Top IT execs could take heat for TJX breach

Experts say senior IT executives at TJX are most likely on the hot seat today after the retail giant revealed Wednesday a massive computer security breach.

No one wants to be Paul Butka today.

The TJX Cos., the retail giant for which Butka is CIO, revealed Wednesday that an "unauthorized intrusion" into its transaction management systems could expose hundreds of thousands of its customers to credit card fraud and identity theft.

It's possible no one will be fired. But speculation is at a fever pitch, and industry insiders who know about corporate embarrassment -- and reactions to it -- say that when top brass starts swinging the proverbial ax, they're most likely to drop it on senior IT executives.

"More than likely, there will be a sacrificial lamb," said security analyst Pete Lindstrom of Burton Group Inc. in Midvale, Utah. "I would expect it to be the CIO or a senior-level CISO to be let go."

But that doesn't necessarily mean any single person was at fault.

"Now, it's possible, there will be some sort of investigation that finds that this couldn't have been stopped. And it's really hard to tell. They may never know how that stuff got in."

If TJX decides against firing anyone, said Jack Phillips, a managing partner at the Boston-based Institute for Applied Network Security, it means senior corporate executives will decide the correct systems, software and procedures were in place -- and agree that even the best systems, and best CIOs, do not come with 100% guarantees.

Given the scope and size of TJX, the company was probably about as secure as any retail company could be, Phillips said.

Still, TJX officials must factor consumer confidence into any decision they make. The stakes are high. "Someone has to take the fall for it," Phillips said. "This would have to escalate to the highest-level technology person."

The Framingham, Mass.-based retail company operates 2,000 stores around the world, including T.J. Maxx, Marshalls, HomeGoods and Bob's Stores. TJX didn't offer details of how the attacker breached its systems and declined to estimate how many customers may have been affected by the data breach. In a press release, TJX said it had hired General Dynamics Corp. in Falls Church, Va., and IBM to strengthen the security of its computer systems.

"Since discovering this crime, we have been working diligently to further protect our customers and strengthen the security of our computer systems, and we believe customers should feel safe shopping at our stores," said Ben Cammarata, chairman and acting CEO of TJX in a statement issued yesterday and posted on the company's Web page.

TJX said it discovered the breach in mid-December, but the company put off an announcement of the crime while it worked with law enforcement agencies to investigate it.

The company has identified a limited number of customers whose private information was stolen and is notifying them directly. TJX officials said they do not know if they will be able to identify the names of other customers who are at risk.

In a press release issued yesterday, TJX said the attacker accessed a system that manages customer transactions and returns for its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada. The systems that process transactions for its T.K. Maxx stores in the U.K. and Ireland and its Bob's Stores in the U.S. may also have been compromised, according to the release.

According to the Privacy Rights Clearinghouse, a San Diego-based privacy rights advocacy group, the TJX breach is the 10th data security breach disclosed this month in the U.S. Since the organization started tracking data breaches in February 2005, more than 100 million records of U.S. residents have been exposed.

"This is certainly a comment about the threat environment. The sophistication of the bad guy is on the rise," Phillips said. "A strong security posture can still be beaten. So there is that void, that middle ground between a reasonable security posture and a very intelligent hacker."

If Butka or another top-ranking IT executive takes heat for the TJX breach, it won't set a precedent. The resignation of Pedro Cadenas Jr., chief information security officer (CISO) and acting CIO at the U.S. Department of Veterans Affairs, is the most recent example of an IT executive taking the fall for security lapses.

Experts say the CIO is often the first executive to be taken to task for any IT security violation, even though security problems generally involve a number of departments.

According to Phillips, the problem at many companies is executives don't know whom to blame because they haven't assigned responsibility for risk.

Still, Phillips said despite the flap over the incident, it only highlights what we already know -- data is always compromised.

"It will seem to the public as though the sky is falling," he said, "but in terms of sheer numbers, it's still a blip on the radar."

Shamus McGillicuddy and Linda Tucci contributed to this article.