IDS Emergencymanagement
Protecting Data Requires Constant Vigilance
March 30, 2007

Opinion: CIOs should learn a lesson from the TJX hack: Don't assume data is safe from intrusion even if it's encrypted.       

The hack attack on the TJX computer systems was sophisticated, spectacularly successful and thwarted the security and encryption systems that were in place at the time of the crime. That's my opinion on the attack following the reading of an SEC filing that, for the first time, provided some detail of how at least some of the information regarding nearly 46 million credit card users was put at risk over an 18-month period.

The full filing can be found here. The customer information breach has been well covered by eWEEK's Evan Schuman, but details of the breach have been lacking as government investigators and private firms hired by the company to review its security procedures have tried to unravel just what happened. The section of the filing under the title of Computer Intrusion provides additional detail about how, during a lengthy period from an apparent initial intrusion in July 2005 until December 2006, a computer intruder had extensively penetrated the company's systems.

In the filing the company states, "On December 18, 2006, we learned of suspicious software on our computer systems. We immediately initiated an investigation, and the next day, General Dynamics Corporation and International Business Machines Corporation, leading computer security and incident response firms, were engaged to assist in the investigation. They determined on December 21, 2006, that there was strong reason to believe that our computer systems had been intruded upon and that an Intruder remained on our computer systems."

Why do I think the hacker was a pro? Three reasons. One is the length of the intrusion. Eighteen months is a long time to have illegal access.

Two, the intruder (or intruders) did a good job of covering his (or her, or their) tracks as indicated by this statement from the filing, "In addition, the technology used by the Intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006. Given the scale and geographic scope of our business and computer systems and the time frames involved in the Computer Intrusion, our investigation has required a substantial period of time to date and is not completed. We are continuing to try to identify information stolen in the Computer Intrusion through our investigation, but, other than the information provided below, we believe that we may never be able to identify much of the information believed stolen."
