Never rely exclusively on wired equivalent privacy (WEP) to
protect confidentiality and access to a wireless LAN," the standard
states.
SUNSHINE STATE
Other retailers are starting to feel the TJX Effect. In March, some of
the stolen data surfaced in Florida, where thieves used it to make phony
credit cards to steal about $8 million in merchandise from Wal-Mart
stores in 50 Florida counties. In July, the U.S. Secret Service tied
stolen TJX customer data to another south Florida fraud ring (see story,
"The Face Of Identity Theft" [1]).
Banks and transaction processors are pushing back against having to
cover fraud losses when the poor security practices of others are to
blame. Several financial institutions have taken the unusual step of
filing lawsuits against TJX, claiming that the retailer acted
negligently by storing unprotected credit card holders' information and
failing to install firewalls to protect sensitive financial databases.
The Massachusetts Bankers Association filed a class-action suit against
TJX that will seek to recover damages in the "tens of millions of
dollars." The Connecticut Bankers Association and the Maine Association
of Community Banks joined the Massachusetts association's suit as
co-plaintiffs. TJX is based in Framingham, Mass.
Although aimed at TJX, these lawsuits aren't good news for retailers in
general. "You don't usually sue merchants," says Mark Macheska, a VP of
card risk prevention at Citizens Bank, but "the banks are taking all of
the losses." Payment card information for hundreds of thousands of
Citizens Bank customers may have been compromised as part of the TJX
breach.
Lawmakers have used the TJX debacle to push data security legislation.
On Aug. 1, the Plastic Card Security Act of Minnesota took effect,
making the state the first to shift the costs associated with data
breaches from financial institutions to the retailers that mishandle
consumers' financial data. The law makes it illegal for Minnesota
businesses to store a customer's PIN, security code, or magnetic-stripe
information for more than 48 hours after a transaction is authorized.
Next year, penalties are set to kick in that would give Minnesota
financial institutions, such as banks and credit unions, the ability to
sue merchants caught keeping private financial data if there's a
security breach.
Massachusetts passed a data breach notification law this month, partly
in reaction to TJX, joining some 30 states that require organizations to
notify those affected when their personal data has been compromised. But
not every state is rushing in. In May, Texas shot down a bill that would
have compelled businesses to better protect and safeguard sensitive
personal information contained in their customer records.
Still, the passage of the Minnesota law indicates that the TJX data
breach is "the straw that broke the camel's back" in terms of the
public's patience with lax data security, says PayPal chief information
security officer Michael Barrett. "If more states don't pass laws like
Minnesota did," Barrett says, "we'll just be waiting for the next
incident before we act."
A PARADOX
There's an interesting paradox in the TJX Effect, and it has to do with
the company's financial performance. While at least a dozen customers
have sued the company for not properly protecting their payment
information--the cases are being consolidated into class-action suits
and venues are still being chosen--many more are still shopping at its
stores.
Financial analysts continue to raise their expectations for the
company's stock price, as first-quarter 2008 sales were up about 6%
compared with the year-earlier quarter, to $4.1 billion. Net income was
down less than 2% from a year ago, to $162.1 million--not bad
considering the $20 million charge TJX had to take.
In a February survey of 1,200 debit card holders by Javelin Strategy &
Research, three out of four said they wouldn't continue shopping at a
merchant where a data breach had occurred, says Mary Monahan, a Javelin
analyst, and 84% said they would shop at merchants that said they were
security leaders. But the reality seems quite different. "As Americans,
we're a very convenience-oriented society," says James Lee, public and
consumer affairs officer for ChoicePoint, a provider of identification
and credential verification services. In 2005, ChoicePoint reported that
identity thieves had stolen about 163,000 customer records.
TJX also may be benefiting from reports that identity fraud isn't as
rampant as many think. Of the 24 data breaches analyzed by the U.S.
Government Accountability Office in a report issued last month, only
three included evidence of resulting fraud on existing accounts and only
one included evidence of an unauthorized creation of a new account. The
GAO report states that for the 18, "no clear evidence had been uncovered
linking them to identity theft; and for the remaining two, there was not
sufficient information to make a determination."
WATERSHED CASE
However, the magnitude of the TJX data breach, and the fact that stolen
data is starting to surface, may change that perception. "TJX is a
watershed case in this regard," PayPal's Barrett says. When customer
data is stolen, as opposed to lost, you can be sure that someone's
looking to use that information for financial gain. "Having an
information breach is now an extremely significant operational risk,"
Barrett says. "There are very few risks that are worse than that."
Are executives nationwide worried about the TJX Effect? "Absolutely,"
says Andre Gold, head of technology risk management at ING U.S.
Financial Services and former director of information security for
Continental Airlines. "That's the kind of info that my executives are in
tune to, because they want to make sure we're aware of this so that the
same thing doesn't happen to us." The main takeaway: Look for weak links
within your organization, because if you don't find them, someone else
will.
ChoicePoint's Lee says the TJX data breach will force companies to be
more transparent about the customer data they keep and how they protect
it. ChoicePoint has accelerated a project to automate the way it
discloses personal information to consumers who request it. Right now,
if consumers want to know what information ChoicePoint has on them, the
company puts together a report manually and mails it to them. To keep up
with TJX-inspired demand, Lee's working to automate the system, a
project that could take up to 26 weeks to complete, he says.
The National Retail Federation, whose eight-member executive committee
includes CEOs from Ethan Allen Interiors, J.C. Penney, and Liz
Claiborne, advocates several measures to prevent another data breach on
the scale of TJX's. Rather than retain credit card information after a
transaction is completed in order to settle disputes and handle
chargebacks for returned merchandise, federation CIO Dave Hogan
recommends retaining only information about the transaction
itself--store number, time and date stamp, register number, and
authorization number. "That would minimize, if not stop, payment card
fraud," he says.
At the very least, retailers should require customers to enter a PIN for
debit and credit purchases to be processed. This doesn't solve the data
theft problem, but it does reduce risk, Hogan says. Even better, credit
card companies will eventually replace magnetic-stripe cards in favor of
those with embedded chips that require PINs whenever they're used.
For others, the lesson is simple. "Get serious about getting PCI
certified," says PayPal's Barrett. Strictly, compliance is validated
rather than certified: a large merchant has its cardholder data
environment assessed on site by a Qualified Security Assessor and its
Internet-facing systems scanned quarterly by an Approved Scanning
Vendor, both approved by the PCI Security Standards Council, whose
founding members are American Express, Discover, JCB, MasterCard
Worldwide, and Visa International. The assessor checks an
organization's IT systems against the criteria published in the PCI
data security standard. There are dozens of QSAs and ASVs, including
Deloitte & Touche and Dimension Data.
With any luck, the TJX Effect will teach retailers this basic lesson:
Thieves can't steal sensitive customer data if retailers aren't storing
it.
[1] http://www.informationweek.com/story/showArticle.jhtml?articleID=201400172
Copyright © 2007 CMP Media LLC