[Dataloss] TJX breach shows that encryption can be foiled

Casey, Troy # Atlanta Troy.Casey at mckesson.com
Mon Apr 2 19:44:12 UTC 2007 

It should make for a short list of suspects, assuming TJX was doing a
reasonable job of key management...but it does seem that they would have
been in a bigger hurry than this to declare that the data was encrypted
-- assuming that it, in fact, _was_ encrypted.

That said, following their behavior pattern of releasing little to no
information about this, nothing is said about what sort of encryption or
what cipher strength was in use.  A lot of encryption technology has
been obsoleted in recent years and if they were using a weak algorithm
it may not have been necessary for the thieves to lay hands on their key
in order to decrypt.  Given how long the breach went on, I'd say the bad
guys had plenty of time, in theory at least, to break an algorithm or
"guess" the key by automation...especially if they threw a couple
hundred Nigerian laptops at the problem :-)

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of B.K. DeLong
Sent: Monday, April 02, 2007 3:33 PM
To: lyger
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled

If that isn't a loaded statement. So TJX is claiming all their credit
card data is always encrypted at-rest? How many people would have access
to such a "decryption tool". This sounds fishy.

On 4/1/07, lyger <lyger at attrition.org> wrote:
>
>
http://www.boston.com/business/globe/articles/2007/03/31/tjx_breach_show
s_that_encryption_can_be_foiled/
>
> Encryption alone is no panacea for threats to consumer data, according

> to specialists who say the technology's limit can be seen in the 
> problems reported by TJX Cos. of Framingham.
>
> The notion of using complex math formulas to scramble electronic 
> information is gaining steam as a way to protect individuals' privacy,

> an area of growing concern for retailers and banks as data thefts 
> become more brazen.
>
> But recent details to emerge on how hackers accessed the parent of 
> stores including T.J. Maxx and Marshalls show how encryption can be 
> defeated by clever thieves -- and suggest the breach may have been an
inside job.
>
> A securities filing by TJX on Wednesday disclosed that the incident 
> may have compromised more than 45 million credit and debit card 
> numbers, the most in any single incident. In the filing, TJX also 
> stated that "we believe that the intruder had access to the decryption

> tool for the encryption software utilized by TJX."
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org) 
> http://attrition.org/dataloss Tracking more than 203 million 
> compromised records in 609 incidents over 7 years.
>


--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 203 million compromised records in 609 incidents over
7 years.

More information about the Dataloss mailing list