Friday, December 20, 2013

Data Security Breaches - Again

The hot story today is the data security breach at Target, which is being investigated by the Secret Service.  They think data on as many as 40 million credit and debit card accounts may have been stolen.

Really makes you reconsider carrying cash, doesn't it?

What annoys me the most is that this isn't the first time.  Does anyone but me remember the stolen data from TJX Corp. (parent of T J Maxx and Marshalls) in 2006??

I was still working at a major bank in the email support group, which means I was professionally interested in (1) data security, and (2) network security.  And the TJX breach was so egregious that I read it up in detail in the IT press.  To quote from on the subject:
Cyber-thieves using a telescoping wireless antenna to intercept payment information may be responsible for the "biggest data breach ever," investigators theorize. 
The Wall Street Journal reported that hackers in St. Paul, Minnesota, parked outside a Marshalls' department store and used the antenna to decode data between hand-held payment scanners, enabling them to break into parent company TJX's database and make off with credit and debit card records of nearly 47 million customers.
If you ever wondered why everyone yells at you to set a password on your wireless router:  well, this is why.  We don't use the word "wardriving" much any more but it was a serious issue back in the middle Oughts. It still is an issue for anyone whose wireless home router isn't secured.

Not totally clear from the quote is the fact that the thieves were able to do this because TJX subsidiaries were transmitting data directly from Point-Of-Sale (POS) devices to their banks over unencrypted wireless links.  The ABC News article I linked does mention the TJX case on the last page but doesn't go into detail.  The TJX breach was discovered in December 2006 but I haven't seen a clear estimate of when they think the break-in happened; it may have gone as far back as 2003.  The tally of affected accounts eventually went over 90 million.

In the Target case it has to be the POS system that's compromised because purchases on the web site are not affected.  As Pete Seeger wrote in 1955, "When will they ever learn?"  And don't think that 40 million compromised accounts is the end of the story; it's the first estimate.

So check those credit card statements every month, folks.  The big merchants aren't necessarily looking out for you.

No comments:

Post a Comment