
i-net blog

May 16, 2007

TJX\TKMax Credit Card Details Update

Filed under: i-net blog — Mark @ 10:14 pm

I see that TJX have taken a $12 million charge to cover the costs to “investigate and contain the intrusion, enhance computer security and systems, and communicate with customers, as well as technical, legal, and other fees.”

According to some reports this is actually nowhere near the total cost, which is estimated at some $25 million once provisions have been made for all the lawsuits that are coming round the corner from various banks and individuals.

Now the initial breach seems to have been tracked back to an insecure wifi setup at one of their stores in Minnesota. Investigators told The Wall Street Journal they believe the thieves aimed a telescope-shaped antenna at the store and used a laptop to snatch data transmitted between hand-held price-checking devices, cash registers and the store’s computers. The exploit eventually led them into the central database of Framingham-based TJX, where they would repeatedly rob the system of sensitive customer data.

Seeing as the company has been so lax in its approach to securing customer data and adhering to some pretty basic security principles etc., they deserve everything that comes their way. This is not just a case of making a simple mistake, but gross incompetence.

April 3, 2007

TJX\TKMax Credit Card theft

Filed under: i-net blog — Mark @ 8:53 pm

Wow, so much has been in the press the last couple of days about this theft of some 45.7 million people’s credit card details from a database held by a US-based company called TJX.

Now 45.7 million is a hell of a lot of credit cards, but I have to ask what the press has been doing for the last 3 months. TJX actually announced this on the 17th of January and it has taken this long for the national press to think about pressing the “We’re all doomed!” button.

http://www.boston.com/business/globe/articles/2007/01/18/tjx_credit_data_stolen_wide_impact_feared/

For those of us in Europe TJX is better known as TKMax and is used by lots of people. So should we be concerned? Absolutely!

Apart from the inept press, it does raise some really serious issues about large corporations and the controls that are placed on their management of data and information security.

  • First of all they shouldn’t have been storing most of this data. I believe that both Visa and Mastercard say that this type of data should only be stored long enough to carry out the transaction. Now there was data stolen going back to December 2002… A pretty long transaction. What the hell were they doing with this data?
  • So there was a security breach… It does happen, but for this to have been going on right under their noses for 16 months and for no one to notice until recently is just plain bad in every sense of the word. Not only did TJX have a hole in their security somewhere, but they seem to have had no audit trail of who was accessing this information and why… Controls, controls, controls…

Does this come under Messrs Sarbanes and Oxley? Could we have a CEO going under the guillotine because of the ineptitude of his IT and Finance people? I doubt it…

So TJX have some serious problems to sort out, but who is supposed to be monitoring these companies and making sure this type of thing cannot happen?

The only good news to report from this sorry mess is that the US authorities have arrested 6 people after they spent some $8m, with another 4 people on Florida’s most wanted list…

http://www.siliconrepublic.com/news/news.nv?storyid=single8054

February 16, 2007

Image Based Spam

Filed under: i-net blog — Mark @ 4:39 pm

I was reading an article about the rise of image-based spam. Now I have seen various statistics from different anti-spam companies saying that the amount of spam email compared to the total number of emails is anywhere between 66% and 90% of the total. I had seen 91% quoted as well. I suppose, looking at the amount of email sitting in my junk and spam folders, I would think the lower 66% more likely, although it is still a hell of a lot of spam. It does make me think what these companies class as spam, but that is for another post.

What really intrigued me in the article was the fact that image-based spam now comprises 25% of the total spam problem, up from 5% a year ago, and that the average size of a spam mail has risen from 9KB to 13KB.

Now I can hear lots of people saying “so what!”. Well, if 60% of your inbound email is spam and you don’t manage your spam correctly, then this is a lot of resources (bandwidth, storage and productivity) wasted on junk email. The fact that image spam is on the rise means that even more of the bandwidth and storage resources will be wasted.

So why are these evil spammers turning to image-based spam? The answer is easy: to keep one step ahead of the anti-spam companies. Traditional anti-spam methods just searched text, so HTML or image-based spam would bypass the anti-spam filters. So the anti-spam brigade added OCR and other image scanning services to allow them to catch image-based spam.

Naturally enough the spammers have adapted and now have added background patterns etc. to fool OCR and other image-based anti-spam services. It is of course the ever-changing nature of information security that the good guys are almost always playing catch-up.
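As an added illustration (not part of the original post), here is a small Python heuristic that looks at the structural feature image spam relies on: a message whose readable text is almost empty while an embedded image carries the actual pitch. The threshold values and the two sample messages are constructed for this example and are not a published standard.

```python
# Added example: flag messages whose bytes are mostly image with almost no
# readable text, the shape of the image-based spam described above.
import email
import re
from email import policy
from email.message import EmailMessage


def visible_text(msg: EmailMessage) -> str:
    """Collect the text a reader would see from text/plain and text/html parts."""
    chunks = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            chunks.append(part.get_content())
        elif ctype == "text/html":
            # crude tag strip, enough to measure how much text is actually visible
            chunks.append(re.sub(r"<[^>]+>", " ", part.get_content()))
    return " ".join(chunks)


def image_spam_score(raw: bytes) -> dict:
    """Return the features a filter would weigh plus a verdict.

    Heuristic (an assumption of this example): suspicious when the message
    carries at least one image, fewer than 20 readable words, and the image
    bytes dwarf the text, leaving a text-only filter nothing to match on.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    image_parts, image_bytes = 0, 0
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            image_parts += 1
            image_bytes += len(part.get_payload(decode=True) or b"")
    words = len(re.findall(r"\w+", visible_text(msg)))
    suspicious = image_parts > 0 and words < 20 and image_bytes > 50 * max(words, 1)
    return {"image_parts": image_parts, "image_bytes": image_bytes,
            "words": words, "image_spam": suspicious}


def build_sample(image_only: bool) -> bytes:
    """Constructed messages: an image-only pitch versus an ordinary note."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.invalid", "you@example.invalid"
    if image_only:
        msg["Subject"] = "hi"
        msg.set_content("")
        msg.add_alternative('<html><body><img src="cid:pic1"></body></html>', subtype="html")
        # fake GIF payload, constructed; real image spam embeds the sales pitch here
        msg.get_payload()[1].add_related(b"GIF89a" + b"\x00" * 4000,
                                         maintype="image", subtype="gif", cid="<pic1>")
    else:
        msg["Subject"] = "Meeting notes"
        msg.set_content("Hi Mark, attached are the notes from today's meeting. "
                        "Let me know if you want to discuss any of the action points.")
    return msg.as_bytes()
```

Run `image_spam_score(build_sample(True))` and `image_spam_score(build_sample(False))` to compare the two verdicts; the point is that the check works on message structure, so it is not beaten by the background patterns that defeat OCR, though it will also want tuning for legitimate picture-only mails such as scanned faxes.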

So what can you do? I have seen it suggested that you should set up your mail servers to only accept mail from your white list, i.e. only accept mail from certain mail domains. Of course for the majority of companies this wouldn’t be acceptable, so what can you do?

Well, for goodness sake, don’t do nothing. Make sure you have a good anti-spam service, whether it is hosted externally or part of your infrastructure. Don’t just depend on a free or cheap service that only looks for text-based keywords or denies emails from domains on a spam database.

Now I’m off to take advantage of that offer I received in my email this morning, an extra couple of inches…

February 13, 2007

Microsoft February Security Updates

Filed under: i-net blog — Mark @ 6:08 am

Well, it’s almost that time of the month again, when everyone with an MS server or desktop needs to pay attention to the latest security email from Microsoft and start testing the patches when they are issued. I see that this time the advance notification has 12 security updates with the obligatory “some may be critical”. It always bugs me that they say there will be x number and some may be critical. Why not just issue the patches and be damned with advance notification? Nowadays you are almost guaranteed that some will be critical. Of course you could always bypass the testing and just download and install automatically like most home & SME users will.

And let’s wait for the avalanche of “is Linux\Apple more secure” headlines. Anybody that subscribes to the CERT and UNIRAS (or whatever it is called now) alerts will know that the various -ux implementations and Apple all have their fair share of vulnerabilities; it’s just that no one out there really cares enough to put too much effort into taking advantage of them.


i-net multimedia limited © 2004 - 2010