Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

A number of news sources (including a page one article in Wall Street Journal on Friday, 4 May) have reported on a security breach at TJX, parent company of the TJ Maxx department store chain, resulting in the compromise of more than 45 million credit card numbers. In terms of credit data theft, that’s a new record!

http://www.theregister.co.uk/2007/03/29/tjx_credit-card_debacle/

http://www.msnbc.msn.com/id/17853440/

One humorous aspect of the WSJ article (free online link not available) accompanies an assertion that the attackers may have initially penetrated TJX security via the poorly secured (at best) WiFi network deployed at various store locations. The wireless network was used to connect employee hand-held computers, which at times would transmit passwords that could be used to access the corporate network. Anyway, the Journal included an image of a sizeable high-gain, directional wireless antenna (sort of like this one - http://www.cantenna.com/), with a caption to the effect of "this may or may not have been what the attackers used," as though what they really wanted to say was, "look at this scary bazooka that the mean hackers were pointing at the innocent merchant."

Not that the hackers are innocent. They should go to jail. But what really irks me is that the merchant has no official liability in these cases. Apparently, legally, the cost of credit card data theft is shared by the card company (Visa/MasterCard), the issuing bank, and the consumer (up to $50 or whatever). Of course, TJX is going to get sued, but the laws protecting financial data against negligence can and should be clearer on this.

Why on earth does TJX need to store 45 million credit card numbers anyway? I don’t understand what sort of retail data mining or down-stream usage requires preserving the actual card number once the transaction is complete. One exception - the Amazon.com one-click shopping thing. But if a seller is going to elect to offer that kind of feature, they should be held fully liable when their big card database gets compromised. And TJ Maxx doesn’t even seem to have an e-commerce presence …
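To make the data-minimisation point concrete, here is an added example (mine, not code from the post or from TJX) of the pattern that lets a merchant keep "card on file" features without keeping the card number itself: the merchant stores an opaque token plus the last four digits, and the full PAN lives only in a separate, tightly controlled vault that the payment gateway consults. The `TokenVault` class, the `MerchantRecord` shape and the in-memory dictionary are hypothetical stand-ins for a real vault service; the sample PAN is a constructed, publicly documented test number, not a real card.

```python
"""Data-minimisation sketch (added example, not the blog's own code).

A merchant's database keeps only a random token and the last four digits;
the full PAN is held in a separate vault. A dump of the merchant table
therefore exposes no usable card numbers.
"""
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used only to reject malformed input before tokenising."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class MerchantRecord:
    """What the merchant is allowed to persist: no PAN, no expiry, no CVV."""
    token: str
    last_four: str


class TokenVault:
    """Hypothetical vault service; in practice a separate system with its own
    access controls. The dict here is a stand-in for its protected storage."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> MerchantRecord:
        if not luhn_valid(pan):
            raise ValueError("malformed PAN")
        token = secrets.token_urlsafe(24)   # random, unrelated to the PAN
        self._by_token[token] = pan
        return MerchantRecord(token=token, last_four=pan[-4:])

    def detokenize(self, token: str) -> str:
        """Only the payment gateway side should ever call this."""
        return self._by_token[token]


def record_exposes_pan(record: MerchantRecord, pan: str) -> bool:
    """True if a leaked merchant record would reveal the full card number."""
    return pan in record.token or pan in record.last_four


def demo() -> tuple[MerchantRecord, bool, bool]:
    """Tokenise a constructed test PAN and check what a merchant-side leak would show."""
    vault = TokenVault()
    pan = "4111111111111111"   # constructed: a well-known test number, not a real card
    rec = vault.tokenize(pan)
    round_trips = vault.detokenize(rec.token) == pan   # gateway can still charge it
    leaked = record_exposes_pan(rec, pan)              # merchant table reveals nothing
    return rec, round_trips, leaked


if __name__ == "__main__":
    rec, ok, leaked = demo()
    print(f"merchant stores: {rec}")
    print(f"vault round-trip ok: {ok}, merchant record exposes PAN: {leaked}")
```

The one-click case from the paragraph above fits this model: a repeat purchase sends the stored token to the gateway, which detokenises it inside the vault boundary, so the merchant's own database never needs the number.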
