TJX - Insecurity Through Stupidity [CARTOON]

March 28, 2007

The news from TJX (parent of the TJMaxx and Marshalls stores) keeps getting worse. Not only were records from 45 million people stolen, the theft apparently went unnoticed for 18 months and was only found by accident.

Pardon my humble drawing skills, but I felt like drawing a cartoon, given the cartoonish nature of their security practices. (Yes I misspelled TJ Maxx).

Apparently the hackers were highly organized and were able to install software onto their transaction systems in order to capture the unencrypted information being sent to the card processor (I would guess by stealing or intercepting the logs which appear to have been left undeleted). There is also a mention of them getting access to whatever system they were using to decrypt the data that was encrypted.

How is it possible that someone can install software on your transaction systems and no one notices it? Did these people have any data security people? Did they routinely hire a security auditing firm to check up on their systems? I can understand home users having no security but this is a 16 billion revenue per year company. "Cmon in ya'll help yourself" is great for a store but not for a data center.

I can understand this a bit more after working at a financial services company; although it didn't really process card transactions (the bank outsourced this), the bank did offer credit and debit cards and that side of the house did have to track them. During my stay, card numbers that did move in the network were finally chopped before transit (for display in the customer portal). However, other personal financial information resided unencrypted in the AS/400 and also moved around into various other systems. There was a great deal of talk about data security, but at the point I left there were still many questions on how to actually implement it. They did, however, spend an inordinate amount of time protecting the PCs against viruses.

I never put my money in the company's investments or the bank.

An interesting comment from a post:

I worked there for three years. During that time it was made clear to me, more than once and by Paul Butka (now CIO), among others, that while TJX was writing policies regarding data security, the policies were not to interfere with the speed of any software rollouts. Repeated suggestions that we hire QA people to test our security were ignored.

This mirrors the kind of thinking I have seen in my previous job. Security is very important, but not as important as business as usual. Maybe now people will take it seriously?

How can you ensure your company won't wind up in the same discussions as TJX? For one thing, security is not an isolated concept; you have to consider it over the entire organization. If your organization touches sensitive customer data, you must not only look at security practices before, during and after development projects, but also hire competent outside security auditors on a regular basis to test everything. It's not rocket science but it is hard work, and not cheap.

I once worked briefly at a university where the web single sign-on system exposed users' passwords in the URL, which no one noticed until I showed up. Another thing they were doing was to expose database ids unencrypted in URLs (and using GET for write operations). The system in question was used by all parts of the university to verify that state money was correctly spent and was a requirement for the university to be paid. With the naked database ids I could sit there in the browser and delete the entire database. Lovely. I tried to convince them to hire an outside auditor to look for other problems, but it was a short contract and after I left I never heard if they did.

Of course the university example was obvious (to me anyway) and easy to fix (I encrypted the ids shown based on the session and rejected non-matching ids, a quick way to fix the problem).
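A sketch of that kind of fix, added here as an example and not the code used at the university: instead of encrypting the id, it swaps in a per-session lookup table of random tokens, which gives the same effect (links never show the raw id, and anything the session was not handed is rejected). The class, handler and sample rows are all hypothetical.

```python
import secrets


class SessionRefMap:
    """Per-session lookup between opaque URL tokens and real database ids."""

    def __init__(self):
        self._token_to_id = {}
        self._id_to_token = {}

    def expose(self, db_id):
        """Return the token to place in a link instead of the raw id."""
        if db_id not in self._id_to_token:
            token = secrets.token_urlsafe(16)  # 128 random bits per token
            self._id_to_token[db_id] = token
            self._token_to_id[token] = db_id
        return self._id_to_token[db_id]

    def resolve(self, token):
        """Return the real id for a token this session was given, else None."""
        return self._token_to_id.get(token)


def handle_delete(refs, method, token, table):
    """Hypothetical request handler; returns an HTTP-style status code."""
    if method != "POST":      # write operations are not accepted over GET
        return 405
    db_id = refs.resolve(token)
    if db_id is None:         # raw id, made-up value, or another session's token
        return 404
    table.pop(db_id, None)
    return 200


def demo():
    table = {101: "grant A", 102: "grant B"}   # constructed sample rows
    alice, bob = SessionRefMap(), SessionRefMap()
    link_token = alice.expose(101)             # this session was shown record 101 only
    return {
        "raw_id": handle_delete(alice, "POST", "102", table),
        "other_session": handle_delete(bob, "POST", link_token, table),
        "get_write": handle_delete(alice, "GET", link_token, table),
        "valid": handle_delete(alice, "POST", link_token, table),
        "remaining": sorted(table),
    }


if __name__ == "__main__":
    print(demo())
```

The map only limits which records a session can name; the handler should still check that the logged-in user is allowed to modify the record it resolves to.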

You look at TJX and it just is amazing to me how this went on for 18 months! Imagine how many other companies may be in the same boat and either don't know it or refuse to tell anyone.

PT Barnum's famous saying (which he apparently never said) was "There's a sucker born every minute...and two to take 'em." Whatever you are, don't be a sucker because there are two hackers out there to take you out.