
Top IT execs could take heat for TJX breach

By Kate Evans-Correia, News Director
18 Jan 2007 | SearchCIO.com


No one wants to be Paul Butka today.

The TJX Cos., the retail giant for which Butka is CIO, revealed Wednesday that an "unauthorized intrusion" into its transaction management systems could expose hundreds of thousands of its customers to credit card fraud and identity theft.

It's possible no one will be fired. But speculation is at fever pitch, and industry insiders who know about corporate embarrassment -- and reactions to it -- say that when top brass starts swinging the proverbial ax, they're most likely to drop it on senior IT executives.

"More than likely, there will be a sacrificial lamb," said security analyst Pete Lindstrom of Burton Group Inc. in Midvale, Utah. "I would expect it to be the CIO or a senior-level CISO to be let go."

But that doesn't necessarily mean any single person was at fault.

"Now, it's possible, there will be some sort of investigation that finds that this couldn't have been stopped. And it's really hard to tell. They may never know how that stuff got in."

If TJX decides against firing anyone, said Jack Phillips, a managing partner at the Boston-based Institute for Applied Network Security, it means senior corporate executives will decide the correct systems, software and procedures were in place -- and agree that even the best systems, and best CIOs, do not come with 100% guarantees.

Given the scope and size of TJX, the company was probably about as secure as any retail company could be, Phillips said.

Still, TJX officials must factor consumer confidence into any decision they make. The stakes are high. "Someone has to take the fall for it," Phillips said. "This would have to escalate to the highest-level technology person."

The Framingham, Mass.-based retail company operates 2,000 stores around the world, including T.J. Maxx, Marshalls, HomeGoods and Bob's Stores. TJX didn't offer details of how the attacker breached its systems and declined to estimate how many customers may have been affected by the data breach. In a press release, TJX said it had hired General Dynamics Corp. in Falls Church, Va., and IBM to strengthen the security of its computer systems.

"Since discovering this crime, we have been working diligently to further protect our customers and strengthen the security of our computer systems, and we believe customers should feel safe shopping at our stores," said Ben Cammarata, chairman and acting CEO of TJX in a statement issued yesterday and posted on the company's Web page.

TJX said it discovered the breach in mid-December, but the company put off an announcement of the crime while it worked with law enforcement agencies to investigate it.

The company has identified a limited number of customers whose private information was stolen and is notifying them directly. TJX officials said they do not know if they will be able to identify the names of other customers who are at risk.

Protecting from the inside out

Data breaches will continue to be a problem until companies realize a strong perimeter isn't enough.

"What they call best practices tend to really focus on the perimeter," said Neil Weicher, CTO at NetLib Encryptionizer, a Stamford, Conn.-based vendor of data encryption software. "The DBAs [database administrators], if something happens, the DBA can really legitimately say, 'I was just following best practices.' Right now the focus is on how to keep people from the data. What people need to focus on is what happens when people get to that data."

Weicher said companies need to use technology like encryption to ensure that data is unusable when criminals reach it. He compares this approach to the banking industry practice of putting exploding red dye packets in bags of money.

"They have the perimeter protection," he said. "They have vaults, silent alarms, armed guards. But they still put red dye in the bags because they know that at some point someone is going to get to it. People need to start protecting data in the same way, because you are never going to get to the point where people can't get to it."

-- Shamus McGillicuddy

In a press release issued yesterday, TJX said the attacker accessed a system that manages customer transactions and returns for its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada. The systems that process transactions for its T.K. Maxx stores in the U.K. and Ireland and its Bob's Stores in the U.S. may also have been compromised, according to the release.

According to the Privacy Rights Clearinghouse, a San Diego-based privacy rights advocacy group, the TJX breach is the 10th data security breach disclosed this month in the U.S. Since the organization started tracking data breaches in February 2005, more than 100 million records of U.S. residents have been exposed.

"This is certainly a comment about the threat environment. The sophistication of the bad guy is on the rise," Phillips said. "A strong security posture can still be beaten. So there is that void, that middle ground between a reasonable security posture and a very intelligent hacker."

If Butka or another top-ranking IT executive takes heat for the TJX breach, it won't set a precedent. The recent resignation of Pedro Cadenas Jr., chief information security officer (CISO) and acting CIO at the U.S. Department of Veterans Affairs, is the most recent example of an IT exec taking the fall for security snafus.

Experts say the CIO is often the first executive to be called to task for any IT security violation, despite the fact that problems with security generally involve a number of departments.

According to Phillips, the problem at many companies is executives don't know whom to blame because they haven't assigned responsibility for risk.

Still, Phillips said that despite the flap over the incident, it only highlights what we already know -- data is always compromised.

"It will seem to the public as though the sky is falling," he said, "but in terms of sheer numbers, it's still a blip on the radar."

Shamus McGillicuddy and Linda Tucci contributed to this article.
