The following text is copyright 2007 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.
TJX: Willfully and with malice aforethought?
By Scott Bradner
If the Wall Street Journal is to be believed, TJX Companies, Inc. (TJX) is trying for the record for the number of stolen credit cards. Both the Journal and the New York Times reported that the number of card numbers exposed or stolen in the December 2006 break-in at a TJX data center may exceed the 40 million card numbers exposed by the 2005 breach at CardSystems Solutions. (See "The winner so far: CardSystems Solutions" - http://www.networkworld.com/columnists/2005/062705bradner.html.) TJX issued a press release in which it claimed it had been victimized, but it now appears that one of the perpetrators of this crime was TJX itself.
In late 2004 the major payment card brands, whose cards include both debit and credit cards, issued the "Payment Card Industry Data Security Standard" (PCI DSS), which, as of last June, had to be met by anyone storing, processing or transmitting card numbers electronically. (http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf) The standard was updated last year (version 1.1) and the revised version went into effect this month. (https://www.pcisecuritystandards.org/tech/index.htm)
These standards, both old and new, are quite comprehensive and would be a good model for how any high-value corporate information should be protected. Some of the requirements are easy to implement and some are quite hard. One of the harder ones might be requirement 1.4: "Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files)." This requirement means, for example, that you cannot have a public web server that stores credit card numbers on its own disks (or on a file system it shares). Anything that keeps card numbers, including the logs and trace files a web application writes without anyone thinking about it, has to sit on a system that the outside world cannot reach directly; the public server talks to it only over a controlled internal path. According to the Wall Street Journal, TJX was not compliant with the PCI Security Standards.
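Requirement 1.4 is the kind of rule that is easy to state and easy to violate quietly, for instance with a "temporary" firewall rule or a web server that logs full card numbers. The following checker is an added example, not code from the column or from TJX or its bank. It models a network as zones, hosts and an ordered first-match firewall rule set, all constructed for illustration, and reports two kinds of violation: a component that stores cardholder data (CHD) but sits in an Internet-facing zone, and a rule that lets traffic from the external zone reach a CHD-storing component directly. The "before" and "after" layouts below are hypothetical.

```python
# Added example (not from the column): a checker for PCI DSS requirement 1.4,
# "prohibit direct public access between external networks and any system
# component that stores cardholder data". Zones, hosts and rules are
# constructed for illustration; rules are evaluated first match wins.
from dataclasses import dataclass

EXTERNAL = "internet"   # the "external network" of requirement 1.4
PUBLIC_ZONES = {"dmz"}  # zones that accept inbound Internet connections
ANY_PORT = 0            # wildcard port in a rule or a probe


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    stores_chd: bool    # keeps card numbers on disk: database, logs, traces


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str       # a host name, or "*" for every host in dst_zone
    port: int           # ANY_PORT matches every port
    action: str         # "allow" or "deny"


def first_match(rules, src_zone, host, port):
    """First rule matching src_zone -> host:port, or None (implicit deny)."""
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == host.zone
                and r.dst_host in ("*", host.name)
                and r.port in (ANY_PORT, port)):
            return r
    return None


def find_violations(hosts, rules):
    """Return findings as strings; an empty list means no direct public
    access to a CHD-storing component was found."""
    findings = []
    # Probe every port that some allow rule opens, plus the wildcard.
    ports = {ANY_PORT} | {r.port for r in rules if r.action == "allow"}
    for h in hosts:
        if not h.stores_chd:
            continue  # requirement 1.4 only cares about components holding CHD
        if h.zone in PUBLIC_ZONES:
            findings.append(f"{h.name}: stores cardholder data in public zone '{h.zone}'")
        for p in sorted(ports):
            r = first_match(rules, EXTERNAL, h, p)
            if r is not None and r.action == "allow":
                findings.append(f"{h.name}: reachable from '{EXTERNAL}' on port {p} via {r}")
    return findings


def is_compliant(hosts, rules):
    return not find_violations(hosts, rules)


def before_network():
    """Constructed 'as found' layout: the public web server keeps card
    numbers in its own logs, and a convenience rule exposes the database."""
    hosts = [
        Host("web1", "dmz", stores_chd=True),       # full PANs written to local logs
        Host("db1", "internal", stores_chd=True),   # the cardholder database
    ]
    rules = [
        Rule(EXTERNAL, "dmz", "*", 443, "allow"),
        Rule(EXTERNAL, "internal", "db1", 1433, "allow"),  # "temporary" remote DBA access
        Rule("dmz", "internal", "db1", 1433, "allow"),
    ]
    return hosts, rules


def after_network():
    """Constructed corrected layout: the web server stores nothing, only the
    web tier may reach the database, and the external zone is denied."""
    hosts = [
        Host("web1", "dmz", stores_chd=False),
        Host("db1", "internal", stores_chd=True),
    ]
    rules = [
        Rule(EXTERNAL, "internal", "*", ANY_PORT, "deny"),  # explicit, ahead of any allow
        Rule(EXTERNAL, "dmz", "web1", 443, "allow"),
        Rule("dmz", "internal", "db1", 1433, "allow"),
    ]
    return hosts, rules


if __name__ == "__main__":
    for label, net in (("before", before_network()), ("after", after_network())):
        print(f"{label}: {'compliant' if is_compliant(*net) else 'VIOLATIONS'}")
        for finding in find_violations(*net):
            print("  -", finding)
```

The "before" layout produces three findings: the web server itself (CHD in a public zone), the web server again (reachable on 443 while holding CHD), and the database (reachable on 1433 through the convenience rule). Note that fixing the firewall alone is not enough; the web server stops being a finding only once it no longer stores card numbers, which is the point of the "for example, databases, logs, trace files" clause.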
There are a number of different parties involved in the credit or debit card business. First there is the "issuing bank" that you deal with to get a card; then there is the "merchant" where you use the card to buy something; then there is the merchant's bank, which collects the money on the merchant's behalf (the "acquiring bank"); and sometimes there is also a clearinghouse or processor that helps with the processing. Under PCI rules, acquiring banks are responsible for ensuring that their merchants meet the security standard.
There appear to be three crooks, crooks of commission or of omission, in this case. Clearly the person or persons who broke into the TJX systems are crooks of commission. But there are two crooks of omission who, in my opinion, are just as liable: Fifth Third Bank, TJX's acquiring bank, and TJX itself both failed to ensure that TJX met the security standards.
At best, this episode will not be cheap for TJX. If the 40 million number is right, the cost to TJX will be about $7.2B, if a potentially self-serving survey sponsored by PGP Corp. is right that a breach costs about $182 per exposed record (http://www.ponemon.org/press/Ponemon_2006%20Data%20Breach%20Cost_FINAL.pdf). It would have been far, far cheaper to just meet the standards in the first place.
What I want to know is why one of the far too many lawyers out there has not launched a class action suit against both Fifth Third Bank and TJX. It appears that both of them willfully and with malice aforethought decided not to require (in the case of the bank) or not to implement (in the case of TJX) the required security standards. If it costs the average person just 10 hours to deal with cleaning up after a stolen card, that would be another $7B in real costs (based on the US average wage), plus punitive damages. Maybe a result like that would wake up the 69% of merchants who are not yet compliant.
disclaimer: Even for Harvard, $14B would be quite a wake-up call, but the university has not expressed an opinion on these crimes of omission.