The exposure of 45.7 million credit and debit card numbers in the TJX data theft should serve as a wakeup call to retailers who risk losing money and credibility when they fail to protect sensitive customer data, say officials at the PCI Security Standards Council.
Responding to customer concerns and fighting off lawsuits both take up much of a company’s resources after data breaches, notes Seana Pitt, chairperson of the council, which was founded by credit card companies and oversees the Payment Card Industry Data Security Standard (PCI DSS) that took effect in 2005.
“It’s definitely another wakeup call for the industry to get going,” Pitt says. “Anytime these things happen from the store level up to senior management, you get into this firefighting mode that takes the company’s eye off the business of really delivering service to customers and ultimately revenue.”
Data thefts “really hurt these companies in ways they can’t even imagine,” says Bob Russo, the council’s general manager. “It would be so much easier just to comply [with PCI DSS].”
TJX, a Massachusetts-based retailer that operates T.J. Maxx, Marshalls and other stores, said in January that hackers had broken into its computer network, compromising customer credit card information. TJX revealed the magnitude of the crime yesterday in financial reports that say at least 45.6 million credit and debit card numbers were stolen in 2005 and another 130,000 last year.
The fact that hackers were able to access such a huge amount of data indicates that TJX either failed to encrypt or truncate card numbers, or did not secure the encryption keys that decrypt the scrambled card data, says Nigel Tranter, a PCI auditor with PSC.
“It is unlikely given the number [of exposed credit cards] that they were in that form because then the breach would not have occurred. The hackers could have gotten in but wouldn’t have gotten anything useful,” says Tranter, who did not have direct knowledge of the TJX incident. “You just can’t store data in clear text form anymore under any circumstances. There’s just no excuse for doing that.”
TJX says it encrypted some card data. But TJX believes hackers had access to the decryption tool, the Boston Globe reported.
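A defensive illustration of the point Tranter makes, added here as an example and not code from the article or from any of the companies named: the scanner flags card numbers held in clear text (a digit-pattern match confirmed by the Luhn check), and the truncation routine keeps only the first six and last four digits, so a record stored that way stays useless even if, as in the TJX case, an attacker obtains the decryption tool. The sample record and its test card number are constructed.

```python
import re

# Constructed sample record containing a clear-text card number.
# 4111111111111111 is a well-known test number, not a real account.
SAMPLE_RECORD = "txn=88213 store=0412 pan=4111111111111111 amt=39.99 auth=OK"

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_clear_text_pans(text: str) -> list:
    """Return the card numbers found in clear text in `text` (digits only, Luhn-valid)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def truncate_pan(pan: str) -> str:
    """Render a PAN unreadable for storage: keep the first six and last four digits only."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_record(text: str) -> str:
    """Replace every clear-text PAN in `text` with its truncated form; other digits are untouched."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return truncate_pan(digits)
        return m.group()
    return PAN_CANDIDATE.sub(repl, text)
```

Running `find_clear_text_pans` over stored transaction records is a quick check for the clear-text storage Tranter describes; `redact_record` shows the form in which the same record could have been kept without relying on any key.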
To comply with PCI DSS, companies must be audited annually and be scanned for external vulnerabilities by third-party auditors at least once a quarter, according to Tranter.
Comments (5)
Hilarious - in a way?
By tuomoks on September 8, 2008, 2:22 am
Really, blaming the technology and especially mainframes is kind of hilarious and sad at the same time! Really, already in the '70s all our customer information was...
Debt Consolidation
By Anonymous on September 8, 2008, 1:38 am
Paying up to a year's rent in advance goes against my principles, and can be financially crippling for tenants. - http://www.creditworld.com.au/debtconsolidation.html
Did I miss something?
By Anonymous on April 20, 2007, 9:35 pm
Where has it been published that the data was on a mainframe? In fact I do believe that the recent compromises have all involved non-mainframe systems. Encryption...
What?
By Anonymous on April 20, 2007, 9:13 pm
The guy has no clue. As the first responder stated, IBM mainframes have had the ability to encrypt data for a long time. The company I work for is attempting...
A dangerous assertion on mainframe data security
By Anonymous on April 20, 2007, 2:19 am
"Encrypting data on a mainframe is difficult, for example." No, it's not. This assertion is factually incorrect and even dangerous. Of all the recent security...