Dynamic security usage would have prevented the intrusion altogether

TJX Data Breach Worse Than Initially Reported

Occurred earlier, reached further than first thought

Jaikumar Vijayan   

 February 26, 2007 (Computerworld) --

The massive data breach disclosed last month by The TJX Companies Inc. was far worse than first reported, the company said last week.

An ongoing internal investigation into the breach has shown that intruders gained access to TJX’s systems in July 2005, almost a full year earlier than first thought.

The investigation has also found that card transaction data from TJX-owned stores in the U.K and Ireland were affected by the intrusion, the company acknowledged. Previously, TJX had said only that it was “concerned” that the breach may have extended to those countries.

“We are dedicating substantial resources to investigating and evaluating the intrusion,” TJX CEO Carol Meyrowitz said in a statement. More than 50 experts from IBM and General Dynamics Corp., hired by TJX to shore up security in the wake of the breach, are investigating the incident, Meyrowitz said.

TJX, owner of retail chains TJ Maxx, Marshalls and Bob’s Stores, last month revealed that someone had illegally accessed a payment system and made off with card data belonging to customers in the U.S., Canada and Puerto Rico and possibly in the U.K. and Ireland. At the time, the company said the breach had occurred in May 2006.

TJX hasn’t disclosed how many shoppers may have been affected by the breach. Some analysts believe the number could be in the millions.

Avivah Litan, an analyst at Gartner Inc., said the latest update by TJX could mean that officials are getting closer to finding the perpetrators.

“I think they have pinpointed [the intruders] to a large degree and may have found files indicating that 2005 [card] data was stolen,” she said.

TJX’s latest disclosure is not all that surprising and points to a broad lack of internal data controls at many large companies, security analysts said.

“When it comes right down to it, very few companies have effective controls to monitor internal systems closely and follow the movement of data” on their networks, said Alex Bakman, CEO of Ecora Software Corp., a Portsmouth, N.H.-based maker of compliance software. Therefore, such breaches can go unnoticed for a long time, he said.

“The underlying problem is that companies are treating security as a ‘nice to have’ as opposed to a ‘must have,’” Bakman said.

“TJX is just the tip of the iceberg. I think we are going to see many more” such disclosures, he added. “It’s going to get a lot uglier before it gets any better.”

Joel Rosen, CEO of security vendor Tizor Systems Inc. in Maynard, Mass., said, “Many companies that relied on traditional security are just coming to terms with the fact that beefing up existing systems is not the answer.”

The fallout from the breach has been widespread as U.S. and Canadian banks and credit unions have been forced to block and reissue thousands of cards. The New Hampshire Bankers Association has estimated that 20% to 30% of New England residents may have been affected by the breach.