TJX Breach Details Revealed
Attorneys suing retailer TJX have added to their original
complaint, relying on newly discovered details regarding the company’s widely
reported security breach.
In a news story in E-Week, it was revealed that TJX failed to
comply with nine of 12 applicable PCI requirements and that the data thief
managed to walk away with 80 gigabytes of data on TJX customers.
Other revelations:
- Many of the TJX violations were "high-level
deficiencies," according to a TJX consultant.
- In May 2006, a traffic capture/sniffer program was
installed on the TJX network by the data thief, and remained undetected for seven
months.
- TJX knew of the security problems as early as 2004 but
took no action.
- The data breach affected more than 100 million credit and
debit card account numbers.
- Visa and MasterCard have fined TJX. Visa said it issued
"a substantial fine" in connection with the TJX data breach, but the amounts
of the fines were not disclosed.
Among the security issues at TJX:
- An improperly configured wireless network;
- Failure to isolate cardholder data devices from the rest
of network traffic;
- Failure to properly manage the systems used to store,
process and transmit cardholder data;
- Storing prohibited cardholder data;
- Using usernames and passwords "that were easy to
penetrate"; and
- Weak or non-existent security software and systems.
The most damning allegation in the new court filings is the
charge that TJX knew about the security
problems and failed to disclose or remedy those problems, conduct which might
increase the company’s liability under the law.