Payment Card Security & IT Controls Explained

Entries from January 2007

TJX Hacked; International customer impacts; personal section of WSJ?

January 26, 2007 · 1 Comment

[Updated as of 2/1/07]

I have been following this debacle with TJX, which initially described the number of accounts stolen as limited: “‘a limited number’ of individuals had been stolen from the compromised system. And by ‘limited’ we mean substantially less than millions,” said McConnell. According to news sources, the intruders had access not only to the credit card processing systems and stored data, but also to the financial accounting systems. Up to this point the impact and damages have been spreading with each passing day, and I imagine this will encourage greater adherence to the PCI DSS. It is unfortunate that it takes incidents like CardSystems and now TJX for the standard to really gain acceptance, but at least we are there.

Another point that concerned me over the TJX situation is their ability to vouch for their financial statements under SOX and international standards. If they truly did not have control over the environment, then I imagine any auditor will be hard pressed to put his name down without an exhaustive walkthrough of every financial transaction. It is interesting that there has been zero discussion of these types of concerns in any of the media outlets.

I typically work with clients that are in these situations, or as an advisor to ensure such events never occur – the absolute security success measure: your client is never in “the WSJ” for these situations. Since I have no direct contact with TJX, I have refrained from speculating or publishing post-mortem thoughts and actions. That all changed when I saw that this very severe situation was pushed to the Personal Technology section of the Wall Street Journal (“Wide Credit-Card Fraud Surfaces in TJX Hacking” by JOSEPH PEREIRA, January 25, 2007; Page D3). To that point, I will make this post an accounting of what is known – and what this may mean in the long run. I will be sure to provide references to sources, as I am able. I hope this condensed accounting presents a clearer picture of the true importance of compliance with PCI DSS, and for that matter of maintaining a strong Control Environment for your customers, employees, and shareholders.

#1. There was a breach, but were the accounts used or merely misplaced or stolen by some kids in VA?

According to MBA spokesman Bruce Spitzer, “…hundreds of thousands of customer accounts …” These accounts were stolen, most likely sold, distributed around the world, and are being charged up at this moment.

#2. Where are people using these fraudulent accounts? (Is it in my backyard?)

According to the WSJ article: multiple states in the U.S. (Georgia, Florida, and Louisiana – updated), Hong Kong, and Sweden.

#3. Who was affected by this breach? Domestic? International?

Reports state that the systems affected were the systems that managed the return merchandise. (Update 2/1/07: Driver’s License information also stolen. Update 1/30/07: Credit cards, Debit Cards, and CHECK information was stored, and subsequently stolen) Reports show that customers within the United States and abroad (Canada) have already been affected, or alerted to be wary of their credit (United Kingdom).

#4. I thought PCI DSS stated that records of a sensitive nature should be wiped, given a reasonable amount of time for processing (i.e. seconds). How wide is the timeframe at risk from this breach?

“Chairman Ben Cammarata says information on transactions made between May and December last year may have been accessed…” JD: That is well beyond any allowable standard, and certainly not within the limits of PCI DSS. A great follow-up question would ask why they kept such data online for such a long period of time.

#5. Advice, good and not great – in any event like this breach, individuals offer their wisdom, and sometimes it is not quite right. So be wary of those who make curious guarantees, or they may offer you some tulips for your trouble.

Quoted in its entirety: “David Roberts, chief executive of The Corporate IT Forum, says it appears the retailer may have underinvested in systems to protect information. ‘I do not know of any other retailer that has suffered a similar attack in recent years. It will require a major revision to ensure its systems are foolproof,’ he said.” JD: Emphasis added.

The reality is there is no foolproof system that they can employ to prevent this attack from happening 100% of the time. They can layer technologies with procedures, and through this effort make it not worth trying to exploit the system. The simplest approach is to make the data inaccessible – either delete it, or encrypt it (please choose a vendor responsibly, as each has features that allow for seamless integration).

#6. Exactly how many accounts were stolen?

A news agency has reported that “millions of customers’ financial information…” — credit cards, debit cards, even checks.

200,000 accounts have been identified in Massachusetts alone as being compromised.

#7. Why did TJX take so long to disclose the situation? Why are only some banks and customers being notified?

The laws are different in every country, and it is up to the company to decide who should be notified (if at all), and in what manner – unless a law is in place. There are several laws that require disclosure in situations like this in the United States (30 state laws and 1 federal, I believe, at last count), and international regulations are catching on to the need.

A bit of history – CA was the only state to require disclosure of this nature, with SB-1386. No other real laws were developed until an Atlanta-based company was not inclined to warn all citizens in the United States. This action prompted 22 other states to pass legislation.

This TJX incident will be the impetus for further international disclosure laws – Canada is the first, and not the last.

“The recent privacy breaches clearly demonstrate the need to address the issue of notification,” said Anne-Marie Hayden, a spokeswoman for Ms. Stoddart. “I think it’s safe to say that when the commissioner reappears before the parliamentary committee she will recommend amending [privacy laws] to include provisions that would require companies to notify our office and, of course, the individuals affected, when there is a privacy breach.” Source cited.

[Updated 1/30/07] – The breach occurred in May, and not December. The first press release stated they “detected” it in December, but now they are disclosing that it occurred nearly 6 months ago.

[Updated 2/1/07] – “The breach affected data as far back as 2003” JD: Sensitive data should be securely archived based on a business need. Beyond being in absolute violation of industry best practices, this is against any good business / information security / data custodian practice.

#8. [Updated 2/1/07] What is the business impact of this breach?

[Updated 2/1/07] Typically the cost involved in any breach includes the cost of replacing the consumer’s card, the additional manpower to bring systems up to a higher level of security (technology acquisition + consulting fees), legal fees, press release fees, compliance fines, and of course civil action damages. Beyond the distraction to the business and the delay of business-critical projects, the soft costs also include loss of consumer goodwill.

[Updated 2/1/07] Hard costs from the TJX breach: one bank (of 240) reported it is reissuing 20,000 cards at $5 each, totaling $100,000.

[Updated 2/1/07] According to Gartner, a breach of this magnitude, with so much disclosure, legal, and technology cost involved, can reach $60-90 per account – totaling (for this single bank): $1,200,000.

[Updated 2/1/07] If we consider TJX’s likely financial costs – 200,000 accounts * $5 or $60 = $1,000,000 or $12,000,000.

[Updated 1/30/07] – 50 banks alone in Massachusetts have reported being impacted by the breach – Cited

[Updated 1/30/07] – Class action lawsuit filed in Canada for negligence – Cited

[Updated 1/30/07] – Track 2 Data stored by TJX – in violation of PCI DSS – Cited
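As an added illustration (my own constructed example, not code from the original post or from any TJX system), the scanner below shows how a data custodian can detect stored Track 2 data of the kind mentioned in #4 and in the update above, and how long each offending record has been retained. The log line format, file naming, and one-day retention window are assumptions; the card numbers are public test PANs.

```python
import re
from datetime import date

# Constructed sample lines from a hypothetical return-merchandise log.
# The card numbers are public test PANs, not real accounts.
SAMPLE_RECORDS = [
    ("returns_2006-06-14.log", "RMA 4471 refund ;4111111111111111=0812101123456789?"),
    ("returns_2006-12-02.log", "RMA 5120 refund 5500000000000004=0907201"),
    ("returns_2007-01-20.log", "RMA 5301 refund token=8f3a2c approved"),
    ("returns_2006-08-01.log", "RMA 4802 refund 4111111111111112=0812101"),
]
AS_OF = date(2007, 1, 26)  # date of the post, used as "today" when ageing records

# Track 2 layout: [;] PAN (13-19 digits) '=' YYMM service-code discretionary-data [?]
TRACK2_RE = re.compile(r";?(\d{13,19})[=D](\d{2})(\d{2})(\d{3})(\d*)\??")
DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check, so random digit runs are not reported as PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(line: str) -> list:
    """Return every Track 2 string in the line whose PAN passes Luhn, with the PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(line):
        pan, yy, mm, svc, disc = m.groups()
        if luhn_ok(pan):
            hits.append({"pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
                         "expiry": f"20{yy}-{mm}", "service_code": svc,
                         "discretionary": bool(disc)})
    return hits


def scan_records(records, today: date, max_retention_days: int) -> list:
    """Flag each stored Track 2 record: any hit is prohibited storage; age shows for how long."""
    findings = []
    for name, line in records:
        m = DATE_RE.search(name)
        age = (today - date(*map(int, m.groups()))).days if m else None
        for hit in find_track2(line):
            hit.update({"file": name, "age_days": age,
                        "beyond_retention": age is not None and age > max_retention_days})
            findings.append(hit)
    return findings
```

Run against the sample, the two Luhn-valid records are reported (226 and 55 days old), the tokenized record is clean, and the digit run that fails Luhn is ignored.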

As more data emerges and the story unravels, I will try to continue posting updates. If there are other good sources – please post links below! Let’s learn from this breach, and move forward stronger as a community.

James DeLuccia IV

Categories: Compliance · IT Controls · PCI DSS · Risk Management · Sarbanes-Oxley · Security · regulations · sox

A review: ISACA’s “Return on Security Investment (ROSI)”

January 24, 2007 · 1 Comment

ISACA published an IS AUDITING GUIDELINE on defining and measuring ROI or ROSI (Return on Security Investment). The publication describes several usable equations and starting points for creating a measurement program. Below are my comments on the most important points and some commentary on those provided. This publication, unfortunately, is not the be-all guide, nor does it truly address the reader’s need for a plan on implementing such a valuation program. Any comments beyond the referenced sources for additional starting points would be appreciated.

Establishing Metrics is the first task:

These should be based on consistently occurring and measurable events. The metrics can reflect the organization’s usage of technology and focus on important aspects of the infrastructure.

Capture information on the existing user experience:

Develop and distribute a survey that pointedly asks the users to grade their experience for specific measurable concerns. An example would be “How often is the mail server unavailable for more than 10 minutes? Daily, Weekly, Monthly”

These surveys provide an indicator of user perception and experiences. Data pulled from the systems through system-to-system testing and tracking is preferred, but is better suited to tracking going forward. Surveys allow for immediate data benchmarking and measurement.

The insurance conundrum when measuring value for security products:

Security is a risk management method for loss prevention. This, like insurance for your car, is a cost incurred today against an event that may occur to the enterprise in the future. The cost of insurance fluctuates (usually up and rarely down) and roughly follows the trend in risks. If, for instance, an owner moves from a farm to the city, their insurance costs will rise, because losses occur more often there. Similarly, in the security world, simply because today we have implemented a security solution, an increase in incidents may still occur. The truth is that the damage would have been worse without the action, but it is still prevention, and hindsight is never as rosy as we would prefer.

Consider the ideal situation (running a bank): Install super-security application (example: security guard) and the logs (security journal shows no physical bank robbers waving guns) show no incidents. Why pay for the (guard salary) maintenance costs? Did the super-security tool prevent all the losses, or has the criminal world simply moved away from holding up your bank in person to digital attacks? The answer is you need both – remove the guard and that becomes the simpler path of attack; add more security and force a more complex attack vector.

Remember – the blackhat hackers / criminals / mob / cartels are calculating their own ROSI, and will only put forth the effort to attack along a path if there is a healthy return. Our motivations are the same, and therefore, as we know our enemy, we can put forth mechanisms of a sufficient degree to achieve a reasonable security posture that respects the value of the assets within, and allows continued success as a business.

Best regards,

James DeLuccia

Categories: Compliance · IT Controls · ROI · Risk Management · Security

Elegant Solutions: Breakthrough Thinking the Toyota Way

January 3, 2007 · Leave a Comment

An unusual post, but it is the New Year and we might as well start with a bit of reflection on innovation and elegance. What follows are excerpts from “Elegant Solutions – Breakthrough Thinking the Toyota Way” by Matthew E. May. Thank you to Guy Kawasaki for pointing to this manifesto.

“An elegant solution is one in which the optimal outcome is achieved with the minimal expenditure of effort and expense.”

A big lesson – “Avoid the Temptations

  1. Swinging for fences. This is the “homerun or bust” trap, which invariably destroys a strong batting average over time. It carries with it huge risk, usually accompanied by high cost.
  2. Getting too clever. This is the “bells and whistles” trap, which can easily get out of control in an effort to outdo competitors. It carries with it the danger of complexity and customer alienation.
  3. Solving problems frivolously. This is the “brainstorm” trap, which is misguided creativity far afield from company direction. It’s a symptom of poorly defined work, and fraught with waste. There’s a reason we call it an organization.”

Small baby steps and keep the ideas simple. I am certainly guilty of number 3, but I believe in the same breath that without these activities my truly elegant solutions would never come to bear.

“The pursuit of perfection is not focused on achieving perfection, it’s focused on chasing it. Perfection is unachievable…it’ll never happen. We’ve become impatient with mastery. If you can’t achieve perfection, why bother? Because you have to. Otherwise you’ll always be a follower.
At Toyota the mantra is: no best, only better.”

I love the idea that perfection is unattainable, yet is within our grasp. The idea of continuously redeveloping oneself and one’s art as a process of perfection is very inspiring.

“All artists work within the confines of their chosen media, and it’s the limits that spur their creativity. The canvas edge, the marble block, the eight musical notes—the resources are finite. So it’s how you view and manage them that makes all the difference.
And that’s the big question: Are limits preventing innovation, or enabling it?
There’s only one right answer. Innovation demands exploiting limits, not ignoring them.”

Limited resources are a perpetual challenge to those working in every industry around the world. The Toyota concept of embracing these constraints and finding innovation in them is an uncharacteristic way of viewing these deficiencies. It is very practical to consider constraints for those who (in our context) manage businesses and IT controls. There is always a budget, and unfortunately only 24 hours on the clock. The ability to work within these boundaries and excel is a challenging and worthwhile path.

“Keep it Lean
Complexity kills—scale it back, make it simple, and let it flow.
More is often just more. Unless it’s more simple, accessible, timely and efficient, which really means it’s less complicated and complex. When it comes to solutions, size and sprawl matter. Be-all, end-all, feature-rich solutions almost always miss the mark. Because they’re over-scoped and too complex. They’re usually proof that we lack real insight into our customer’s desires. Complexity destroys value, which is what matters most to the customer. The most elegant solutions always seem blazingly simple.”

This is the opposite of what most organizations and product solutions do: throw the kitchen sink at a problem. Addressing a problem in a simple fashion is key to controlling costs – emotional, capital, and intellectual. Consider implementing a complex application for a single task – will it be used? Will every feature be used? My favorite (and I admit I am an addict): how many features of Microsoft Excel do you use? How many versions have they been in the application (since the end of time, you say?!) – why did you just buy another version to upgrade? Balance the simplicity with the problem at hand. This is paramount to addressing compliance and regulatory concerns. Documentation should be simple and direct. Controls should be clear and operating. Long explanations are not necessary (to auditors or lawyers) if the work is elegant.

Happy New Year!

James DeLuccia

Categories: Compliance