NEWS ALERTS — Breaking News Alerts from Identity Theft 911

TJX SEC Filing Reveals Higher Toll, Decoded Encryption

Perhaps shopping at TJX stores wasn’t such a bargain after all.  As if the TJX database breach wasn’t disturbing enough, the past few days have revealed even more unsettling news.  First came word of TJX’s securities filing, which included the first official tally of stolen credit and debit card numbers.  According to a Boston Globe article on March 29, the toll was 45.7 million (plus the dismal “or more” disclaimer), which is actually higher than The Wall Street Journal’s initial estimate of 40 million.  This catapults TJX into the Olympian Gold-Medal rank of companies that have experienced data breaches.  The SEC filing provided the most detailed look at the breach since it was disclosed in January.

Evidently, TJX has also learned more details about other sensitive data the hackers lifted (including names, addresses, driver’s license numbers, state and military ID numbers) from 455,000 customers who made returns without receipts, according to the March 29 Boston Globe article and the TJX FAQ, a site the company recently posted about the breach.  Additionally, some customers’ state and military ID numbers might have been the same as their social security numbers. TJX officials claim the company will provide those customers with free credit monitoring.

Useless data?

A TJX spokesperson claimed that up to 75% of the information came from cards that were expired or were stored as asterisks rather than numbers, and therefore, are not readable.  However, she admits that they’ll probably never know how widespread the damage is.

According to TJX FAQ, hackers began raiding the system in July 2005, and stole data from transactions that occurred as far back as 2003.

The scariest part:

Just when we thought the case couldn’t get any messier, it does.  TJX did encrypt at least some of its data, but it revealed in the SEC filing that “we believe that the intruder had access to the decryption tool for the encryption software utilized by TJX,” according to a March 31, 2007, Boston Globe article about data encryption shortcomings.  Some are speculating that if the thieves did have the ability to decrypt the data, the security breach might have been an inside job—not the biggest surprise of the year.

However, TJX says that beyond their ability to decrypt data, it appears as though the hackers gained the ability to read the credit card information at the time a transaction was being approved.  At that stage, such information isn’t yet encrypted.

Several questions come up:

  • What’s the use of relying upon encryption of sensitive data if it can be decrypted – possibly by an “insider” supposedly responsible for guarding it?
  • What’s the use of encrypting sensitive data if it can be intercepted and stolen before it’s encrypted?
  • What’s the use, period? Should we just start paying in cash again? Of course not, but if security breaches continue at their current rate, consumers may be pushed in that direction.

If nothing else, the TJX breach serves as a case study in what not to do (store credit card numbers), and what not to rely on (encryption, solely).  We are not suggesting that encryption isn’t a critical part of data security.  We are simply raising the point: Your security is only as good as its weakest link.  At this point, let’s look to the old chestnut—“What doesn’t kill us makes us stronger”—if it can indeed be applied to data security.


©2003-2010 Identity Theft 911, LLC. All rights reserved.
