TJX Site Vulnerable to XSS Flaw
The TJX customer data security breach from earlier this year has been something of a hot-button issue for me. What bothers me most is the apparent lack of fallout. A major retailer failed to follow basic security guidelines, and the regulations and standards it must comply with, such as Sarbanes-Oxley (SOX) and the PCI Data Security Standard (PCI DSS), resulting in the largest disclosed leak and potential compromise of customer data up to that time, and nothing really seems to have happened. The stock is doing fine. The stores are doing fine. Shoppers are still shopping and investors are still investing. At the same time, TJX is hoping to settle the consumer lawsuits for pennies on the dollar, essentially trivializing the damage and suffering they caused millions of loyal shoppers. All of that, and they still have security issues. I wrote a brief article on my About.com Internet / Network Security web site with some details of the cross-site scripting (XSS) vulnerability that was discovered on the TJX web site.
September 27th, 2007 at 7:56 pm
Tony,
I read your article on the TJX breach and I understand your point about feeling as if there hasn't been enough fallout.
I think the bottom line is that people will always do what is convenient. That mindset flows across many planes: security measures at TJX will probably continue to be weak because at some level it's simply not convenient to invest in security. From an administrator's standpoint, continual DB and website reviews may be necessary, but not convenient.
Many times executives at the "C" level in many companies ignore security recommendations, policies and guidelines because it's not convenient to talk to the board about why they are apparently losing money investing in security measures that may never be used.
Unfortunately the impact from incidents like the TJX breach can't be accurately measured without a pretty hefty investment in time, money and resources to conduct a business impact analysis, and we know that doing a BIA is, well, inconvenient.
Overall I feel that the age-old adage "Let the buyer beware" applies in this case. People in general have to take responsibility for their personal security and identity protection before the bigger companies start making changes.
JV
http://www.securasys.net