Saturday, January 20, 2007

TJX named as point-of-compromise in International data breach - millions of people at risk!

Data breaches are happening at an alarming rate. Until some meaningful action is taken to address them, such as following already established principles (data and PCI security compliance), we're probably going to see them continue.

Reuters is reporting (courtesy of the Washington Post):

TJX said the breach involves the computer network that handles credit card, debit card, check and return transactions at its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States and Puerto Rico; and its Winners and HomeSense stores in Canada.

It said the intrusion could also affect customers at stores in the United Kingdom and Ireland, and its Bob's Stores in the United States.
Reuters story, here.

This time not only credit and debit-card information was compromised, but check and all the personal information gathered when someone makes a refund might have been exposed, also.

The breach - reported to have been discovered in December - was kept quiet at the request of law enforcement.

The company has set up hot-lines, which are 866-484-6978 in the United States, 866-903-1408 in Canada and 0800-77-90-15 in the U.K. and Ireland. I called one of them and they didn't seem to be able to answer much, but told me if I wanted more information to go their website, here.

The problem in these large data breaches at merchants (TJX isn't the only one) is that too much personal and financial information is being maintained in databases, which aren't protected properly.

The Privacy Right's Clearinghouse maintains ample evidence of this, here.

The Payment Card Industry has already established data security standards, which aren't being followed in a lot of cases. Visa did a press release announcing that they are offering financial aid to Level 1 and Level 2 merchants. There is also mention that fines will be increased for merchants who fail to comply.

Unfortunately, even Visa states that compliance for Level 1 merchants is at 36 percent and 15 percent for Level 2 merchants.

Although, I commend the action by Visa, I fear fining non-compliant entities might not be enough.

Tech Web's "Dark Reading," has an excellent essay on the need to become more proactive, here.

In their essay, they state:
One recommendation is that Congress pass a law that compels organizations to protect sensitive information rather than one that simply determines when and how customers will be notified after the fact. There's been a consensus in Congress that standards are needed to safeguard personal information, but there's been a lack of unanimity in the details of how this should be done, says, Liz Gasster, acting executive director and general counsel for the Cyber Security Industry Alliance. "It was a real letdown for the citizens of this country that legislators weren't able to overcome their differences last year and pass a law," she says, adding that one big sticking point was Congress not wanting IT security improvements to create additional costs for industries operating in their constituencies.
Maybe with a new Congress, we'll see some "forward thinking" on this issue? After all, it's their responsibility to represent the people, who are having their personal and financial information compromised.

It would also be nice to see more funding to go after the criminals behind this growing problem. After all - the companies being breached aren't the source of this issue.

And besides enacting legislating and prosecuting the criminals doing this, we have the matter of "trust" and "consumer confidence" to consider. These are two "key" business principles that fuel economies. Failure to do something now; might lead to some unfortunate consequences, later.

If you would like to learn more about payment card compliance and data security, here's a site I recommend:

PCI and Data Security Compliance

Here's a previous post, I wrote on this subject:

With all the data breaches - something needs to be done!

No comments: