On the surface, it looks like we actually made some improvements in protecting private data in 2007. According to the Privacy Rights Clearinghouse, the number of publicly disclosed data breaches actually decreased, from 346 incidents in 2006 to 310 in 2007. Unfortunately, there are still more clouds than sunshine. In 2007, the 310 data breach incidents resulted in a total of 162 million records exposed, more than three times as many as in 2006 (when there were about 50 million).
Here's another frightening data point: Five of the 10 biggest data breaches occurred in 2007, including the record setter. Massachusetts-based TJX now holds the dubious honor of the largest data breach of all time: a whopping 94 million records were exposed!
As we fade into the twilight of the first decade of the 21st century, information security progress continues to move one step forward and then two steps back. The worst news of all is that this isn't a technology issue. It really comes down to negligence, ignorance, poor processes, and general laziness. To paraphrase security guru Bruce Schneier, "People remain the weakest link in the security chain."
I am an eternal optimist by nature, but I continue to believe that the state of information security is far worse than the general public knows. I don't expect much improvement with data breaches in 2008 and wouldn't be at all surprised to see another doozy. With the way things are, the TJX incident could look like a sophomoric hack by year's end.
I just finished watching Leslie Stahl do a piece called "Hi-Tech Heist" on 60 Minutes in which she describes the theft of credit card and other personal information from TJX. These are a couple of quick Defensive Computing thoughts on the subject.
I can't imagine using a credit card at T.J. Maxx, Marshalls, Bob's Stores or any of the other stores owned by TJX. In the 60 Minutes piece, the focus was on the poor Wi-Fi security and keeping sensitive customer information for much too long. But, after the hackers got into the Wi-Fi network, they were able to get to the master database of customer information, meaning that there were many other security problems along the way.
And, as was mentioned in the story, the bad guys poked around the internal TJX computers for about a year and a half without getting noticed. The word inexcusable doesn't begin to describe the many security problems. Unless I hear that TJX has laid off the people responsible for computer security, they will never see a credit card of mine again.
The story ends on a happy note: TJX has upgraded all their Wi-Fi to use the newer, better type of encryption known as WPA. But this is far from the end of the story. It may not be well known, but WPA encryption can be good or bad.
Because WPA is vulnerable to a brute-force attack, the crucial point is the length of the password. A short password, or a word in the dictionary, offers no better security than the much maligned WEP encryption. But a really loooooooooong password is very secure. WPA supports passwords up to 63 characters long. You can think of it as a "pass sentence" rather than a password.
The WPA password only needs to be entered once on each computer, so there is no excuse not to use a long password. If you can't think of one yourself, then Steve Gibson has a Web page that will generate long passwords.
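As an added example (not code from the original post), here is a defender-side passphrase policy check that turns the point above into something a router administrator can run: it enforces WPA's 8-to-63-character ASCII limit, flags passphrases built on a dictionary word, and estimates the brute-force search space so a short word and a long "pass sentence" can be compared. The wordlist is a constructed stand-in; a real deployment would load a full cracking dictionary.

```python
import math
import re

# WPA/WPA2 Personal (PSK) accepts an ASCII passphrase of 8 to 63 characters.
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63

# Constructed mini wordlist standing in for a real cracking dictionary.
COMMON_WORDS = {"password", "maxx", "marshalls", "letmein", "wireless", "tjx"}


def charset_size(passphrase: str) -> int:
    """Size of the character classes actually used in the passphrase."""
    size = 0
    if re.search(r"[a-z]", passphrase):
        size += 26
    if re.search(r"[A-Z]", passphrase):
        size += 26
    if re.search(r"[0-9]", passphrase):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", passphrase):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(passphrase: str) -> float:
    """Search space in bits, log2(charset ** length), if no dictionary shortcut applies."""
    size = charset_size(passphrase)
    return len(passphrase) * math.log2(size) if size else 0.0


def assess_wpa_passphrase(passphrase: str) -> dict:
    """Policy check for a WPA-PSK passphrase: length, charset, dictionary, search space."""
    problems = []
    if not WPA_MIN_LEN <= len(passphrase) <= WPA_MAX_LEN:
        problems.append(f"length must be {WPA_MIN_LEN}-{WPA_MAX_LEN} characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII is allowed")
    # A dictionary word with digits or symbols tacked on the end is what offline
    # crackers try first, so its real strength is the wordlist size, not the charset math.
    stripped = re.sub(r"[0-9!@#$%^&*]+$", "", passphrase.lower())
    if stripped in COMMON_WORDS:
        problems.append("based on a dictionary word")
    bits = brute_force_bits(passphrase)
    if bits < 60:
        problems.append("search space too small for a long-lived network key")
    return {"bits": round(bits, 1), "acceptable": not problems, "problems": problems}
```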
The WPA encryption may also be turned off if a WEP-using computer joins the network. Many consumer grade routers can do either WEP or WPA but not both at the same time.
Finally, if WEP is still being used at retailers, as the story pointed out, then online purchases may very well be more secure than brick and mortar.
Update: Robert Vamosi of CNET wrote an interesting story on this in his Security Watch column: "What's behind retail data breaches."
Update November 25: A reader comment mentioned WPA-PSK and WPA2 Enterprise. Let me explain the terms. The simplest way of using WPA encryption involves a single password for the entire network. It is entered once when configuring the router and once at each computer accessing the wireless network. This mode of operation is called "Pre-Shared Key" or "PSK" or "Personal" and is what I was referring to.
Companies with the necessary technical skill can use WPA in such a way that each user gets his or her own password. The software that validates the passwords is a RADIUS server. This mode of operation has multiple names: an old Belkin router calls it simply "WPA with Radius Server", and it has also been called "WPA Enterprise" and "server-based infrastructure mode".
Editors' note: This blog initially misstated the number of years of credit monitoring that TJX is offering in the proposed settlement. It is offering three years, or two additional years if the customer is already signed up for a credit monitoring service.
The TJX Companies announced on Friday a yet-to-be-finalized settlement for several class action suits resulting from various data breaches over the last few years.
TJX, which operates such discount retail chains as T.J. Maxx and Marshalls in the U.S. and Winners and HomeSense stores in Canada, is offering claimants three years of credit monitoring (or two additional years if the customer already has a credit monitoring service), credit insurance for up to $20,000 in losses, and the cost of replacing driver's licenses. A second group will receive one or two $30 vouchers good at any TJX-owned store.
Additionally, all T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico and all Winners and HomeSense stores in Canada will hold a three-day customer appreciation sale sometime in 2008 in which merchandise will be reduced by 15 percent.
In a press release (PDF) associated with the settlement announcement, Carol Meyrowitz, chief executive of the TJX Companies, said, "We deeply regret any inconvenience our customers may have experienced as a result of the criminal attack on our computer system."
In March, TJX said that up to 45.7 million customers may have had their credit information compromised. It is believed to be the largest data security breach ever.
Recently, Neal Krawetz of Hacker Factor released a report (PDF) citing various vulnerabilities in how large retail chains, including TJX, collect and store customer credit card information. You can read more about Krawetz's findings here or hear a podcast interview with him here.
Yesterday's Boston Globe reports a link between a 24-year-old Ukrainian and the data breach at TJX Companies. The United States Secret Service arrested Maksym Yastremskiy on July 26 outside a nightclub in the beach resort town of Kemer, Turkey. It is unclear whether he is the mastermind behind the theft of more than 45 million TJX credit card accounts stolen over a two-year period.
Yastremskiy's arrest was first reported in The Wall Street Journal two weeks ago, although he was not linked to TJX until now. The Wall Street Journal report says a sealed indictment filed in U.S. federal court charges him with trafficking in stolen credit cards and identity theft, and suggests that the recent arrest of others by French police may have aided U.S. investigators. Yastremskiy allegedly sold batches of TJX-linked credit cards online for as little as $20 per card.
U.S. authorities are now seeking extradition of Yastremskiy from Turkey.