funsec mailing list archives
TJX Assents to Audits Of Data-Security System
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Fri, 28 Mar 2008 09:54:00 -0400
In a press release, TJX, of Framingham, Mass., said it disagreed with the allegations in the FTC complaint, noting that prior to the breach, the company's data security "was similar to that of many major retailers."

http://online.wsj.com/article/SB120664225435369131.html?mod=todays_us_marketplace

TJX Assents to Audits Of Data-Security System
By JOSEPH PEREIRA
March 28, 2008

TJX <http://online.wsj.com/quotes/main.html?type=djn&symbol=tjx> Cos., which last year disclosed a major data-security breach, agreed to have its systems that safeguard customers' credit-card data audited every other year for the next two decades under a settlement with the Federal Trade Commission.

The FTC said the discount retailer failed to take "readily available security measures" to protect its customers' data, allowing an intruder to gain access to tens of millions of credit cards and the personal information of 455,000 consumers.

"Banks have claimed that tens of millions of dollars in fraudulent charges have been made on the cards and millions of cards have been cancelled and reissued," the FTC said.

Financial penalties aren't part of the agreement. The FTC has yet to receive authority from Congress to assess fines, despite multiple petitions.

The agency chastised the retailer for not encrypting the data, establishing firewalls, using complex passwords or regularly updating antivirus software to make it difficult for hackers to steal customers' financial data.

The required audits will cover "everything from the electronic storage of the data to password protections to the file cabinets in which some of the paperwork may be stored making sure that the data is secure," said Joel Winston, the FTC's director for privacy and identity protection.

In a press release, TJX, of Framingham, Mass., said it disagreed with the allegations in the FTC complaint, noting that prior to the breach, the company's data security "was similar to that of many major retailers." The company added that it has spent millions of dollars to further strengthen its systems security.

"Complying with a government audit is not a trivial exercise," said Avivah Litan, security analyst for Gartner Inc. "It's a lot of red tape and having to fill out lots and lots of forms."

In addition to the FTC-required audit, TJX also has agreed to conduct another audit of its security systems every year under terms of a separate agreement with a network of credit-card associations that includes Visa Inc. and MasterCard.

TJX disclosed in January 2007 that hackers broke into its computer network and stole at least 45.7 million cards. The number of cards affected by the data theft was later estimated at more than 100 million in court filings by banks that sued TJX.

The company still faces probes by the attorneys general of 39 states, including Massachusetts, which is leading the investigation. The retailer also is under investigation by the Secret Service for possible criminal misconduct.

Separately, Reed Elsevier's Lexis Nexis unit agreed to a similar settlement with the FTC. The company said in 2005 its database systems were hacked. Passwords were taken in that case.

Write to Joseph Pereira at joe.pereira () wsj com
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.