[Dataloss] follow-up: The TJX Effect (fwd)
security curmudgeon
jericho at attrition.org
Mon Aug 13 12:46:07 UTC 2007
---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>
http://www.informationweek.com/news/showArticle.jhtml?articleID=201400171
By Larry Greenemeier
InformationWeek
August 11, 2007
TJX will be glad when this year is over. The $17 billion-a-year parent
company of T.J. Maxx, Marshall's, and several other discount retail chains
has spent the past eight months dealing with the largest breach of
customer data in U.S. history, the details of which are starting to come
to light.
Last December, TJX says it alerted law enforcement that data thieves had
made off with more than 45 million customer records. Since that time, at
least one business, Wal-Mart, has lost millions of dollars as a result of
the theft, while TJX has spent more than $20 million investigating the
breach, notifying customers, and hiring lawyers to handle dozens of
lawsuits from customers and financial institutions. Should TJX lose in the
courts, it could be on the hook for millions more in damages.
But there's an even broader TJX Effect: The data breach, which actually
took place over a period of years, has put the entire retail industry on
the defensive and stirred up demands for all businesses that handle
payment card information to do a better job of protecting it. Legislators
are invoking TJX's name to fast-track data-security bills.
Few details of the TJX debacle have been made public by the company or
investigators. As recently as June, TJX said in a regulatory filing that
it didn't know "who took this action, whether there were one or more
intruders involved, or whether there was one continuing intrusion or
multiple, separate intrusions." Still, important details can be gleaned
from internal and external sources.
[..]