Incompetence to the Maxx

Stephen DeAngelis

April 05, 2007

Last week the parent company of TJ Maxx (TJX) reported the theft of nearly 46 million credit and debit card numbers from customers in the United States, Britain and Canada. This didn’t happen in one fell swoop (like the loss of a laptop or the theft of a CD); it took place over a period of years. [“Data Theft Grows to Biggest Ever,” by Ellen Nakashima and Ylan Q. Mui, Washington Post, 30 March 2007].

“The figure, which the company said is incomplete, represents the largest reported computer theft of personal data in history. … According to the filing, TJX discovered suspicious software on its computers Dec. 18 and began an investigation. Three days later, the company concluded that a breach had probably occurred and that the intruder was still on the system. The next day, it notified federal investigators. On Dec. 27, the firm learned that customer data had been stolen, and it notified banks and check-processing companies. On Jan. 17, TJX announced the intrusion but did not say how much data was taken. Based on the firm’s investigation, the intrusion occurred in July 2005, on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007. No customer data was stolen after Dec. 18, 2006. Three-quarters of the cards were expired or contained magnetic strip data that was masked or stored as asterisks rather than numbers at the time the information was stolen. The firm stored data, some of which dated to 2003 transactions. Expired cards can still be at risk because they are often renewed with the same numbers, and the TJX filing said the hackers’ technology could have penetrated masked data. The thieves stole data from the firm’s computer systems in Framingham, where transactions are processed for customers in the United States, Puerto Rico and Canada. They also took data from systems in Watford, England.”

Anyone who has ever been mugged, had their car broken into, or had their house robbed knows how violated they feel afterwards. Forty-six million shoppers should have that same feeling right now. Whenever you hand over a credit or debit card to a merchant, you are demonstrating a high level of trust in that company — both its employees and processes. You assume that they will take extraordinary measures to protect your property (in this case, your identity and credit). TJX violated that trust in a huge way and needs to take extraordinary measures to recover its reputation. Otherwise, the company should suffer the consequences to the Maxx.

“TJX, whose 2,500 stores include clothing chains T.J. Maxx and Marshalls, reported the breach in January but disclosed its massive scale for the first time in a filing made to the Securities and Exchange Commission after business hours Wednesday [28 March]. The computer breach is significant not only because of its scope but also because the hacker or hackers had access to the decryption tool used to decipher sensitive encrypted information and an ability to intercept data as shoppers’ credit transactions were being approved. Thieves have been using the data to make fraudulent purchases in Florida and as far away as Sweden and Hong Kong, according to police and bank officials. Also taken were personal ID numbers, related names and addresses, and drivers’ license, military and state ID numbers from 455,000 shoppers who made merchandise returns in the United States and Puerto Rico. The Framingham, Mass., firm acknowledged in the filing that it ‘may never be able to identify much of the information believed stolen.'”

When you think about it, the entire economy relies on trust. People give merchants little pieces of paper (called money) or little pieces of plastic (called credit or debit cards) and in return customers get real products like televisions, computers, and meals. Merchants trust customers and customers trust merchants. Break down that trust and you break down the economy. That is perhaps the greatest irony of identity theft. Criminals, whose activities undermine that trust, rely on it to make their crimes profitable.

Lawmakers who understand the importance of maintaining that trust have proposed legislation that would make companies responsible for breaches of trust.

“Legislation pending in Massachusetts would make retailers responsible for the financial cost of data breaches, currently covered by banks that issue the credit cards. Rep. Barney Frank (D-Mass.) is considering introducing a similar bill in Congress.”

TJX’s incompetence in protecting data should serve as a cold shower to sleepy merchants who remain lax or inattentive in securing their transactions. The 17 February 2007 cover of The Economist carries the headline “The end of the cash era.” If other major merchants prove as incompetent as TJX in handling credit and debit transactions, the cash era may be around for a long time.

“The breach is a wake-up call, analysts said, to retailers, consumers and regulators about the increased sophistication of hackers and the need to improve data security. ‘In the old days, a fraudulent store employee could steal 30 or 40 credit cards a weekend,’ said Mark Rasch, technology director with FTI Consulting, which helps firms prevent data breaches. ‘Now we’re at the point where a motivated hacker can steal 30 or 40 thousand cards in a weekend. And a team of motivated hackers can steal 30 or 40 million.’ Avivah Litan, a security analyst with Gartner, said investigators told her they thought hackers gained access through a wireless network that managed the cash registers and terminals. Once in, they were able to find their way to systems in Britain, Puerto Rico and Canada. ‘The lesson is that one little hole in your network through a wireless network can lead you to the entire corporate treasure,’ Litan said. This month, Florida police arrested six people suspected of using stolen TJX credit card data to purchase $8 million in gift cards and electronic goods, said Keith Kameg, an officer in Gainesville. The arrests are among the first indications that the stolen information is being used to buy goods fraudulently, and Kameg and others said they expect many more cases to turn up.”

The first consequences of the TJX breach are already beginning to occur.

“Since January, when TJX disclosed the breach, it has been the target of class-action lawsuits by shoppers in Massachusetts, Alabama, California, Canada and Puerto Rico. ‘They’re obviously not happy,’ attorney Jon J. Lambiras said of his clients in Massachusetts. ‘They’re very concerned that they’re at risk for identity theft.’”

This story will continue to play out as more reports of identity theft occur. Millions of unproductive hours are likely to be spent (along with hundreds of millions of dollars) in straightening out the mess created by this breach of trust. What is TJX’s response to this mess?

“TJX is cooperating with a federal criminal investigation. State and federal authorities are also looking into whether TJX violated consumer-protection laws. TJX spokeswoman Sherry Lang suggested that TJX was simply the most visible example of a widespread trend. ‘Breaches go on all the time that never get detected and never get reported,’ she said. ‘I think we have been victimized here along with our customers.'”

Somehow I don’t think the real victims will see TJX as a victim. In today’s society, however, nobody wants to take responsibility — it’s always someone else’s fault. That’s not enjoying life to the Maxx or taking responsibility to the Maxx.