Inside Job? TJX cost of breach estimated at $1.6 billion

April 12th, 2007

By Martin Hack del.icio.us Digg this

Over the last couple of days there have been rumors whether the massive breach at TJX might have been an “inside-job”. This is probably fueled by the fact that the attacker apparently had access to the crypto keys within TJX’s data center. Whether it was an inside-job or not, doesn’t really matter at this point.

Protegrity a leader in the Enterprise Encryption and Data Security Management space, estimates the total cost of the breach roughly $1.6 billion. That equates to about $37 per customer record. Protegrity arrives at this number by using their own “Return on Data Security Calculator”. It considers things like Cost of Detection, Customer Remediation, Corporate Remediation, Down Time, Brand Impact and Cost of Fraudulent Use of Data.

The PCI Vendor Alliance

Protegrity is also one of they founding members of the PCI Security Vendor Alliance. (Background on PCI DSS). Of all the regulatory requirements like SOX, HIPAA, PCI DSS might be the one with the most explicit security requirements. Though PCI DSS hasn’t been around for that long it’s requires all merchants, financial institutions, card processors and other organizations to comply with PCI DSS within a given time frame.

Protect Card Holder Data

One of the prime concerns with the standard is requirement number 3: “Protect Stored Cardholder Data”. And sure enough, the breach at TJX was exactly around that. “What surprised me the most about the TJX breach that they didn’t have any software that detects whatever trojan software that was installed on their systems. Even if the attacker was able to get a hold of a encryption key, what happened to key rotation and management? Also, at one point someone found TJX to be compliant, it begs the question whether the auditors were looking for these kind of requirements, said David Taylor, VP Data Security Strategies at Protegrity.

It remains to be seen what kind of sanctions and impact the TJX breach will have on the company. According to Taylor, “right now the PCI requirements don’t have the same type of enforcements like the ones that FASB (Financial Accounting Standards Board) is already using.”

Just as a reminder, CardSystems, who was until now leading the chart with 40 million stolen credit cards was practically forced out of business and subsequently acquired by Pay by Touch in 2005.


Enter your email address to get Hack Report news via email:


3 Comments

  1. Comment by PCI on April 12, 2007 11:55 pm

    You can find more information on PCI at the PCI Answers blog.
    http://pcianswers.com/

  2. Pingback by Star war erotic art on February 28, 2011 2:59 am

    [...] Inside Job? TJX cost of breach estimated at $1.6 billion » Hack 12 Apr 2007. One of the prime concerns with the standard is requirement number 3: “Protect Stored Cardholder Data”. And sure enough, the breach at TJX Inside Job? TJX cost of breach estimated at $1.6 billion » Hack [...]

  3. Pingback by A new type of War… | MI621: Social Media for Managers on March 13, 2013 12:46 pm

    [...] records.  Cyber war is dangerous.  Just ask those trying to protect us. Share this:TwitterFacebookLike this:LikeLoading... [...]

Comments RSS TrackBack Identifier URI

Leave a comment

You must be logged in to post a comment.

Should Security be optional? Anonymous Web Surfing
 
-->