Saturday, March 31, 2007

TK Maxx security breach comes as no suprise

The security breach at TJX, owners of TK Maxx, which has led to the disclosure of 45 million customer's credit and debit card information comes as no surprise to us in the IT Security community.

Unlike banks, insurance companies and they're like who are regulated by the Financial Services Authority (FSA) in the UK, there are very little legislative and regulatory pressures on the retail industry to operate best practice security, which given that they have infrastructure in place to take payment card details is something we should all be worried about, to say the least.

The only reason we know about this security breach is 1) because the breach is too large to hide, and 2) the parent company has obligations under certain State law in the US to divulge security breaches. There's no such obligations for UK companies. Unless of course you count the 2006 Fraud Act which gives banks (not retail companies) the obligation for reporting losses due to fraud involving payment cards (however many banks know that they can easily get around this).

There's the Data Protection Act of course, but the Information Commissioner is pretty toothless. You don't hear of companies being fined £1 million by the Information Commissioner, like Nationwide was last month by the FSA.

From my experience, companies only implement good security controls if they've either been impacted by a security incident which has cost them a lot of money, or they've been audited by a regulatory board or client and have been forced to improve security. It's shocking to see the lack of protection around customer information in retail companies. Many retail companies don't even have any standard security monitoring devices on their network or servers, so for all we know, our information could be being disclosed every day and the companies aren't even aware of it, never mind us, their customers.

No comments: