Over the last couple of days there have been rumors whether the massive breach at TJX might have been an “inside-job”. This is probably fueled by the fact that the attacker apparently had access to the crypto keys within TJX’s data center. Whether it was an inside-job or not, doesn’t really matter at this point.
Protegrity a leader in the Enterprise Encryption and Data Security Management space, estimates the total cost of the breach roughly $1.6 billion. That equates to about $37 per customer record. Protegrity arrives at this number by using their own “Return on Data Security Calculator”. It considers things like Cost of Detection, Customer Remediation, Corporate Remediation, Down Time, Brand Impact and Cost of Fraudulent Use of Data.
The PCI Vendor Alliance
Protegrity is also one of they founding members of the PCI Security Vendor Alliance. (Background on PCI DSS). Of all the regulatory requirements like SOX, HIPAA, PCI DSS might be the one with the most explicit security requirements. Though PCI DSS hasn’t been around for that long it’s requires all merchants, financial institutions, card processors and other organizations to comply with PCI DSS within a given time frame.
Protect Card Holder Data
One of the prime concerns with the standard is requirement number 3: “Protect Stored Cardholder Data”. And sure enough, the breach at TJX was exactly around that. “What surprised me the most about the TJX breach that they didn’t have any software that detects whatever trojan software that was installed on their systems. Even if the attacker was able to get a hold of a encryption key, what happened to key rotation and management? Also, at one point someone found TJX to be compliant, it begs the question whether the auditors were looking for these kind of requirements, said David Taylor, VP Data Security Strategies at Protegrity.
It remains to be seen what kind of sanctions and impact the TJX breach will have on the company. According to Taylor, “right now the PCI requirements don’t have the same type of enforcements like the ones that FASB (Financial Accounting Standards Board) is already using.”
Just as a reminder, CardSystems, who was until now leading the chart with 40 million stolen credit cards was practically forced out of business and subsequently acquired by Pay by Touch in 2005.
Leave a comment
You must be logged in to post a comment.