Massive TJX encrypted (or not) data theft

The BBC does not give much detail in its story, but it does at least mention that the data in question may have been encrypted:

In its filing to the Securities and Exchange Commission (SEC) the group said it believed “the intruder had access to the decryption tool for the encryption software utilized by TJX”.

Interesting. I’ve seen several people miss this fact in their analysis of the incident. Key management is often mentioned as a vague concept in the emerging regulations. Will we see sudden interest in tightening up the audit requirements for this crucial aspect of encryption? We’re working hard to refine and publish EKMI audit guidelines. The BBC continues…

It also admitted it did not know who, or how many people, were behind the attack, or whether there had been one breach or many.

The papers also said that a further 455,000 customers who returned merchandise without receipts had personal data stolen – including driver’s license numbers.

[…]

Hackers managed to access information from its TJ Maxx, Marshalls and HomeGoods shops in the US and Puerto Rico; Bob’s Stores in the US; as well as Winners and HomeSense shops in Canada.

It’s all so vague, but at least they’re trying to warn people/companies who might be affected. One might gather that times really have changed when reading an SF Gate article that (over?) emphasizes how little is apparently known about the incident:

“It’s not clear when information was deleted, it’s not clear who had access to what, and it’s not clear whether the data kept in all these files was encrypted, so it’s very hard to know how big this was,” said Deepak Taneja, chief executive of Aveska, a Waltham, Mass.-based firm that advises companies on information security.

Funny quote, eh? Maybe it is just not clear to Deepak? Wonder what he considers “easy to know” in investigations.

TJX also remains uncertain of the theft’s size because it deleted much of the transaction data in the normal course of business between the time of the breach and the time TJX detected it.

“There is a lot of information we don’t know, and may never be able to know, which is why this investigation has been so laborious,” TJX spokeswoman Sherry Lang said.

Oops. I always wonder what people are thinking when I come across data retention practices that keep sensitive consumer identity/card data around longer than necessary but that delete transaction and log data.

The PCI DSS has helped me significantly in the face of VPs and C-level folks who insist that they absolutely need to keep consumer data around for “convenience” or some other arguably lopsided (is it really in the consumer’s interest?) value proposition. I can’t reveal names/places, but I’ve certainly had some heated confrontations where I get to try to convince a highly successful and profitable business person that their practices have generated a “weaponized” data repository that could blow up and that things must change immediately.
