Given the scope and magnitude of the theft of TJX’s customers’ credit card numbers, it’s no surprise there are many recent articles about encryption of customer data. Some of the best articles I’ve read about this issue have been at eWeek.
The TJX matter remains under investigation, but there’s some information we do know from an SEC filing. First, TJX transmitted unencrypted credit card data from point-of-sale to card issuers. Second, TJX’s protocols were loose enough that the intruder(s) apparently had TJX’s key(s). Third, this theft occurred over a long period of time.
Here’s what we still don’t know. We don’t yet know what method of encryption TJX used, but some forms like shared-key are much more vulnerable than others. We don’t know if this was a matter of sloppy protocols. How and where did TJX store keys? This is akin to keeping a house key under a door mat or flower pot: there are places burglars know to look for such things, so it’s a stupid idea to store stuff where people first look.
We also don’t know if it was even an intrusion yet. We don’t know if this was an inside job at TJX (someone was able to put what’s for all intents and purposes a worm on their servers to capture data transmitted between TJX and the card companies) or, if TJX used public-private keys, if someone with legitimate access to a certificate server was involved. And we don’t know if the two sources of theft (via unencrypted transmission, via having TJX’s key) are related.
I suspect, though, that it wasn’t an inside job — the scope of the theft is so extensive and it occurred so long that someone working on the inside would have to be pretty brazen to think it would go undetected. That would mean TJX has a significant liability issue because their policies and procedures exposed their customers to fraud.
The most troubling issue to me right now, based on what we do know, is how this was able to occur over what’s now believed to be an 18 month period. Companies should have audit and review measures in place consistent with and concomitant to the size of their businesses to protect their customers. It now appears TJX — a large multi-national retailer, not a mom and pop shop — had no audits of their processing systems or encryption protocols in that time.
TJX isn’t taking responsibility. From their SEC filing:
We rely on commercially available systems, software, tools and monitoring to provide security for processing, transmission and storage of confidential customer information, such as payment card and personal information. We believe that the intruder had access to the decryption algorithm for the encryption software we utilize,” the statement read. “The systems currently used for transmission and approval of payment card transactions, and the technology utilized in payment cards themselves, all of which can put payment-card data at risk, are determined and controlled by the payment-card industry, not by us.
It seems they want to pass the buck when it appears they had few if any safeguards — strict encryption protocols, routine auditing of changes to code on their servers (to detect things like code inserted to steal credit card information before it’s encrypted) — in place to protect their own customers. That’s inexcusable.