[Updated as of 2/1/07]
I have been following this debacle with TJX that had “‘a limited number’ of individuals had been stolen from the compromised system. And by ‘limited’ we mean substantially less than millions,” said McConnell number of accounts stolen. Supposedly from the news sources the intruders had access to not only credit card processing systems, stored data, but also the financial accounting systems. Up to this point the impact and damages are spreading with each passing day, and I imagine this will encourage greater adherence to the PCI DSS. It is unfortunate that it requires incidents like CardSystems and now TJX to really gain acceptance, but at least we are there.
Another point that concerned me over the TJX situation is their ability to vouch for their financial statements under SOX and international standards. If they truely did not have control over the environment, then I imagine it will be hard pressed for any auditor to put his name down without an exhaustive walkthrough of every financial transaction. It is interesting that there has been zero discussion of these types of concerns in any of the media outlets.
I typically work with clients that are in these situations, or as an advisor to ensure these such events never occur – the absolute security success measure: Your client is never in “the WSJ” for these situations. Being that I have no direct contact with TJX I have refrained from speculating or publishing post-mortem thoughts and actions. That all changed when I saw that this very severe situation was pushed to the Personal Technology section of the Wall Street Journal (“Wide Credit-Card Fraud Surfaces in TJX Hacking” by JOSEPH PEREIRA January 25, 2007; Page D3) To that point, I will make this post an accounting of what is known – and what this may mean in the long run. I will be sure to provide references to sources, as I am able. I hope this condensed accounting presents a clearer picture of the true importance of compliance with PCI DSS, and for that matter maintaining a strong Control Environment for both your customers, employees, and shareholders.
#1. There was a breach, but were the accounts used or merely misplaced or stolen by some kids in VA?
According to MBA spokesman Bruce Spitzer “…hundreds of thousands of customer accounts …” These accounts were stolen, most likely sold, distributed around the world, and are being charged up at this moment.
#2. Where are people using these fraudulent accounts? (Is it in my backyard?)
According to the WSJ article – Multiple States in the U.S. (Georgia, Florida, and Louisiana – updated), Hong Kong, and Sweden
#3. Who was affected by this breach? Domestic? International?
Reports state that the systems affected were the systems that managed the return merchandise. (Update 2/1/07: Driver’s License information also stolen. Update 1/30/07: Credit cards, Debit Cards, and CHECK information was stored, and subsequently stolen) Reports show that customers within the United States and abroad (Canada) have already been affected, or alerted to be wary of their credit (United Kingdom).
#4 I thought PCI DSS stated that records should be wiped of a sensitive nature – given a reasonable amount of time for processing (i.e. seconds). How wide is the timeframe at risk by this breach?
“Chairman Ben Cammarata says information on transactions made between May and December last year may have been accessed…” JD: That is well beyond any allowable standard, and certainly not within the limits of PCI DSS. A great follow-up question would ask why they kept such data online for such a long period of time
#5. Advice Good and Not Great – in any event like this breach individuals offer their wisdom, and sometimes it is not quite right. So be wary of those that make curious guarantees, or they may offer you some tulips for your trouble.
Quoted in its entirety: “David Roberts, chief executive of The Corporate IT Forum, says it appears the retailer may have underinvested in systems to protect information. ‘I do not know of any other retailer that has suffered a similar attack in recent years. It will require a major revision to ensure its systems are foolproof,’ he said.” JD: Emphasis added.
The reality is their is no foolproof system that they can employ to prevent this attack from happening 100% of the time. They can layer technologies with procedures, and through this effort make it worthless to try and exploit the system. The simplest approach is to make the data inaccessible – either delete it, or encrypt it (Please choose a vendor responsibily as each has features that allow for seamless integration).
#6. Exactly how many accounts were stolen?
A news agency has reported that “millions of customers’ financial information…” — credit cards, debit cards, even checks.
200,000 accounts have been identified in Massachussets alone as being compromised.
#7. Why did TJX take so long to disclose the situation? Why are only some banks and customers being notified?
The laws are different in every country, and it is up to the company to decide who should be notified (if at all), and in what manner. That is unless a law is in place. There are several laws that require disclosure in situations like this in the United States (30 states laws and 1 Federal I believe at last count), and the International regulations are catching on to the need.
A bit of history – CA was the only state to require disclosure of this nature w/ SB-1386. No other real laws were developed until an Atlanta based company was not inclined to warn all citizens in the United States. This action prompted 22 other states to pass legislation.
This TJX incident will be the impetus for further international disclosure laws – Canada is the first, and not the last
“The recent privacy breaches clearly demonstrate the need to address the issue of notification,” said Anne-Marie Hayden, a spokeswoman for Ms. Stoddart. “I think it’s safe to say that when the commissioner reappears before the parliamentary committee she will recommend amending [privacy laws] to include provisions that would require companies to notify our office and, of course, the individuals affected, when there is a privacy breach.” Source cited.
[Updated 1/30/07] – The breach occurred in May, and not December. The first press release stated they “detected” it in December, but now are releasing it occurred nearly 6 months ago.
[Updated 2/1/07] – “The breach affected data as far back as 2003” JD: Sensitive data should be securely archived based on a business need. Beyond being in absolute violation of industry best practices – this is against any good business / information security / data custodian practices.
#8. [Updated 2/1/07] What is the business impact of this breach?
[Updated 2/1/07] Typically the cost involved in any breach involves the cost of replacing the consumers card, the additional manpower to bring systems up to a higher level of security (technology acquisition + consulting fees), legal feeds, press release fees, compliance fines, and of course civil action damages. Beyond the distraction to the business and the delay of business critical projects the soft costs also include loss of consumer goodwill.
[Updated 2/1/07] Hard costs from TJX Breach: One bank (of 240) reported it is reissuing 20,000 cards at $5 each totaling $100,000.
[Updated 2/1/07] According to Gartner a breach of this magnitude with some much disclosure, legal, and technology costs involved can reach $60-90 per account – totaling (for this single bank): $1,200,000
[Updated 2/1/07]If we consider TJX’s likely financial costs – 200,000 accounts * $5 or $60 = $1,000,000 or $12,000,000.
[Updated 1/30/07] – 50 banks alone in Massachusetts have reported being impacted by the breach – Cited
[Updated 1/30/07] – Class action lawsuit filed in Canada for negligence – Cited
[Updated 1/30/07] – Track 2 Data stored by TJX – in violation of PCI DSS – Cited
As more data and the story unravels I will try and continue posting updates. If there are other good sources – please post links below! Lets learn from this breach, and move forward stronger as a community.
James DeLuccia IV