Lessons from TJX Security Breach

By Tom Ryan

Just a little over a year ago, The TJX Cos. disclosed what became the largest information security breach involving credit and debit card data. The incident left many wondering about the financial cost of the intrusion, its effect on consumers, and the chances that it could happen again.

Marking the anniversary, ITBusiness.ca came up with five takeaways from the breach’s fallout:

1) Breach disclosures don’t always affect revenue or stock price: Despite the costs and bad publicity, TJX’s stock trades at virtually the same price as before the breach. Sales also remain healthy – comps ahead 4 percent in the eleven months through Jan 5 – despite concerns that consumers would be wary about shopping the off-pricer. Avivah Litan, an analyst at Gartner Inc., believes consumers realized they themselves won’t have to pay for any fraud that might result from payment card compromises.

2) Breaches can be costly: TJX has so far set aside about $250 million in breach-related costs, and Forrester Research estimates that could rise to $1 billion over the next few years. So far, costs have involved fixing security flaws; dealing with claims, lawsuits and fines; and offering free credit-card monitoring services, cash reimbursements, and other discounts to customers affected by the breach.

3) PCI remains a work in progress: The breach brought to light the fact that many retailers had not yet fully implemented the set of security controls mandated by the major credit card companies under the Payment Card Industry Data Security Standard, or PCI. The rules took effect in June 2005, and required merchants — especially ones such as TJX that process a high volume of card transactions annually — to implement 12 broad security controls for protecting customer data. Court documents allege that TJX wasn’t compliant with nine of them when the intrusions took place. And TJX was by no means alone.

4) The card payment process has issues: In several states, credit unions and smaller banks have lobbied the legislatures to pass new laws requiring retailers to reimburse them for the costs involved in notifying customers of breaches and reissuing cards. Retailers have argued that the commissions they pay to card companies on each transaction are supposed to cover fraud-related costs. They also said that the only reason they store payment card data is because they’re required to by the credit card companies. In October, the NRF asked Visa and the other card companies to drop that requirement.

5) The bad guys remain hard to catch: Although some users of card numbers stolen in the breach have been arrested, the hackers haven’t been caught, as is typical in most breaches. “The crooks are still at it,” Mr. Litan said. “They probably will strike again. They’re laughing all the way to the bank.”

Discussion Question: What do you think the retail industry has or should have learned from the TJX security breach?

Mark Lilien
16 years ago

Credit card security is a major issue for IT departments at every major chain retailer. But it’s likely that breaches will continue because (1) only 1 state, Minnesota, passed legislation holding retailers clearly responsible and (2) the demand for stolen credit card data is so lucrative. Tech innovation is ROI-driven, and the ROI for breach innovation is excellent. Crooks have done the financial analysis very well.

Susan Rider
16 years ago

This was definitely a wake-up call for retailers. It’s an area that doesn’t improve overnight and can take one to two years to implement. Many are working on improving this area but it takes time. PCI security should be an evolving, “keeping up with the technology” event.

Bill Robinson
16 years ago

The TJX breach will be remembered as a major watershed incident. It demanded that every consumer-facing company look hard at its security practices. Firewalls and wireless security jumped to the top of the IT to-do list. And consumers, until then wary of Internet shopping, learned to be wary of all forms of credit and debit card shopping.

But, by now, the retail industry has moved on. The industry has responded. The battle lines between the hacker-scammers and the industry have been redrawn. No doubt we will soon hear of an even more devastating breach. Such incidents have the potential to do huge damage to consumer confidence and the underpinnings of our fast emerging electronic commerce infrastructure.

Stakeholders–including network providers, accountants, and law officials–need to redouble their efforts in prevention, detection, and ultimately prosecution.

Evan Schuman
16 years ago

TJX sent a wake-up call all right, but it’s not the one most of us wanted it to be. The call was that being cheap on security investments is a viable approach as it’s a worthwhile gamble. Zero liability campaigns will make sure that a consumer backlash doesn’t happen. That’s the key. As long as customers don’t care about a breach (they may SAY they care, but watch their purchases and then you’ll see how much they truly care), revenue is protected. Therefore, Wall Street won’t care. The rest is just background noise: cost-of-doing-business noise.

Something positive is coming out of this. Retailers are taking the dollars that PCI plans are freeing up and using them to modernize POS and related systems. In other words, when security also enables more sophisticated POS and perhaps payment options that cost less, you’ve suddenly got the CFO’s attention in a way that no cyber-thief ever could.

Paula Rosenblum
16 years ago

I think the industry has received mixed messages.

We’ve certainly seen an uptick in interest around data security (an area RSR has been focusing on for some time). But there’s a deeper message–and that is the sense that for a large company like TJX, you can just “pay the ticket and move on.”

A billion dollars sounds like a lot, but when you spread it out over a number of years, and look at the extremely low amount TJX (a company currently bringing in $17 billion in revenue) has had to spend out of pocket thus far, it really isn’t all that much.

I expect a change to come somewhere down the line–but it hasn’t happened yet.

Cathy Hotka
16 years ago

Retail CIOs report that they have had real issues in getting funding for security initiatives. CIOs understand the risks and are always looking for ammunition to bolster their case for additional tools. The industry needs to understand that this isn’t just an isolated incident, and that far worse threats exist.

Steve Mott
16 years ago

Hopefully, one day retailers (and consumers) will realize that a payment mechanism where the account information and user’s identity are provided for all to see/capture on a plastic card, and can then be rendered on a counterfeit version of that mechanism, is NOT a sensible way to transact in this day and age.

It isn’t TJX’s fault that signature-based credit and debit cards are so easily compromised and convertible into ill-gotten gains. And given the escalation in attacks on this primitive (by today’s standards and threats) form of payment, TJX and other retailers are on a “stairmaster” of growing requirements and investments to stick their fingers into this payment mechanism’s dikes. In effect, TJX (and other retailers) are racing to play “catch-up” on closing the barn door after the horses are already out….

Instead, retailers should be more receptive to new ways to pay where the user verifies the identity at the point-of-interaction, and a “token” representing the account information from which the purchase will be conducted is known only to the user and the account issuer. PIN-debit is a good solution (provided that PIN is encrypted in compliance with standards), but private label cards, stored value cards (with PIN authentication), contactless and biometric-secured payments, and many other options are emerging and should be embraced. Most of these alternative payment forms have the additional advantage of being more consumer-friendly–instead of being packed with penalty fees, interest rates, exposure to NSFs, etc.

Embracing better ways to pay and transact will help reduce the merchant’s dependency on archaic bank cards and help absolve them from the need to continue to invest in and be responsible for adding ever-more plumbing for fixing the inherent deficiencies of signature-based bank cards–a payment mechanism that is quickly outliving its usefulness and economic justification.
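The token-based model described in the comment above (the account number known only to the cardholder and the issuer, with the user verified at the point of interaction) can be sketched as a small Python model. This is an added example, not code from RetailWire, ITBusiness.ca or any commenter, and every class, method and sample value in it is a constructed illustration: the issuer holds a vault that maps merchant-bound random tokens back to the account number and checks a PIN, while the merchant's own records never contain the card number, so a breach of the merchant's database yields nothing that can be replayed elsewhere.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample card numbers for the demo only (not real accounts).
SAMPLE_PAN = "4111111111111111"

PBKDF2_ROUNDS = 100_000


class IssuerVault:
    """Issuer-side vault: the only place a token can be mapped back to a PAN.
    Hypothetical API; real issuer/tokenization services differ."""

    def __init__(self):
        self._by_token = {}    # (merchant_id, token) -> PAN
        self._pin_hashes = {}  # PAN -> (salt, PBKDF2 hash of the PIN)

    def enroll(self, pan, pin):
        # Store only a salted, stretched hash of the PIN, never the PIN itself.
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        self._pin_hashes[pan] = (salt, digest)

    def tokenize(self, pan, merchant_id):
        # A random token carries no information about the PAN and is bound to
        # one merchant, so a token stolen from one store is useless at another.
        token = secrets.token_hex(16)
        self._by_token[(merchant_id, token)] = pan
        return token

    def authorize(self, merchant_id, token, pin):
        """User verification at the point of interaction: the issuer resolves
        the merchant-bound token and checks the PIN in constant time."""
        pan = self._by_token.get((merchant_id, token))
        if pan is None:
            return False
        salt, expected = self._pin_hashes[pan]
        actual = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(actual, expected)


class MerchantStore:
    """What the retailer keeps: token, last four digits and amount, no PAN."""

    def __init__(self, merchant_id):
        self.merchant_id = merchant_id
        self.records = []

    def record_sale(self, token, last4, amount):
        self.records.append({"token": token, "last4": last4, "amount": amount})


# 13 to 19 digit runs are what a card-number scanner would look for.
PAN_RE = re.compile(r"\d{13,19}")


def exposed_pans(records):
    """Scan merchant records the way a post-breach review would: return every
    value that looks like a full card number. For a tokenized store this is []."""
    return [
        value
        for record in records
        for value in record.values()
        if isinstance(value, str) and PAN_RE.fullmatch(value)
    ]


def demo():
    vault = IssuerVault()
    vault.enroll(SAMPLE_PAN, "1234")
    store = MerchantStore("store-A")
    token = vault.tokenize(SAMPLE_PAN, store.merchant_id)
    store.record_sale(token, SAMPLE_PAN[-4:], 42.50)
    return {
        "authorized_here": vault.authorize("store-A", token, "1234"),
        "replayed_elsewhere": vault.authorize("store-B", token, "1234"),
        "wrong_pin": vault.authorize("store-A", token, "0000"),
        "pans_in_merchant_db": exposed_pans(store.records),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the merchant-bound lookup key and the issuer-side PIN check are what make a stolen merchant database low value: the attacker gets tokens that only work at one merchant and still need a PIN the issuer, not the merchant, verifies.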
