Saturday, October 20, 2007


UPDATING THE TJX BREACH AND WHY WE CANNOT DEPEND ON BUSINESS TO PROTECT OUR NAMES AND PERSONAL DATA


This is a quick update on the worst data breach ever. In case you were in another galaxy, TJX, parent of TJ Maxx, Marshalls, and other US and Canadian retailers, lost 45.7 million customer credit and debit card numbers to hackers, as first announced in early 2007. Apparently the bad guys had been at work stealing the company’s customer information since 2003, and by 2005 were able to access what they wanted from the parking lot of one of the Marshalls stores, using a directional antenna to download the data. Say what you want, but that’s very sophisticated planning. Based on the potential cost to TJX for the breach—it has been estimated at $4.5 billion—you’d think these folks would have been watching the store more closely.

In a new report issued by the Office of the Privacy Commissioner of Canada—TJX stores in that country are Winners Merchant Int’l—the company failed to set adequate standards that could have prevented the break-in. See Wi-Fi Planet story. The article indicates that although other factors contributed to the breach, the actual reason is that TJX relied on a weak encryption protocol, Wired Equivalent Privacy (WEP), which allowed the parking lot bandits to do their number. They should have converted to the stronger standard, Wi-Fi Protected Access (WPA). See definition. Canadian investigators concluded, “The risk of breach was foreseeable…” TJX actually knew something was going on in 2006, according to the report. So why weren’t steps taken to improve the encryption?

I cannot answer that question, but I can say how we can stop this kind of identity fraud for good. Give consumers control over their names and personal data, and while we’re at it, compensate them when that data is sold. While Congress, and most states, toy with legislation that applies only after the breach has happened, my concept of control prevents the act from ever occurring. Please tell me if there is something wrong with this idea.