The disclosure that TJX Cos.' computer breach leaked information on more than 45 million accounts makes it clear that retailers need to take steps to combat ID theft. The amount of customer information stolen by surreptitious hackers included credit card numbers, debit card numbers, driver's license numbers and customer names and addresses from shoppers at TJ Maxx and Marshall's.
How did this happen? The investigation is ongoing. But according to publicly available information, problems with encryption (or the lack of it) contributed to the breach. Encryption serves as a foundation for information security in retail environments, and when encryption breaks, a breach is inevitable.
Historically, companies have encountered difficulty in implementing encryption on a large scale. Only recently have advanced technologies emerged that allow both small and large retailers to implement strong encryption across all their stores and processing centers. Most retailers, however, have not begun to implement these new technologies that provide essential protection.
According to a 2005 estimate, encrypting data could cost as little as $6 per customer account, compared with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach. The price of encrypting information has dropped dramatically since then, and the level of protection has increased.
TJX has already incurred costs of $5 million in responding to the breach, and it faces 19 separate class action suits. This may be just the tip of the iceberg, since 30 states are investigating the company, and so is the Federal Trade Commission and privacy agencies in Canada.
On top of that, consider the customer's perspective. Reminded of the headlines raised over this incident, they may ask themselves if they feel comfortable using their credit cards in the company's stores.
The incident may impact the overall retail industry. A bill that was introduced in the Massachusetts legislature would require retailers, not banks, to cover the tremendous antifraud related costs in the event of a breach.
The TJX breach could have been prevented by following established best practices and by using new technologies. Throughout the industry, information security problems have proven to be difficult to solve, but many laws and standards now exist to guide companies on keeping credit card data safe.
The Payment Card Industry's (PCI) Data Security Standard, for instance, describes what data should be protected and what data should be destroyed when no longer needed. Companies that accept credit card information must update their systems with new security solutions.
These solutions would automatically encrypt information from the moment of creation, such as during a card swipe at a register, and would guarantee persistent protection wherever the information moves or resides. Advanced encryption software is capable of achieving this goal.
This article was edited from a story by J. Patrick McGregor, president and CEO of BitArmor Systems, an enterprise encryption vendor based in Pittsburgh, which appeared in the Pittsburgh Business Times.
Entire contents ©2016, Sumner Communications, Inc. (203)
748-2050. All rights reserved. No part of this service may be
any form without the express written permission of Sumner Communications,
Inc. except that an individual may download and/or forward articles
to a reasonable number of recipients for personal,