There is absolutely no excuse whatsoever for TJX to EVER be in possession of customers credit card numbers, much less be storing them. None! The transactions of people buying goods in their stores should pass through for authorization with the merchant account bank at point-of-sale and never be in the possession of the store. Put the company management in jail and throw away the key.

TJX has the misfortune of being the proud owner of a data breach so large that it just couldn't be covered up, brushed-off or explained-away. Sheer size (and not particular incompetence) gave them away.

"TJX (is guilty) of employing fuzzy math in an attempt to contain the damage". Really? Well they're not real good at the fuzzy math thing either, are they?

The main accomplishment of SB1386-type laws is this: When a credit-card-using company suffers an intrusion (and, contrary to what you might think, most of them do) they now spend gobs of money on 'consultants' and waste hundreds of man-hours to prove that, in fact, the intruders did not get to any sensitive, customer data.

As an alternative to doing a little root-cause analysis and fixing the problem it appears to be working. Except for poor TJX and a few other, equally unlucky companies of course.

Just after the Exxon-Valdiz spill I recall seeing a mock interview with the CEO of Exxon where a suitably earnest "reporter" demanded to know what Exxon was doing about the ecological disaster they had unleashed upon the Arctic.

"Oh, we are taking this extremely seriously I assure you. We are currently in the process of spending millions of dollars on marketing and consultants to try and rectify the damage"

Wouldn't it have been cheaper for TJX to hire a good information / security person responsible to prevent this. Maybe not - I see this all over, sorry, it seems that companies never learn AND this comes of a long ( 30 ) years in systems business. Is it really too expensive to hire people who know what to do ?

The fundamental problem here is that the card authentication systems all have the same problem - security depends on static information like PINs, knowuing expiry dates, printed numbers on the back of cards and so on. It relies on every retailer having cast-iron security systems and is just wide open to snooping and fraud. The chip-and-pin sticking plaster system is hardly any more secure than the old signature-based system.

Until such time as the finance industry realises this and moves to a system that uses some form of one time password system, then all systems suffer from what is essentially a replay attack. Biometric identification systems also suffer from this if the reading is taken remotely (who knows if that fingerprint scan was spoofed or not?). Of course people won't want to carry around separate one-time password systems for each bank account, credit and debit card they carry, but if the finance industry got their heads together then it is surely possible to come up with a common device that can be used for authentication on multiple accounts.

I've no doubt there are a lot of technical and organisational difficulties here (for example, trusted third party authentication systems). No doubt there will be privacy concerns too for what amounts to a personal identification systems. I've also no doubt that some aspects of this can be broken, but if it is difficult enough then it just won't be cost-effective for the crooks.

In the meantime one extremely easy anti-fraud measure could be taken - that's to give credit, debit and electronic banking customers the option to be notified by SMS or email of every transaction as it happens. In fact it could be tied into the authentication systems which are inherently real-time. It won't stop the fraudulent transaction, but the use of a compromised card's detail would no doubt be picked up quicker than currently. I know - I've just been through this experience myself and if I'd had a notification of every card authentication attempt I would have picked it up much earlier.

Incidentally, none of this means retailers don't need to take proper care of personal data - they do. There's plenty of EU legislation on the matter. However, when you have a system that is fundamentally flawed as our current authentication systems then breaches will happen - guaranteed.

Or automatically send second pin via SMS to pre-registered phone during transaction after authentication with known pin. Fraudster would have to have the right phone as well as card and pin.

Should work?

I agree with the first comment, why were they storing all those details? Once a transaction is complete, they only need to store the transaction ID and the auth code for it. They certainly don't need to be storing the full card number and other details.

I guess the mobile phone companies would love it. I guess it would work, and it would enhance the authentication mechanism. However, the downside of putting something like that into the actual authentication path is that it could be plagued by delays, poor reception, flat batteries, forgotten phones and so on. Imagine the queues at the checkout whilst somebody waited for their second SMS pin to come through. You'd need some form of way of dealing with those situations.

The advantage of the notification system is that I think it would be remarkably simple and cheap to implement and wouldn't delay the authentication. If you did the notification via SMS and somebody did spot something dodgy then it would be very easy to allow the card owner to reply with a suspect transaction message. It won't eliminate frauds, but they could be identified much quicker and the perpetrators might realise they are in grave danger of being identified much quicker.

Ultimately I'd still like to see the one time password identification scheme (that's until some bright spark in Government grabs the idea for ID cards). Lots of people are used to one-time passwords for signing onto their company systems.

Simple solution to all credit card fraud was thought of over 10 years ago and patented. SImply, store set of unique numbers on the credit card and each time used press a button to display a unique processing code for that transaction. Code would be confirmed by bank, same way as current CVC/Security code but would be a unique code to that transaction. US Patent 5627355A1 covers basic outline and was filed in May 1997 (Banks currently promoting a handheld terminal to put your card into to achieve same goal) Physical Credit Card sized Products that could achieve this simple process have been available on the market for over 4 years. This simple solution could reduce 90%+ of all fraud and if in place the TK Maxx theft would not have been as serious. Could they have claims for a counter lawsuit on the basis that the banks had not utilised all means necessary to protect them if a problem did occur?

"Wouldn't it have been cheaper for TJX to hire a good information / security person responsible to prevent this......."

Perhaps they did.. but like so most companies probably ignored what he said. I would like to think I'm a good security person and the biggest problem is Management buy-in, especially when everbody is fighting for the same pot of resources.

This is how the average Execs mind works.-

Marketing make pretty adverts and bring in customers, (alledgely) and hence revenue.

Security keeping saying that we should do things in a particular way, and justs costs money. And hey! we didn't get attacked last year so we must be safe.

Where do you think the resources get allocated?

By the way there are many reasons to store payment card numbers, recurring payments, online profiles etc. It's permitted by the Payment card industry (e.g VISA, Mastercard, AMEX) but it is now mandatory to be compliant with the PCI DSS. This dictates how PAN numbers can be stored safetly (encryopted, limited access etc) CVC/CVV/CV2 or pin numbers cannot be stored.

Earlier this year, Ontario, Canada's Information Privacy Commissioner, Dr Ann Cavoukian, reported on the theft of a laptop replete with individually identifiable data on patients at Canada's leading children's hospital.

While her solution was data encryption, her analysis has broader application.

The fact of the matter is that healthcare and the information technology that supports electronic health records and the like cannot claim to have in place or even in plan patient-identity protections adequate in the face of opportunistic, pandemic-scope identity-related crime, such as occurred with TJX.

The Commissioner urged all Ontario hospitals and anyone collecting personal health information not to store it electronically if patient identities can't be protected.

It therefore follows, doesn't it, that "Ontario hospitals and anyone collecting personal health information" should not be storing it electronically?

What do people think?