Credit cards of 45 million TK Maxx customers compromised

The TK Maxx data breach, originally announced by parent company TJX in January 2007, has taken a fresh turn as it emerged yesterday that the data thieves stole records containing transaction details of more than 45 million cards, including transactions at TK Maxx stores in the UK and Ireland. According to the company, this information could have been unencrypted, and thus unprotected. It is thought to be the largest data breach of its kind worldwide.

Hundreds of thousands of consumers are waking up today to find out that by buying that innocent pair of jeans a year ago, they may have fallen foul of the world’s biggest computer hack.

The retailer said the intruder first accessed its systems in July 2005 and on subsequent dates in 2005 and from mid-May last year to mid-January this year. No customer data was stolen after December 18 last year (Scotland Yard and the Information Commissioner's Office were informed after the theft was discovered in December), but it begs the question – how was the hacker allowed to retain access to sensitive data for so long without being detected? How was such an obviously organised and well prepared criminal not on SOCA’s radar, especially as a great deal of credit card fraud is used to finance organised crime?

Tom Newton, product manager at SmoothWall, suggests that while TK Maxx should bear the brunt of the responsibility for not ensuring its security policies were robust enough to identify and block the intruder, perhaps the security agencies should have done more to identify the malicious parties involved.

He said: “Following the broadside from the Corporate IT Forum back in January, and this week’s defence at the E-crime Congress in London, one must ask exactly what SOCA is doing to advise and protect businesses against e-crime. TK Maxx is a high-profile target and to be a victim for almost 18 months suggests that the hacker really knew their stuff – if that is not a serious crime then what is?”

“SOCA’s remit is to work with leading security experts and UK business to ensure that e-crime is eradicated. While I applaud its efforts in what is an ever-evolving and difficult market, bolder steps need to be taken to identify and stop these criminals. Why stop with credit card details? If the hacker gets the taste for success, he or she will move on to bigger, more high-profile targets like government or public service systems. What effects will that have on the public?”

“The UK has made great strides in stopping these activities, but the authorities simply do not have the resources to cope with today’s level of e-crime. The onus is on therefore on businesses to secure their own futures with a multi layered approach to protect systems from the latest virus and security threats. TK Maxx may have learnt its lesson, but without legislation to penalise businesses for poor security practice such as this, it will happen again and again.”

Jamie Cowper at PGP Corporation commented: "This is a frightening illustration that when retailer systems are hacked - even if it occurs on the other side of the world - the card details of customers in every country are at risk because of the way companies share and store information globally."

"With standards such as the Payment Card Industry Data Security Standard (PCI DSS) coming into force in June 2007, retailers such as TJX will have to safeguard its customers' card information - or face losing their credit card facilities altogether. Security technologies such as encryption can greatly simplify the process of protecting information - but the recent spate of data breaches in the news suggests that many companies are still a long way off being compliant with this and other data protection standards."

Greg Day, McAfee security analyst, said: "Today's full declaration by TJX is a graphic example of how a breach in information security can impact both a business and its customers. The announcement today is however just the tip of the iceberg, as organisations across the globe continue to evaluate and look to implement security policy to protect against external and internal threat."

According to reports, customers of TK Maxx have already had card details used in fraudulent circumstances. Understandably many consumers, and not just those who shop at TK Maxx, will be concerned about their cards being compromised in the future.

Unfortunately, standard network security solutions may no longer be sufficient to block advanced hackers. Mike Smart, European Product Manager, Secure Computing commented: "The visibility of this type of attack further strengthens the need for wider reaching preventive technology. We find that 80% of confidential data is typically undetectable by 90% of firewalls used by most companies. As a result, sensitive data can leak from the organisation without their knowledge. Especially with the rise of real time unencrypted communications, such as instant messaging and web mail - hacking into a corporate network and extracting data unnoticed is easy. This attack demonstrates that standard network security solutions are no longer sufficient to cope with the capabilities of today's hacker. All solutions employed need to be looking for application based protection and not network based. Those days are sadly, long gone."

Alex Raistrick, Director Northern Europe, ConSentry Networks added : “Even though the specific cause of TK Maxx’s problems has not been made clear at this stage, it’s a no-brainer that many security breaches are a result of the wrong people gaining access to sensitive information. Large companies like TK Maxx clearly need to implement better identity based controls to defend sensitive information. The most effective approach is to allow only appropriate and authorised users access to this kind of data, by creating a full usage log, which gives a trail of activity to prevent a breach of security as seen on this scale. Retail organisations need wake up and have more of a focus on user-based authentication controls, as the fewer people that have access to sensitive personal content, the better."

A solution could be found with behavioural based anti-malware software. Pete Baxter, General Manager, EMEA for Sana Security: "Anti-virus software often doesn't spot a malware threat or hack immediately, and as a result, the damage is being done within seconds. Behavioural based anti-malware software recognises any non-typical activity on the network and stops it dead before it can go any further. Security savvy retail organisations are increasingly turning to behaviour-based solutions to protect their customers' details. I'm confident we'll see an uptake in the coming months following high-profile cases such as this."

Read more here