[Dataloss] follow-up: One year later: Five takeaways from the TJX breach
security curmudgeon
jericho at attrition.org
Fri Jan 18 07:34:18 UTC 2008
---------- Forwarded message ----------
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9057758
By Jaikumar Vijayan
January 17, 2008
Computerworld
One year ago today, The TJX Companies Inc. disclosed what has turned out
to be the largest information security breach involving credit and debit
card data -- thus far, at least.
The data compromise at the Framingham, Mass.-based retailer began in
mid-2005, with system intrusions at two Marshalls stores in Miami via
poorly protected wireless LANs. The intruders who broke into TJX's payment
systems remained undetected for 18 months, during which time they
downloaded a total of 80GB of cardholder data.
TJX eventually said that 45.6 million card numbers belonging to customers
in multiple countries were stolen from its systems. Even that number may
be far too low: a group of banks that is suing the retailer claimed in an
October court filing that information about 94 million cards was exposed
during the serial intrusions.
The sheer size of the data theft puts TJX in a league of its own among
companies hit by such incidents, and the breach has made it something of a
poster child for sloppy data security practices among retailers. In
addition, the breach highlighted several familiar issues and some
not-so-familiar ones.
Here, on the one-year anniversary of the breach becoming known, are five
takeaways for security managers:
[..]