Remember that TJX Is a Victim

Eight years ago this week news sources buzzed about the Melissa virus. How times change! Vulnerabilities and exposures are being monetized with astonishing efficiency these days. 1999 seems so quaint, doesn't it?

With the release of TJX's 10-K to the SEC, all news sources are discussing the theft of over 45 million credit and debit card numbers from TJX computers. I skimmed the 10-K but didn't find details on the root cause. I hope this information is revealed in one of the lawsuits facing TJX. Information on what happened is the only good that can come from this disaster.

It's important to remember that TJX is a victim, just as its customers are victims. The real bad guys here are the criminals who compromised TJX resources and stole sensitive information. TJX employees may be found guilty of criminal negligence, but that doesn't remove the fact that an unauthorized party attacked TJX and stole sensitive information. Unfortunately I believe the amount of effort directed at apprehending the offenders will be dwarfed by the resources directed at TJX. That will leave those intruders and others like them to continue preying on other weak holders of valuable information.

Update: At least US credit card holders don't have it as bad as our friends in the UK.

Comments

Thomas Ptacek said…
No matter what you do to track down and punish the perpetrators, there will be 1,000 more to take their place.

But almost anything you do to punish TJX is likely to have a lasting impact on them and the rest of the industry.

Perhaps everyone will allocate more resources to security.

Or, perhaps companies will be more risk-averse about deploying interesting new IT systems that increase exposure to protected information.

I can't see how either would be a bad thing.

Let's not waste time trying to unwind Eurasian organized crime syndicates. Our information should be safe whether they exist or not.
Anonymous said…
Sure they are to a certain extent a victim, but part of the responsibility they took on when storing customer information was providing due diligence in protecting it. I have no idea if their security mechanisms were up to snuff or not. But my feeling is that they are about average but just got unlucky. Still, if they end up collapsing under all the lawsuits it may just start to change how these corporations see the value add of implementing sound security.
Anonymous said…
If I borrow your BMW, drive it to a bad part of town, leave it overnight with the keys in the ignition, and it gets stolen, are we both victims of auto theft? Technically, yes, but the more outstanding issue is that you were a victim of my recklessness.
Anonymous said…
Thanks for the nice post!
