Details of the largest breach of customer data are starting to come to light.
STANDARDS WORK -- IF THEY'RE FOLLOWED
To adequately protect cardholder data, companies that handle this information need a secure network, some way of securing cardholder data during storage and transmission (such as encryption), a process for identifying and patching software vulnerabilities, and well enforced access control measures. So says the Payment Card Industry data security standard introduced by American Express, MasterCard Worldwide, Visa International, and other credit card providers two years before TJX announced its data breach.
Of course, PCI improves security only if retailers follow the standard closely. TJX said in its 2006 annual report that it "generally" had stopped storing magnetic-stripe data after Sept. 2, 2003; "generally" encrypted all payment card, check transaction, and personal information after April 7, 2004; and "generally" had masked payment card PINs as well as portions of payment card transaction and check transaction information after April 3, 2006.
TJX Hack: Possible Entry Points
Data thieves attached a USB device to an in-store online employment terminal that bypassed the company's network firewall and planted software in TJX's computer system
Data thieves used mobile access technology to enter a poorly secured wireless network from outside the store, and from there got into TJX's computer system
Data thieves accessed card-payment data flowing through point-of-sale PIN-pad devices, perhaps by substituting look-alike doctored devices surreptitiously and then retrieving them later
However, Visa indicated in February, through a number of documents sent to financial institutions that issue cards and manage Visa transactions, that TJX was storing card number, expiration date, and card verification value codes, all of which are prohibited by PCI. As for its efforts at encryption, "We believe the intruder had access to the decryption algorithm for the encryption software we utilize," TJX said in its annual report.
PCI also covers wireless network security, stating that wireless networks transmitting cardholder data must encrypt transmissions by using Wi-Fi-protected access (WPA or WPA2) technology, IPsec VPN, or SSL/TLS. "Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN," the standard states.
Other retailers are starting to feel the TJX Effect. In March, some of the stolen data surfaced in Florida, where thieves used it to make phony credit cards to steal about $8 million in merchandise from Wal-Mart stores in 50 Florida counties. In July, the U.S. Secret Service tied stolen TJX customer data to another south Florida fraud ring (see story, "The Face Of Identity Theft").
Banks and transaction processors are pushing back against having to cover fraud losses when the poor security practices of others are to blame. Several financial institutions have taken the unusual step of filing lawsuits against TJX, claiming that the retailer acted negligently by storing unprotected credit card holders' information and failing to install firewalls to protect sensitive financial databases. The Massachusetts Bankers Association filed a class-action suit against TJX that will seek to recover damages in the "tens of millions of dollars." The Connecticut Bankers Association and the Maine Association of Community Banks joined the Massachusetts association's suit as co-plaintiffs. TJX is based in Framingham, Mass.
Although aimed at TJX, these lawsuits aren't good news for retailers in general. "You don't usually sue merchants," says Mark Macheska, a VP of card risk prevention at Citizens Bank, but "the banks are taking all of the losses." Payment card information for hundreds of thousands of Citizens Bank customers may have been compromised as part of the TJX breach.
Lawmakers have used the TJX debacle to push data security legislation. On Aug. 1, the Plastic Card Security Act of Minnesota took effect, making the state the first to shift the costs associated with data breaches from financial institutions to the retailers that mishandle consumers' financial data. The law makes it illegal for Minnesota businesses to store a customer's PIN, security code, or magnetic-stripe information for more than 48 hours after a transaction is authorized. Next year, penalties are set to kick in that would give Minnesota financial institutions, such as banks and credit unions, the ability to sue merchants caught keeping private financial data if there's a security breach.
Massachusetts passed a data breach notification law this month, partly in reaction to TJX, joining some 30 states that require organizations to notify those affected when their personal data has been compromised. But not every state is rushing in. In May, Texas shot down a bill that would have compelled businesses to better protect and safeguard sensitive personal information contained in their customer records.
Still, the passage of the Minnesota law indicates that the TJX data breach is "the straw that broke the camel's back" in terms of the public's patience with lax data security, says PayPal chief information security officer Michael Barrett. "If more states don't pass laws like Minnesota did," Barrett says, "we'll just be waiting for the next incident before we act."
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.