Lessons from TJX Security Breach

By Tom Ryan
Just a little over a year ago, The TJX Cos. disclosed what became the largest information security breach involving credit and debit card data. The incident left many wondering about the financial cost of the intrusion, its effect on consumers, and the chances that it could happen again.
Marking the anniversary, ITBusiness.ca came up with five takeaways from the breach’s fallout:
1) Breach disclosures don’t always affect revenue or stock price: Despite the costs and bad publicity, TJX’s stock trades at virtually the same price as before the breach. Sales also remain healthy – comps ahead 4 percent in the eleven months through Jan 5 – despite concerns that consumers would be wary about shopping the off-pricer. Avivah Litan, an analyst at Gartner Inc., believes consumers realized they themselves won’t have to pay for any fraud that might result from payment card compromises.
2) Breaches can be costly: TJX has so far set aside about $250 million in breach-related costs, and Forrester Research estimates that could rise to $1 billion over the next few years. So far, costs have involved fixing security flaws; dealing with claims, lawsuits and fines; and offering free credit-card monitoring services, cash reimbursements, and other discounts to customers affected by the breach.
3) PCI remains a work in progress: The breach brought to light the fact that many retailers had not yet fully implemented the set of security controls mandated by the major credit card companies under the Payment Card Industry Data Security Standard, or PCI. The rules took effect in June 2005, and required merchants — especially ones such as TJX that process a high volume of card transactions annually — to implement 12 broad security controls for protecting customer data. Court documents allege that TJX wasn’t compliant with nine of them when the intrusions took place. And TJX was by no means alone.
4) The card payment process has issues: In several states, credit unions and smaller banks have lobbied the legislatures to pass new laws requiring retailers to reimburse them for the costs involved in notifying customers of breaches and reissuing cards. Retailers have argued that the commissions they pay to card companies on each transaction are supposed to cover fraud-related costs. They also said that the only reason they store payment card data is because they’re required to by the credit card companies. In October, the NRF asked Visa and the other card companies to drop that requirement.
5) The bad guys remain hard to catch: Although some users of card numbers stolen in the breach have been arrested, the hackers haven’t been caught, as is typical in most breaches. “The crooks are still at it,” Mr. Litan said. “They probably will strike again. They’re laughing all the way to the bank.”
Discussion Question: What do you think the retail industry has or should have learned from the TJX security breach?
Credit card security is a major issue for IT departments at every major chain retailer. But it’s likely that breaches will continue because (1) only 1 state, Minnesota, passed legislation holding retailers clearly responsible and (2) the demand for stolen credit card data is so lucrative. Tech innovation is ROI-driven, and the ROI for breach innovation is excellent. Crooks have done the financial analysis very well.
This was definitely a wake-up call for retailers. It’s an area that doesn’t improve overnight and can take one to two years to implement. Many are working on improving this area but it takes time. PCI security should be an evolving, “keeping up with the technology” event.
The TJX breach will be remembered as a major watershed incident. It demanded that every consumer-facing company look hard at its security practices. Firewalls and wireless security jumped to the top of the IT to-do list. And consumers, until then wary of Internet shopping, learned to be wary of all forms of credit and debit card shopping.
But, by now, the retail industry has moved on. The industry has responded. The battle lines between the hacker-scammers and the industry have been redrawn. No doubt we will soon hear of an even more devastating breach. Such incidents have the potential to do huge damage to consumer confidence and the underpinnings of our fast emerging electronic commerce infrastructure.
Stakeholders – including network providers, accountants, and law officials – need to redouble their efforts in prevention, detection, and ultimately prosecution.
TJX sent a wake-up call all right, but it’s not the one most of us wanted it to be. The call was that being cheap on security investments is a viable approach as it’s a worthwhile gamble. Zero liability campaigns will make sure that a consumer backlash doesn’t happen. That’s the key. As long as customers don’t care about a breach (they may SAY they care, but watch their purchases and then you’ll see how much they truly care), revenue is protected. Therefore, Wall Street won’t care. The rest is just background noise: cost-of-doing-business noise.
Something positive is coming out of this. Retailers are taking the dollars that PCI plans are freeing up and using them to modernize POS and related systems. In other words, when security also enables more sophisticated POS and perhaps payment options that cost less, you’ve suddenly got the CFO’s attention in a way that no cyber-thief ever could.
I think the industry has received mixed messages.
We’ve certainly seen an uptick in interest around data security (an area RSR has been focusing on for some time). But there’s a deeper message – and that is the sense that for a large company like TJX, you can just “pay the ticket and move on.”
A billion dollars sounds like a lot, but when you spread it out over a number of years, and look at the extremely low amount TJX (a company currently bringing in $17 billion in revenue) has had to spend out of pocket thus far, it really isn’t all that much.
I expect a change to come somewhere down the line – but it hasn’t happened yet.
Retail CIOs report that they have had real issues in getting funding for security initiatives. CIOs understand the risks and are always looking for ammunition to bolster their case for additional tools. The industry needs to understand that this isn’t just an isolated incident, and that far worse threats exist.