Lessons from TJX: Proactive Risk Management Pays

I read today that TJX just held a “Customer Appreciation” sale related to the massive data breach that exposed as many as 100 million customer accounts. According to TJX spokesperson Sherry Lang, TJX offered customers 15% off entire purchases on January 22 “to express our appreciation to customers for their continued support and patronage following the criminal attack(s) announced on our computer systems two years ago.”

I’ve been tracking the TJX data breach since it was announced in early 2007. Public details about the breach have been a little sketchy. For those of you with the patience to read legal filings (or who are perhaps having trouble falling asleep), some intriguing details can be found in a class action lawsuit filed against TJX in April 2007 by the banks impacted by the breach. According to the filing, intruders gained access to TJX servers in Framingham through a TJX wireless system that did not have proper security.

The hackers then set up administrative accounts on the TJX servers, which centrally process customer transactions for the entire United States. The intruders then copied and transferred 83 GB of data from the servers in September and November 2005. In May of 2006, again taking advantage of the undetected administrative accounts, the thieves placed illegal “sniffing” software on TJX’s Framingham servers to capture the details of millions of unencrypted customer transactions. TJX did not discover the sniffer tool until late 2006.

TJX obviously had some pretty serious security deficiencies. The details of the class action suit make it clear that the TJX data breach was not a one-time act of theft but a long-term infiltration of the IT environment by intruders who set up privileged accounts on TJX servers. Apparently, TJX not only failed to detect the intrusion, but it also failed to detect the “rogue” accounts that were being used to siphon off customer data over the course of many months.

With the right security controls, such as conducting regular reviews of user accounts and monitoring privileged user account activity, TJX would have spotted the rogue accounts and could have taken swift action to avoid the loss of millions of customer records. But then again, we wouldn’t be having the Customer Appreciation sale, would we?
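To make the two controls named above concrete, here is an added example (written for this post, not code from TJX or from the lawsuit) of what a periodic privileged-account review and a privileged-activity monitor look like in practice. The account names, the audit-log lines, the 10.0.0.0/8 internal range, the 07:00–19:00 change window and the 1 GiB transfer threshold are all constructed assumptions; the point is that an account that is privileged but not on the approved list, that logs in at 2 a.m., and that moves tens of gigabytes to an external address would surface on the very first review.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed data: the set of privileged accounts signed off at the last
# access review, and a current snapshot pulled from the transaction servers.
# Rows are (username, is_admin, created_on, last_login). All names are hypothetical.
APPROVED_ADMINS = {"dba_ops", "sysadmin1", "backup_svc"}

CURRENT_ACCOUNTS = [
    ("dba_ops",     True,  "2004-03-01", "2005-09-14"),
    ("sysadmin1",   True,  "2003-11-20", "2005-09-15"),
    ("backup_svc",  True,  "2004-06-10", "2005-09-15"),
    ("svc_report2", True,  "2005-07-18", "2005-09-14"),  # admin nobody approved
    ("cashier_app", False, "2004-01-05", "2005-09-15"),
    ("temp_user",   False, "2005-08-30", "2005-09-15"),
]

# Constructed audit log: one event per line, ISO timestamp then key=value pairs.
AUDIT_LOG = """\
2005-09-14T02:13:07 host=tx-srv01 user=svc_report2 event=login src=10.0.5.77
2005-09-14T02:15:41 host=tx-srv01 user=svc_report2 event=transfer bytes=21474836480 dst=203.0.113.9
2005-09-14T09:02:10 host=tx-srv01 user=dba_ops event=login src=10.0.1.12
2005-09-14T09:30:00 host=tx-srv01 user=dba_ops event=transfer bytes=52428800 dst=10.0.1.50
2005-09-15T01:58:22 host=tx-srv01 user=svc_report2 event=transfer bytes=32212254720 dst=203.0.113.9
"""

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def find_unapproved_admins(accounts, approved):
    """Account review control: privileged accounts that no reviewer signed off on."""
    return sorted(u for u, is_admin, *_ in accounts if is_admin and u not in approved)


def accounts_created_after(accounts, cutoff):
    """Account review control: anything created since the last review date."""
    return sorted(u for u, _, created, _ in accounts if created > cutoff)


def admin_accounts(accounts):
    return {u for u, is_admin, *_ in accounts if is_admin}


def parse_audit_log(text):
    """Turn the key=value log format into a list of dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def flag_privileged_activity(events, admins, window=(7, 19), exfil_bytes=1 << 30):
    """Monitoring control: off-hours admin logins and large external transfers by admins."""
    alerts = []
    outbound = defaultdict(int)  # bytes sent to external addresses, per admin
    for ev in events:
        user = ev.get("user")
        if user not in admins:
            continue
        hour = ev["ts"].hour
        if ev.get("event") == "login" and not (window[0] <= hour < window[1]):
            alerts.append(f"off-hours admin login: {user} at {ev['ts'].isoformat()} from {ev.get('src')}")
        if ev.get("event") == "transfer" and not is_internal(ev["dst"]):
            outbound[user] += int(ev["bytes"])
    for user, total in sorted(outbound.items()):
        if total > exfil_bytes:
            alerts.append(f"large external transfer by admin {user}: {total} bytes")
    return alerts


if __name__ == "__main__":
    print("Unapproved admins:", find_unapproved_admins(CURRENT_ACCOUNTS, APPROVED_ADMINS))
    print("Created since last review:", accounts_created_after(CURRENT_ACCOUNTS, "2005-06-30"))
    for alert in flag_privileged_activity(parse_audit_log(AUDIT_LOG), admin_accounts(CURRENT_ACCOUNTS)):
        print("ALERT:", alert)
```

Both checks are cheap to run on a schedule: the account diff needs only the last signed-off list, and the activity rules need only login and transfer events that most servers already log. The transfer rule sums per account rather than alerting per event, so a slow drain split across many smaller copies is still caught once the total crosses the threshold.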