When TJX Companies Inc., the $16 billion global retail chain that owns T.J. Maxx and Marshalls, among many other brands, disclosed this week that it had "suffered an unauthorized intrusion into its computer systems" in December, it seemed to be forthcoming.
After all, the chain issued what appeared to be a detailed statement about the incident. Detailed or not, it was certainly longer than the typical "we've been penetrated" statement.
The statement said the company had retained the services of both General Dynamics and IBM, both to help investigate and to upgrade security systems, ostensibly to prevent another similar intrusion.
But a closer reading of the statement raises quite a few questions, none of which the company has tried to answer.
To be fair, criminal security breaches are among the most sensitive and tricky things to discuss publicly. How specific does one dare get before revealing too much? The culprit is still out there and concealing how much is known about the crime can often help catch the bad guy.
That said, the "we don't want to help the bad guy" rationale is quite convenient when there might be questions about whether the retailer was sufficiently careful about protecting data and systems.
Let's start with the timing. If the chain was so concerned about quickly alerting potentially at-risk customers, why did it wait until Jan. 17 to reveal an intrusion that it said happened a full month earlier? ("Mid-December 2006" is how the statement described it.) I hope to avoid thinking that an immediate announcement might have hurt those crucial holiday sales.
Company officials have said the delay was due to both law enforcement requests and "business issues." Asking law enforcement whether information should be released is like asking an in-house lawyer whether a particular course is safe from lawsuits. Law enforcement always wants people to say as little as possible about a crime. As for the business concerns, it's not clear what those could be other than the holiday sales issue referenced above.
How safe were its systems? The carefully worded statement said, "With the help of leading computer security experts, TJX has significantly strengthened the security of its computer systems. While no computer security can completely guarantee the safety of data, these experts have confirmed that the containment plan adopted by TJX is appropriate to prevent future intrusions and to protect the safety of credit card, debit card and other customer transactions in its stores."
That sounds great, but why didn't this $16 billion retailer with more than 2,300 stores (which The Wall Street Journal said might have exposed more than 40 million cards in this incident) already have a security package that was "appropriate to prevent future intrusions and to protect the safety of credit card, debit card and other customer transactions in its stores"? Were its systems last month adequate and now they're overkill? Or are they now adequate and they were insufficient last month?
There are also PCI implications, courtesy of Visa, Mastercard and other card players. What exactly was captured? The chain said the "intrusion involves the portion of TJX's computer network that handles credit card, debit card, check, and merchandise return transactions" and that also impacted was "store information related to customer transactions" including driver's license information.
Does that include card application data, with everything from household income to prior addresses and name of employer? Getting back to PCI, does it include CVC numbers, which are technically not allowed to be stored? How much of the data was encrypted?
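As an added illustration of the PCI point above (not part of the original column), this Python audit scans constructed transaction records for data that PCI DSS forbids a merchant to retain: card verification codes and track data kept after authorization, and full card numbers stored in the clear. The field names, the token format and the card numbers (public test numbers) are assumptions for the sample.

```python
"""Audit stored card-transaction records for data PCI DSS says must not be kept.

Constructed example; the records below are made up, not TJX data.
"""
import re

# Sensitive authentication data: never to be stored after authorization,
# even encrypted. Field names are an assumed convention for this sample.
SAD_FIELDS = ("cvc", "cvv", "cvv2", "cid", "track1", "track2", "pin", "pin_block")
# A run of 13-19 digits not adjacent to other digits: candidate card number.
DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_record(rec: dict) -> list:
    """Return the list of PCI findings for one stored transaction record."""
    findings = []
    for f in SAD_FIELDS:
        if rec.get(f):
            findings.append(f"{f}: sensitive authentication data retained after authorization")
    for field, value in rec.items():  # look for clear-text PANs in any field
        for m in DIGIT_RUN.finditer(str(value)):
            if luhn_ok(m.group()):
                findings.append(f"{field}: full card number in the clear (truncate, tokenize or encrypt)")
    return findings

def audit(records: list) -> dict:
    """Map transaction id -> findings, only for records that have any."""
    out = {}
    for rec in records:
        findings = audit_record(rec)
        if findings:
            out[rec["txn"]] = findings
    return out

# Constructed sample store; the card numbers are public test numbers, not real accounts.
SAMPLE_RECORDS = [
    {"txn": "1001", "pan": "4111111111111111", "cvc": "123", "expiry": "1208"},   # clear PAN + CVC
    {"txn": "1002", "pan": "************1111", "expiry": "1208"},                 # masked: fine
    {"txn": "1003", "pan": "tok_9f1c2a", "track2": "5500000000000004=1208101"},  # track data kept
    {"txn": "1004", "pan": "tok_77b0de", "notes": "approved, ref 20061215"},      # token only: fine
]

if __name__ == "__main__":
    for txn, findings in audit(SAMPLE_RECORDS).items():
        print(txn, *findings, sep="\n  ")
```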
A banking group this week specifically accused TJX of having kept data improperly, but it's not clear what proof the group has for its claims. That said, the TJX statement certainly opens the door to such concerns.
Another question might be a wording issue. "TJX has specifically identified some customer information that has been stolen from its systems," said the statement. The colloquial interpretation of the term could mean the typical intrusion effort, where the byte-bandit bypasses security and then copies files and leaves. Technically, some security experts say, the phrase "stolen from its systems" should refer to a malicious and destructive act, such as when an intruder copies files and then deletes them or materially changes them.
Were the files actually stolen and they no longer exist within the TJX system? Even if that had been the case, which seems unlikely, hopefully backups would be sufficiently removed from the affected systems to be unaffected.
The geographies mentioned in the statement also are interesting. Quoting again from its statement: This incident impacted "customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada, and may involve customers of its T.K. Maxx stores in the U.K. and Ireland. The intrusion could also extend to TJX's Bob's Stores in the U.S." The data from all of those geographies were stored in one place? That would be unusual, said Mark Rasch, a former federal prosecutor specializing in technology crimes. Rasch wondered whether the breach impacted a third-party card processor that all of the TJX units shared.
As CardSystems learned when it was victimized by an intrusion, protecting future customers is important, but what will ultimately save, or destroy, a company's credibility and trustworthiness is how it handled its systems right before the attack.
If IT execs can't get the funding for proper security, they need to point to retailers who get hurt and then suddenly have the public spotlight shone on how well they protected their customer data. I absolutely hope the facts ultimately show that TJX was an ideal corporate citizen and that it had done everything reasonable to protect itself.
For the industry, however, it's sometimes not a bad thing for a company to get beaten up for less-than-ideal procedures. If nothing else, it gives a reason for margin-fearing execs to cough up the cash, just in case.