funsec mailing list archives

TJX Assents to Audits Of Data-Security System


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Fri, 28 Mar 2008 09:54:00 -0400

In a press release, TJX, of Framingham, Mass., said it disagreed with the
allegations in the FTC complaint, noting that prior to the breach, the
company's data security "was similar to that of many major retailers."

 

http://online.wsj.com/article/SB120664225435369131.html?mod=todays_us_marketplace

 


TJX Assents to Audits Of Data-Security System


By JOSEPH PEREIRA
March 28, 2008

TJX Cos.,
which last year disclosed a major data-security breach, agreed to have its
systems that safeguard customers' credit-card data audited every other year
for the next two decades under a settlement with the Federal Trade
Commission.

The FTC said the discount retailer failed to take "readily available
security measures" to protect its customers' data, allowing an intruder to
gain access to tens of millions of credit cards and the personal information
of 455,000 consumers.

"Banks have claimed that tens of millions of dollars in fraudulent charges
have been made on the cards and millions of cards have been cancelled and
reissued," the FTC said.

Financial penalties aren't part of the agreement. The FTC has yet to receive
authority from Congress to assess fines, despite multiple petitions.

The agency chastised the retailer for not encrypting the data, establishing
firewalls, using complex passwords or regularly updating antivirus software
to make it difficult for hackers to steal customers' financial data.

The required audits will cover "everything from the electronic storage of
the data to password protections to the file cabinets in which some of the
paperwork may be stored making sure that the data is secure," said Joel
Winston, the FTC's director for privacy and identity protection.

In a press release, TJX, of Framingham, Mass., said it disagreed with the
allegations in the FTC complaint, noting that prior to the breach, the
company's data security "was similar to that of many major retailers." The
company added that it has spent millions of dollars to further strengthen
its systems security.

"Complying with a government audit is not a trivial exercise," said Avivah
Litan, security analyst for Gartner Inc. "It's a lot of red tape and having
to fill out lots and lots of forms."

In addition to the FTC-required audit, TJX also has agreed to conduct
another audit of its security systems every year under terms of a separate
agreement with a network of credit-card associations that includes Visa Inc.
and MasterCard.

TJX disclosed in January 2007 that hackers broke into its computer network
and stole at least 45.7 million cards. The number of cards affected by the
data theft was later estimated at more than 100 million in court filings by
banks that sued TJX.

The company still faces probes by the attorneys general of 39 states,
including Massachusetts, which is leading the investigation. The retailer
also is under investigation by the Secret Service for possible criminal
misconduct.

Separately, Reed Elsevier's Lexis Nexis unit agreed to a similar settlement
with the FTC. The company said in 2005 its database systems were hacked.
Passwords were taken in that case.

Write to Joseph Pereira at joe.pereira () wsj com

 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
