The impact of computer security breaches is not hypothetical. The financial consequences are real and can be immediate.
The economic cost of unauthorized computer intrusions is illustrated in the first-quarter earnings report posted by TJX Companies.
By way of background, TJX refers to itself as the leading off-price retailer of apparel and home fashions within the United States and globally. TJX operates 830 T.J. Maxx, 763 Marshalls, 271 HomeGoods, 127 A.J. Wright stores, and 35 Bob's Stores in the United States. TJX also states that it operates 185 Winners and 69 HomeSense stores in Canada, as well as 211 T.K. Maxx stores in Europe.
According to its first-quarter earnings report, TJX discovered during the fourth quarter of the prior fiscal year that there had been unauthorized intrusions into portions of its computer systems that process and store information related to credit card, debit card, check, and "unreceipted" merchandise return transactions.
TJX has been investigating the intrusions with the assistance of computer security and incident response experts. Management believes customer information was stolen and that this information primarily relates to portions of transactions at its stores (not including Bob's Stores) from 2003 through part of 2004, and from mid- to late 2006.
The financial upshot is that TJX recorded an after-tax charge of approximately $12 million for costs incurred during the first quarter relating to the intrusions. That's in addition to an after-tax charge of approximately $3 million for costs recorded during the prior fourth quarter.
The charges include costs to investigate and contain the intrusions and to strengthen computer security and systems. They also include costs relating to communications with customers and for technical, legal and other related charges. The company continues to incur costs related to the intrusions, but still cannot estimate a range for its potential exposure. Such costs and losses, it says, could turn out to be material to TJX's results.
Without knowing whether TJX took adequate steps to prevent the intrusions before they occurred, there are still obvious lessons here. Plainly, companies of all types should want to avoid the costs of investigations, customer communications, and technical, legal and monitoring work (not to mention potential exposure for related losses) that arise from computer system breaches.
Thus, companies should educate themselves now, if they have not done so already, as to how best to strengthen their computer security. Breach prevention bears a cost. But that expense pales in comparison to what a company will spend after a breach takes place. Better to be penny-wise than pound-foolish: companies would be smart to take steps on the front end that prevent breaches from ever occurring.
Biography: Eric J. Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual-property disputes. To receive his weekly columns, send an e-mail to ejsinrod@duanemorris.com with "Subscribe" in the subject line. This column is prepared and published for informational purposes only, and it should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.
The government allows cyber terrorists to get electronic arms
You let hackers release information and software at international computer security conferences, and this is the result you get.
Hackers at security conferences are being allowed to release their information and tools to script kiddies and cyber terrorists, under the assumption that the hackers are legitimate "security researchers". The problem is that the information and tools these security researchers think are going to force people to be more secure and more aware of a particular attack vector don't work in reality. What you get in certain areas of corporate America is security breaches like TJX, and no legal action is taken against the original hacker/researcher at the international security conference who aided the script kid and cyber terrorists in carrying out the breach.
These security researchers are supplying the bad guys with guns to do their malicious activity, and no one is stopping them.
If this were arms in the real world, like Iran supplying terrorists with guns to attack America in Iraq, something would be done. But when it's computer hackers at security conferences putting electronic guns into the hands of script kiddies, cyber criminals and cyber terrorists, everyone sits back and lets it happen.
When is cyber terrorism, and the supply of the tools and information cyber terrorists need to carry out these breaches, going to be stopped by heavily restricting the release of tools and information at high-profile international security conferences? Those tools and that information in turn end up being hosted by hundreds of sites across the world for any would-be cyber terrorist to download and launch attacks against the Western economy.
I'm not sure I can go with the idea that information being made public is evil. Do you really believe this problem would go away if the GOVERNMENT started committing CENSORSHIP on these conferences? Or would the cyber terrorists just use "back alley" tactics to spread their information?
Make it all public and force the public to grow up and defend itself. It might be painful at first, but in the end we'll all be better off for it.
Remember Morris' Worm? Maybe it was before your time. Circa 1988?
If it wasn't for communication between System Admins, we'd have been hosed for a lot longer than a couple of days.
You need to have a way to get information about potential breaches out to the admin community.
With respect to TJX, while the author, a lawyer, didn't condemn TJX for lax security measures, reports indicated that they had not implemented any security on their wi-fi networks within the store, and the perpetrators gained information and access through this major security faux pas.
So get real junior. Ignorance is bliss, but it will cost you.
Hackers (the bad kind) have an industry of their own now. Information is traded in secret, money is made, and the corruption grows. In many ways the bad guys are better funded and organized than the commercial security industry. The problem is not that security people are exposing weaknesses - it's not being able to keep black hats from finding them first.
Marcus, you're absolutely right, the Haephratis were a prime example of organized cyber criminals - http://news.bbc.co.uk/1/hi/technology/5313772.stm
Ruth & Michael Haephrati set up a fake solutions company called Target Eye and would send sales CDs to company execs. The CDs contained malware (keyloggers) to capture valuable company information. Others simply use phishing as a method to glean sensitive data: http://www.essentialsecurity.com/news.htm?pagename=Phishing_and_the_Road_to_Recovery
It's nice that you've pointed that out, but the fact remains that most C-level management is NOT going to do what it takes to protect the sensitive personal data that they have on their network (notice that not once do I make any reference to 'secure'). It's the 'but it won't happen to me' attitude that prevails...and when it does, wow, what an effect it has! This kind of thing will continue...perhaps not on the scale of TJX...to the point where you won't see it here anymore because it isn't news.
Well I checked with my banks and two of my card numbers were on the list and I had to get new cards. They still haven't notified me. So how many more weren't notified that "cost" them. Hmmm---interesting.
"The charges include costs to investigate and contain the intrusions, as well as to strengthen computer security and systems. It also includes costs relating to communications with customers and for technical, legal and other related charges. "
The article doesn't state that costs went towards notifying customers, which may explain why they did an inadequate job informing their victimized customers.
You would think that informing those victimized would be the first step and would cost the least amount of money so it does seem rather odd that that was not their first step to recovering from the breach.
When a bank fails to communicate these breaches effectively with their customers, their credibility as a financial organization can go down the toilet and leave the customer feeling that they're also a victim of the bank.
Here's a story where a B of A customer sadly got just that when someone hijacked her account: http://redtape.msnbc.com/2007/05/id_thief_bounce.html
>>>companies should educate themselves now, if they have not done so already, as to how best to strengthen their computer security.<<<
It MUST be done in-house if it's to be done properly.