This story appeared on Network World at http://www.networkworld.com/columnists/2007/012207-bradner.html
TJX security lapse: Willfully and with malice of forethought?
By Scott Bradner, Network World, 01/22/07
If leading newspapers are to be believed, TJX Companies is trying for the record for the number of stolen credit cards. Both the Wall Street Journal and The New York Times reported that the number of card numbers exposed or stolen in the December 2006 break-in at TJXŐs data center may exceed the 40 million card numbers exposed by the 2005 breach at CardSystems Solutions. (See "The winner so far: CardSystems Solutions".)
TJX issued a press release stating it had been victimized but it now appears that one of the perpetrators of this crime was the company itself.
In late 2004 the payment card industry (PCI), which includes debit and credit card issuers, laid out a set of PCI Security Standards that, as of June, had to be met by anyone handling credit card numbers electronically.
Revised standards went into effect this month. These standards, both old and new, are quite comprehensive and are a good model of how any high-value corporate information should be protected. Some of the rules are easy to implement and some are hard, such as rule 1.4: ŇProhibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files)." This rule means, for example, that you cannot have a public Web server that stores credit card numbers on its own disks (or on a shared file system).
According to The Wall Street Journal, TJX was not compliant with the PCI Security Standards. There are a number of different parties involved in the credit/debit card business. First there is the bank that issues the card. Then there is the merchant where you use the card to buy something, and there is the merchantŐs bank that acquires the money for the merchant (known as the acquiring bank). Sometimes there also is a clearinghouse that helps the processing. Under PCI rules, acquiring banks are responsible for ensuring that their merchants are meeting the security standard.
There appear to be three crooks -- of commission or omission -- in this case. Clearly the person or persons who broke into the TJX system would likely be a crook of commission. But there are two other crooks of omission and they are just as liable in my opinion. Fifth Third Bank, TJXŐs acquiring bank, and TJX itself failed to ensure that TJX met the security standards.
At best, this episode will be expensive for TJX -- if it turns out that the 40 million number is right, the cost to TJX will be $7.2billion (if a potentially self-serving survey by PGP is right). It would have been much less expensive to just meet the standards in the first place.
What I want to know is why one of the far too many lawyers out there does not launch a class-action suit against both Fifth Third Bank and TJX. It appears that both of them willfully and with malice aforethought decided to not require (in the case of the bank) or implement (in the case of TJX) the required security standards. If it costs the average person just 10 hours to deal with cleaning up after a stolen card, that would be another $7 billion in real costs plus punitive damages based on the U.S. average wage. Maybe a result such as this would wake up the 69% of merchants who are not yet compliant.
Disclaimer: Even for Harvard, $14 billion would be quite a wake-up call. But the university has not expressed an opinion on these crimes of omission.