Canadian Government: TJX Ignored Security Needs; So Do Other Retailers, Says 60 Minutes
NEW YORK -- Detailed reports from the Canadian government and the popular CBS television news program '60 Minutes' have put the details of retail card security back in the spotlight, just in time for this year's holiday season.
The news program aired a segment on retailer card-security vulnerabilities on Nov. 25. During the segment a reporter sat with a computer security expert in a van outside several major retail outlets while he demonstrated how, with nothing more than a laptop computer and freely available software, he could break into the computer systems of many of those outlets, all of which were handling customer credit card information.
The story also contrasted the two security protocols used on retail wireless networks, Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). It suggested that WEP can be defeated easily even though it is apparently still in wide use among retailers; the flaw is in WEP's design (its reuse of RC4 keystream under short initialization vectors), so a longer key only delays an attacker rather than stopping one. WPA is much harder to defeat but has not been widely deployed because of the added hardware and software cost.
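The practical first step for a retailer reading the above is to find out which of its own access points are still on WEP or are open. The following is an added example, not code from the article, the 60 Minutes segment or TJX, that classifies each network in a wireless scan by its security type and flags the ones that fail. The scan text is a constructed sample laid out like the output of `iwlist <iface> scan` (hypothetical SSIDs and locally administered MAC addresses; not a real capture), and the rule it applies is the standard heuristic: encryption on with no WPA/RSN information element means legacy WEP.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample modelled on `iwlist <iface> scan` output.
# SSIDs and BSSIDs are hypothetical; this is not a real capture.
SAMPLE_SCAN = """\
Cell 01 - Address: 02:00:00:00:00:01
          ESSID:"store-pos-legacy"
          Encryption key:on
Cell 02 - Address: 02:00:00:00:00:02
          ESSID:"store-corp"
          Encryption key:on
          IE: IEEE 802.11i/WPA2 Version 1
              Group Cipher : CCMP
              Pairwise Ciphers (1) : CCMP
              Authentication Suites (1) : PSK
Cell 03 - Address: 02:00:00:00:00:03
          ESSID:"store-guest"
          Encryption key:off
Cell 04 - Address: 02:00:00:00:00:04
          ESSID:"store-scanner"
          Encryption key:on
          IE: WPA Version 1
              Group Cipher : TKIP
              Pairwise Ciphers (1) : TKIP
"""


@dataclass
class Cell:
    bssid: str
    essid: str = ""
    enc: str = "off"          # value of the "Encryption key:" line
    ies: List[str] = field(default_factory=list)  # WPA/RSN info elements plus their cipher lines


def parse_scan(text: str) -> List[Cell]:
    """Split iwlist-style scan text into one Cell per access point."""
    cells: List[Cell] = []
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Cell \d+ - Address: ([0-9A-Fa-f:]{17})", line)
        if m:
            current = Cell(bssid=m.group(1))
            cells.append(current)
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("ESSID:"):
            current.essid = s[len("ESSID:"):].strip('"')
        elif s.startswith("Encryption key:"):
            current.enc = s.split(":", 1)[1]
        elif s.startswith("IE:"):
            current.ies.append(s[3:].strip())
        elif "Cipher" in s and current.ies:
            # Cipher lines belong to the preceding information element.
            current.ies[-1] += " " + s
    return cells


def classify(cell: Cell) -> str:
    """OPEN, WEP, WPA or WPA2, using the standard iwlist heuristic."""
    if cell.enc == "off":
        return "OPEN"
    ies = " ".join(cell.ies)
    if "WPA2" in ies or "802.11i" in ies:
        return "WPA2"
    if "WPA" in ies:
        return "WPA"
    # Encryption is on but no WPA/RSN element was advertised: legacy WEP.
    return "WEP"


def audit(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each ESSID to (security type, verdict).

    FAIL: open or WEP, neither of which protects cardholder data.
    WARN: WPA version 1 or TKIP-only, acceptable only as a stopgap.
    PASS: WPA2 with CCMP.
    """
    report: Dict[str, Tuple[str, str]] = {}
    for cell in parse_scan(text):
        sec = classify(cell)
        ies = " ".join(cell.ies)
        if sec in ("OPEN", "WEP"):
            verdict = "FAIL"
        elif sec == "WPA" or ("TKIP" in ies and "CCMP" not in ies):
            verdict = "WARN"
        else:
            verdict = "PASS"
        report[cell.essid] = (sec, verdict)
    return report


if __name__ == "__main__":
    for essid, (sec, verdict) in audit(SAMPLE_SCAN).items():
        print(f"{verdict:4} {sec:5} {essid}")
```

Run it against a real scan of networks you are authorized to assess by piping `iwlist <iface> scan` output into `audit`. The heuristic is deliberately conservative: anything the parser cannot attribute to a WPA or RSN element is reported as WEP, so a false FAIL gets a second look rather than a broken access point slipping through. Newer tools such as `iw dev <iface> scan` print a different layout and need their own parser.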
The story also touched upon the TJX card breach, first made public in mid-December 2006 and of great concern to the credit unions that took card losses from it, as an example of how badly card security can be handled.
The story discussed a recent report from Jennifer Stoddard, the Privacy Commissioner of Canada, who took TJX to task more quickly than U.S. regulators have. The late-September report, which received scant attention in the U.S., vigorously criticized TJX for its handling of card security in advance of the breach.
"TJX relied on a weak encryption protocol and failed to convert to a stronger encryption standard within a reasonable period of time. The breach occurred in July 2005, conversion [to a stronger standard] began in October 2005, and the pilot project was completed in January 2007," the report stated.
Stoddard also noted that while TJX was taking steps to move to a more secure information security protocol, it did nothing to protect the card data it already had from being hacked.
"TJX had a duty to monitor its systems vigorously. If adequate monitoring of security threats was in place, then TJX should have been aware of an intrusion prior to December 2006," Stoddard said. "In our view, the risk of a breach was foreseeable based on the amount of sensitive personal information retained and the fact that the organization issuing industry standards had identified the weakness of WEP encryption. Information should have been segregated and the systems better monitored."
Stoddard's report was silent as to why exactly TJX was so slow to make the necessary changes to its security protocols, but the 60 Minutes segment quoted from internal TJX emails which suggested that the costs of making the change were the primary reasons the retailer was dragging its feet. Moreover, the emails suggested the leadership of the company was being warned by junior executives that the old security technology left the firm extremely vulnerable to possible breaches.
The 60 Minutes story did note TJX's defense that the company had in place the same security protocols as the rest of the retail industry, and the Canadian report acknowledged as much. The report also pointed out, however, that other retailers were upgrading.
"We note that there were organizations that converted to WPA due to risk analyses of their business needs, and were ahead of the curve in ensuring that their customers' personal information was adequately safeguarded. However, whether or not other retailers made the move to enhance their data by using better encryption methods, the fact of the matter is that TJX was the organization subject to the breach," Stoddard reported.
Since then, TJX has said it no longer stores the same volume of cardholder data and that it is completing the upgrade to a more secure wireless protocol, one that complies with the card industry's data security standard (PCI DSS).
The 60 Minutes segment spotlighted retailer awareness of the security issues in question, yet much remains to be done to protect card data. Interestingly, a National Retail Federation spokesman appearing on the program suggested that the real fault for card security breaches rests with the card brands and issuers that "forced" retailers to hold onto cardholder data for at least some time to handle chargebacks.