Data breaches are a problem that every company potentially faces, and information security is a general commercial problem. A community issue, if you will. But when a company is breached, its response seems to fall into one of two categories: non-disclosure or non-informative press spin. Either it does not disclose publicly, or, if obligated in some way, we get the "we are deeply concerned but we are on top of it" response from the press or legal team. This is security through anonymity, and it does not do anyone a lot of good.
TJ Maxx is in the news again, and that is what got me thinking about this. Some of the most important security lessons I have learned are from other security professionals talking about the weird things they have seen. It is that practical experience that lets you discover how criminals think, with simple but highly clever subversions of security systems, and more than anything else it has shaped the way I approach security and how I model security solutions. I have also learned from working with various cryptographers that the best algorithms are the ones that have stood up to peer review. Awareness and discussion of security in practice are tremendously beneficial.
We all want to read about what really happened at TJ Maxx, and we want to learn from the breach and see what was done, what worked, what they would have liked to have done differently, or where they made their best guess and moved forward. Like many security professionals, I have heard many rumors about breaches and what was involved, but we really do not know what happened. There are other cases where I have spoken to firms under NDA, some who admit to a breach, while others steadfastly refuse to admit any such thing, all while asking highly detailed and specific "what if" questions. Right. Ignore the Secret Service agents in the next conference room over. A very Officer Barbrady "Move along people, there is nothing to see here" response. There is a large body of knowledge out there and few people are talking.
The September 2007 issue of the Harvard Business Review had an excellent data breach case study. It raises a lot of good issues, and the difference in viewpoints on how to handle the breach is startling. But it stops short of discussing what was done and what might have been done differently from a more forensic view. This is great for considering how to prepare your breach response, not so great for learning how to guard against the breach itself.
I would love to see a case study of the TJ Maxx breach, or perhaps, as part of the settlement, that they be made to disclose what happened in exchange for immunity from further legal penalties. If I were an investigative journalist, I would be looking for some way to get a behind-the-scenes look at what is going on.
Update:
As this discussion has popped up over on the Information Week blog, here is the reference for anyone who is interested. And yes, they may have gotten in through a wireless access point, but that is just the entry point. Scanning for services, injection of code, and the retrieval of data are all other aspects of the break-in that are not discussed, and each represents another layer of defense that failed ... or was absent.