http://www.informationweek.com/news/showArticle.jhtml?articleID=201400171

By Larry Greenemeier
InformationWeek
August 11, 2007

TJX will be glad when this year is over. The $17 billion-a-year parent company of T.J. Maxx, Marshall's, and several other discount retail chains has spent the past eight months dealing with the largest breach of customer data in U.S. history, the details of which are starting to come to light.

Last December, TJX says, it alerted law enforcement that data thieves had made off with more than 45 million customer records. Since that time, at least one business, Wal-Mart, has lost millions of dollars as a result of the theft, while TJX has spent more than $20 million investigating the breach, notifying customers, and hiring lawyers to handle dozens of lawsuits from customers and financial institutions. Should TJX lose in the courts, it could be on the hook for millions more in damages.

But there's an even broader TJX Effect: The data breach, which actually took place over a period of years, has put the entire retail industry on the defensive and stirred up demands for all businesses that handle payment card information to do a better job of protecting it. Legislators are invoking TJX's name to fast-track data-security bills.

Few details of the TJX debacle have been made public by the company or investigators. As recently as June, TJX said in a regulatory filing that it didn't know "who took this action, whether there were one or more intruders involved, or whether there was one continuing intrusion or multiple, separate intrusions." Still, important details can be gleaned from internal and external sources. Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned.
According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. "The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals," says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding "suspicious software" on its computer systems.

The USB drives contained a utility program that let the intruder or intruders take control of these computer kiosks and turn them into remote terminals that connected into TJX's networks, according to the source. The firewalls on TJX's main network weren't set to defend against malicious traffic coming from the kiosks, the source says. Typically, the USB ports on such kiosks are used to plug in mice or printers. The kiosks "shouldn't have been on the corporate LAN, and the USB ports should have been disabled," the source says.

In May, The Wall Street Journal cited a separate entry point, reporting that data thieves had accessed an improperly secured Wi-Fi network from the parking lot of a Marshall's store in St. Paul, Minn. The thieves reportedly used a wireless data poaching tactic called "wardriving" and exploited the deficiencies of the aging Wired Equivalent Privacy wireless security protocol, whose RC4-based encryption can be broken by an attacker who passively collects enough traffic. The Wall Street Journal cited sources close to the investigation, and TJX wouldn't comment.

Mark Loveless, senior security researcher for network-access control vendor Vernier, who goes by the online handle "Simple Nomad," says it's possible the cyberattackers stumbled across a vulnerable store location while patrolling a strip mall or shopping center in their car using a laptop, a telescoping antenna, and an 802.11 wireless LAN adapter.
While the TJX store wasn't likely at the top of their list, they found that it was accessible and yielded information they could use to further penetrate TJX's IT systems. "The allure was too good to pass up," he posits.

TJX admits that some of the data was stolen during the payment card approval process, in which data is transmitted to payment card issuers without encryption. That might refer to a technique called "skimming," a variation of which was used to steal 238 payment card account numbers earlier this year from four 24-hour Stop & Shop stores in Rhode Island and one in Massachusetts. That scam worked like this: When the data thieves entered a store, one of them distracted a clerk while another swapped the store's PIN-pad terminal with a nearly identical device that had been electronically altered to capture customers' account numbers and PINs. The switch took as little as 12 seconds, according to the U.S. Attorney's Office for the District of Rhode Island. Several days later, the thieves returned to the store, put the original terminal back, and made off with the altered one containing customers' account information.

TJX says it was first tipped to a security problem on Dec. 18, 2006. Incident response experts from General Dynamics and IBM confirmed within a few days that there had in fact been an intrusion. However, some financial institutions say they noticed an increase in fraudulent activity on cards in their networks in November, which would put the break-in, or break-ins, earlier--probably much earlier. "We were notified of the TJX compromise by Visa--as well as in the news--in January," says the CFO of one credit union, which then reissued payment cards to the customers whose data might have been stolen. TJX says that "due to the type of technology used in the intrusion as well as deletions of transaction data in the ordinary course of business," it may never be able to identify "much of the information believed stolen."
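The WEP weakness behind the parking-lot entry point described above, worked through in code. This is an added example written for this page, not anything from TJX, the Wall Street Journal's sources, or Vernier; the shared key, IV and frame contents are constructed, and the "known" frame stands in for any packet whose plaintext a parking-lot listener can predict or provoke (an ARP request, a ping it sent in from the Internet side). It shows the two failures that make WEP a poor fence around a card-processing network: RC4 keyed with a 24-bit IV repeats its keystream after only a few thousand frames, and one known plaintext under a repeated IV decrypts every other frame sent with that IV, without the WEP key ever being recovered:

```python
"""Added example: why a WEP-protected store network leaks to a parking-lot listener.

Illustration code for this page, not TJX's or the investigation's. WEP encrypts
each 802.11 data frame with RC4 keyed by a 24-bit IV (sent in the clear)
prepended to the shared key, and XORs the keystream over plaintext || CRC-32 ICV.
Two frames sent under the same IV therefore share a keystream: their
ciphertexts XOR to the XOR of their plaintexts, and one frame whose content the
attacker knows hands over the keystream for every other frame with that IV.
Keys and frames below are constructed.
"""
import math
import zlib

IV_BITS = 24


def rc4(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, stopping at the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP's integrity check value: a plain CRC-32, little-endian (linear, so not a MAC)."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as sent on air: IV || (RC4(IV||key) XOR (plaintext || ICV))."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)   # 40- or 104-bit WEP
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Legitimate receiver: strip IV, decrypt, verify ICV. Returns None on a bad ICV."""
    iv, body = frame[:3], frame[3:]
    pt_icv = xor(body, rc4(iv + shared_key, len(body)))
    pt = pt_icv[:-4]
    return pt if icv(pt) == pt_icv[-4:] else None


def ciphertext_xor_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Passive attacker, two frames with the same IV: C_a XOR C_b == P_a XOR P_b."""
    assert frame_a[:3] == frame_b[:3], "only frames sharing an IV share a keystream"
    return xor(frame_a[3:], frame_b[3:])


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attacker knows one frame's whole plaintext (e.g. a packet it caused the AP to
    relay): XOR with the ciphertext yields the keystream for that IV, ICV bytes included."""
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Decrypt another frame under the same IV without ever learning the WEP key.
    Returns the full plaintext if the keystream covers the frame, else a prefix."""
    assert frame[:3] == iv, "keystream is only valid for its own IV"
    body = frame[3:]
    recovered = xor(body, keystream)
    return recovered[:-4] if len(recovered) == len(body) else recovered


def frames_until_iv_collision(p: float = 0.5, iv_bits: int = IV_BITS) -> int:
    """Birthday bound: frames needed before some IV repeats with probability p,
    assuming uniformly random IVs (many cards just counted up from zero, which is worse)."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - p))))


# --- constructed demo data ---------------------------------------------------
KEY = bytes.fromhex("0badc0ffee")                   # 40-bit shared key (constructed)
IV = bytes.fromhex("0c0ffe")                        # an IV the access point reuses
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")     # fixed prefix of every IP data frame
KNOWN = LLC_SNAP_IP + b"\x00" * 64                  # e.g. an all-zero ping the attacker sent in
VICTIM = LLC_SNAP_IP + b"REGISTER 07 AUTH 4111111111111111 1212 (constructed)"

FRAME_KNOWN = wep_encrypt(KEY, IV, KNOWN)
FRAME_VICTIM = wep_encrypt(KEY, IV, VICTIM)

if __name__ == "__main__":
    ks = recover_keystream(FRAME_KNOWN, KNOWN)
    print(decrypt_with_keystream(FRAME_VICTIM, IV, ks))
    print(f"~{frames_until_iv_collision()} frames for a 50% chance of an IV repeat")
```

Real attacks (FMS, KoreK, PTW) go further and recover the shared key itself from tens of thousands of captured frames, so an attacker who can sit within radio range long enough ends up with the same access as a store register; that is the deficiency the PCI standard's "never rely exclusively on WEP" rule addresses.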
The company says the stolen data includes account information for about 45.7 million separate payment cards, though TJX claims that 75% of those cards were either expired at the time of the theft or the stolen information didn't include the security code data from the magnetic stripe on the cards. The company thinks that driver's license numbers, military IDs, and state IDs for 455,000 customers, together with their names and addresses, also were stolen.

STANDARDS WORK -- IF THEY'RE FOLLOWED

To adequately protect cardholder data, companies that handle this information need a secure network, some way of securing cardholder data during storage and transmission (such as encryption), a process for identifying and patching software vulnerabilities, and well-enforced access control measures. So says the Payment Card Industry data security standard, introduced by American Express, MasterCard Worldwide, Visa International, and other credit card providers two years before TJX announced its data breach. Of course, PCI improves security only if retailers follow the standard closely.

TJX said in its 2006 annual report that it "generally" had stopped storing magnetic-stripe data after Sept. 2, 2003; "generally" encrypted all payment card, check transaction, and personal information after April 7, 2004; and "generally" had masked payment card PINs as well as portions of payment card transaction and check transaction information after April 3, 2006. However, Visa indicated in February, through a number of documents sent to financial institutions that issue cards and manage Visa transactions, that TJX was storing card numbers, expiration dates, and card verification value codes; the verification value, like the rest of the magnetic-stripe data, is sensitive authentication data that PCI prohibits retaining once a transaction has been authorized. As for its efforts at encryption, "We believe the intruder had access to the decryption algorithm for the encryption software we utilize," TJX said in its annual report.
PCI also covers wireless network security, stating that wireless networks transmitting cardholder data must encrypt transmissions by using Wi-Fi Protected Access (WPA or WPA2), an IPsec VPN, or SSL/TLS. "Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN," the standard states.

SUNSHINE STATE

Other retailers are starting to feel the TJX Effect. In March, some of the stolen data surfaced in Florida, where thieves used it to make phony credit cards to steal about $8 million in merchandise from Wal-Mart stores in 50 Florida counties. In July, the U.S. Secret Service tied stolen TJX customer data to another south Florida fraud ring (see story, "The Face Of Identity Theft" [1]).

Banks and transaction processors are pushing back against having to cover fraud losses when the poor security practices of others are to blame. Several financial institutions have taken the unusual step of filing lawsuits against TJX, claiming that the retailer acted negligently by storing credit card holders' information unprotected and failing to install firewalls to protect sensitive financial databases. The Massachusetts Bankers Association filed a class-action suit against TJX that will seek to recover damages in the "tens of millions of dollars." The Connecticut Bankers Association and the Maine Association of Community Banks joined the Massachusetts association's suit as co-plaintiffs. TJX is based in Framingham, Mass.

Although aimed at TJX, these lawsuits aren't good news for retailers in general. "You don't usually sue merchants," says Mark Macheska, a VP of card risk prevention at Citizens Bank, but "the banks are taking all of the losses." Payment card information for hundreds of thousands of Citizens Bank customers may have been compromised as part of the TJX breach.

Lawmakers have used the TJX debacle to push data security legislation. On Aug. 1, the Plastic Card Security Act of Minnesota took effect, making the state the first to shift the costs associated with data breaches from financial institutions to the retailers that mishandle consumers' financial data. The law makes it illegal for Minnesota businesses to store a customer's PIN, security code, or magnetic-stripe information for more than 48 hours after a transaction is authorized. Next year, penalties are set to kick in that would give Minnesota financial institutions, such as banks and credit unions, the ability to sue merchants caught keeping private financial data if there's a security breach.

Massachusetts passed a data breach notification law this month, partly in reaction to TJX, joining some 30 states that require organizations to notify those affected when their personal data has been compromised. But not every state is rushing in. In May, Texas shot down a bill that would have compelled businesses to better protect and safeguard sensitive personal information contained in their customer records. Still, the passage of the Minnesota law indicates that the TJX data breach is "the straw that broke the camel's back" in terms of the public's patience with lax data security, says PayPal chief information security officer Michael Barrett. "If more states don't pass laws like Minnesota did," Barrett says, "we'll just be waiting for the next incident before we act."

A PARADOX

There's an interesting paradox in the TJX Effect, and it has to do with the company's financial performance. While at least a dozen customers have sued the company for not properly protecting their payment information--the cases are being consolidated into class-action suits and venues are still being chosen--many more are still shopping at its stores. Financial analysts continue to raise their expectations for the company's stock price, as first-quarter 2008 sales were up about 6% compared with the year-earlier quarter, to $4.1 billion.
Net income was down less than 2% from a year ago, to $162.1 million--not bad considering the $20 million charge TJX had to take. In a February survey of 1,200 debit card holders by Javelin Strategy & Research, three out of four said they wouldn't continue shopping at a merchant where a data breach had occurred, says Mary Monahan, a Javelin analyst, and 84% said they would shop at merchants that said they were security leaders. But the reality seems quite different. "As Americans, we're a very convenience-oriented society," says James Lee, public and consumer affairs officer for ChoicePoint, a provider of identification and credential verification services. In 2005, ChoicePoint reported that identity thieves had stolen about 163,000 customer records.

TJX also may be benefiting from reports that identity fraud isn't as rampant as many think. Of the 24 data breaches analyzed by the U.S. Government Accountability Office in a report issued last month, only three included evidence of resulting fraud on existing accounts and only one included evidence of an unauthorized creation of a new account. The GAO report states that for 18 of the breaches, "no clear evidence had been uncovered linking them to identity theft; and for the remaining two, there was not sufficient information to make a determination."

WATERSHED CASE

However, the magnitude of the TJX data breach, and the fact that stolen data is starting to surface, may change that perception. "TJX is a watershed case in this regard," PayPal's Barrett says. When customer data is stolen, as opposed to lost, you can be sure that someone's looking to use that information for financial gain. "Having an information breach is now an extremely significant operational risk," Barrett says. "There are very few risks that are worse than that."

Are executives nationwide worried about the TJX Effect? "Absolutely," says Andre Gold, head of technology risk management at ING U.S. Financial Services and former director of information security for Continental Airlines. "That's the kind of info that my executives are in tune to, because they want to make sure we're aware of this so that the same thing doesn't happen to us." The main takeaway: Look for weak links within your organization, because if you don't find them, someone else will.

ChoicePoint's Lee says the TJX data breach will force companies to be more transparent about the customer data they keep and how they protect it. ChoicePoint has accelerated a project to automate the way it discloses personal information to consumers who request it. Right now, if consumers want to know what information ChoicePoint has on them, the company puts together a report manually and mails it to them. To keep up with TJX-inspired demand, Lee's working to automate the system, a project that could take up to 26 weeks to complete, he says.

The National Retail Federation, whose eight-member executive committee includes CEOs from Ethan Allen Interiors, J.C. Penney, and Liz Claiborne, advocates several measures to prevent another data breach on the scale of TJX's. Rather than retain credit card information after a transaction is completed in order to settle disputes and handle chargebacks for returned merchandise, federation CIO Dave Hogan recommends retaining only information about the transaction itself--store number, time and date stamp, register number, and authorization number. "That would minimize, if not stop, payment card fraud," he says. At the very least, retailers should require customers to enter a PIN for debit and credit purchases to be processed. This doesn't solve the data theft problem, but it does reduce risk, Hogan says. Even better, credit card companies will eventually replace magnetic-stripe cards with cards that carry embedded chips and require PINs whenever they're used.

For others, the lesson is simple. "Get serious about getting PCI certified," says PayPal's Barrett.
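Hogan's "keep only the transaction" recommendation, the PCI prohibition on retaining magnetic-stripe data and verification values after authorization (Standards section above), and Minnesota's 48-hour limit all describe the same control, so one worked example covers them. This is added illustration code for this page, not TJX's, the NRF's or any processor's software; the swipe, PIN block, store and register identifiers are constructed, and the Track 2 layout follows ISO/IEC 7813 (`;PAN=YYMM` + service code + discretionary data + `?`, with the stripe's card verification value inside the discretionary field). It builds the authorization request from a swipe, keeps only Hogan's metadata plus a truncated PAN once the issuer has answered, and includes the audit check a practitioner would run over whatever the point-of-sale system actually wrote to disk:

```python
"""Added example: what a retailer may keep from a card swipe after authorization.

Illustration code for this page, not TJX's, the NRF's or any processor's
software. Track 2 is laid out per ISO/IEC 7813 as ;PAN=YYMMSSS<discretionary>?
where the discretionary field carries the card verification value written on
the stripe. All data below is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

TRACK2_RE = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")

# Sensitive authentication data: never to be stored once the issuer has answered.
SENSITIVE_AUTH_DATA = ("track2", "discretionary", "card_verification_value", "pin_block")
MINNESOTA_LIMIT = timedelta(hours=48)   # Plastic Card Security Act retention limit


def luhn_ok(pan: str) -> bool:
    """Luhn check digit, the usual sanity test on a PAN before it goes anywhere."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track2: str) -> dict:
    """Split a Track 2 string into its fields; raises on anything that is not one."""
    m = TRACK2_RE.match(track2)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("not a valid Track 2 string")
    return {"pan": m["pan"], "expiry_yymm": m["exp"],
            "service_code": m["svc"], "discretionary": m["disc"]}


def build_auth_request(track2: str, pin_block: bytes, amount_cents: int,
                       store: str, register: str) -> dict:
    """What goes to the processor for the approval decision. It lives in memory
    and on the wire only; nothing in this dict should reach disk as-is."""
    fields = parse_track2(track2)
    return {**fields, "track2": track2, "pin_block": pin_block,
            "amount_cents": amount_cents, "store": store, "register": register}


def mask_pan(pan: str) -> str:
    """First six and last four, the most PCI DSS permits to be shown in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def post_authorization_record(auth_request: dict, auth_code: str,
                              approved_at: datetime) -> dict:
    """The only thing written to the transaction database: Hogan's metadata plus a
    truncated PAN for returns and disputes. Stripe contents, verification value
    and PIN block are dropped rather than encrypted."""
    return {"store": auth_request["store"], "register": auth_request["register"],
            "approved_at": approved_at.isoformat(), "auth_code": auth_code,
            "amount_cents": auth_request["amount_cents"],
            "pan_truncated": mask_pan(auth_request["pan"])}


def retention_violations(record: dict, now: datetime) -> list:
    """Audit a stored record. PCI DSS allows no sensitive authentication data after
    authorization; Minnesota's act allows at most 48 hours. A full PAN is tolerated
    only if the record says it is stored encrypted."""
    age = now - datetime.fromisoformat(record["approved_at"])
    problems = []
    for field in SENSITIVE_AUTH_DATA:
        if record.get(field):
            problems.append(f"{field}: PCI DSS prohibits storage after authorization")
            if age > MINNESOTA_LIMIT:
                hours = age.total_seconds() / 3600
                problems.append(f"{field}: held {hours:.0f}h, over the Minnesota 48h limit")
    if record.get("pan") and not record.get("pan_encrypted"):
        problems.append("pan: full PAN stored without encryption")
    return problems


# --- constructed demo ---------------------------------------------------------
SWIPE = ";4111111111111111=29121011234567890?"   # standard test PAN, exp 12/29, service code 101
APPROVED = datetime(2007, 8, 11, 14, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    req = build_auth_request(SWIPE, b"\x04\x12\x34\x56\xff\xff\xff\xff", 4999, "0342", "07")
    rec = post_authorization_record(req, "A1B2C3", APPROVED)
    print(rec)
    print(retention_violations(rec, APPROVED + timedelta(days=3)))
    leaked = {**rec, "track2": SWIPE, "pan": req["pan"]}   # what a careless POS might write
    print(retention_violations(leaked, APPROVED + timedelta(days=3)))
```

The audit function is the part worth keeping: run it over the transaction tables, the POS debug logs and any "temporary" batch files, since stripe data that was never supposed to be stored usually turns up in the places nobody thought of as storage.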
To get that seal, you must have your IT systems assessed by a Qualified Security Assessor (for the on-site review) and scanned by an Approved Scanning Vendor (for external vulnerability scans), both approved by American Express, Discover, JCB, MasterCard Worldwide, and Visa International--all founding members of the PCI Security Standards Council. The assessor checks an organization's IT systems against the criteria published in the PCI data security standard. There are dozens of QSAs and ASVs, including Deloitte & Touche and Dimension Data.

With any luck, the TJX Effect will teach retailers this basic lesson: Thieves can't steal sensitive customer data if retailers aren't storing it.

[1] http://www.informationweek.com/story/showArticle.jhtml?articleID=201400172

Copyright © 2007 CMP Media LLC