Payment systems culprit in TJX heist

Security experts contend that criminals found a common weakness in retailers' defenses by targeting TJX's payment card systems

Confirmed as the largest exposure of consumer information on record in the United States, the network intrusion experienced by TJX Companies highlights serious data security risks posed by outdated payment card systems, experts observed.

In an annual report filed with the SEC on March 28, TJX offered many more details of the attack that allowed intruders to make off with more customers' information than it had previously shared with the public.

According to the report, an undetermined number of outsiders repeatedly broke into a portion of the company's IT systems between 2005 and 2007, exposing the personal information -- including credit and debit card numbers -- of roughly 45.6 million people.

TJX specifically said that the attackers were able to penetrate an area of its network used to store payment card and transactional data at two different locations.

When TJX hired IBM and General Dynamics in Dec. 2006 to begin investigating the break-in, the consultants found that the malware tools used by the data thieves were still present in the company's systems.

Ironically, the TJX data heist, which has already led to fraud in the U.S. and overseas, displaces another incident related to a hack of payment card systems as the most sizeable breach of all time. In mid-2005, card processor CardSystems Solutions had its IT systems hacked to the tune of more than 40 million consumer records.

Security experts said it is no coincidence that the two largest consumer data thefts on record involve break-ins to payment card systems.

In addition to holding the sensitive customer information that cyber-criminals and offline fraudsters need most to carry out their schemes, companies that have not moved to upgrade their systems over the last several years are likely running applications that do not offer much resistance to attack, analysts said.

"These older payment systems were not designed with security in mind, and the people building them only really started paying attention to security in the last few years, so it's easy to blame TJX for coming up short, but I'd bet there are a lot of other companies in the same shoes," said Avivah Litan, analyst with Gartner.

Things have improved slowly since major credit card issuers forced the adoption of the PCI (Payment Card Industry Data Security Standard) in 2004, which was co-authored by Visa USA and MasterCard, the analyst said. However, many older systems remain vulnerable despite the guideline, Litan said.

MasterCard, among others, has commented publicly that TJX's systems were not compliant with PCI standards when they were attacked.

The analyst said that sources were telling her that the attack carried out against TJX originated in Eastern Europe and likely took advantage of an unprotected wireless network somewhere at the company to break into the software controllers that drive its point-of-sale registers in addition to hacking into its back-end systems.

Most companies do not monitor all their point-of-sale controllers, and from there, the criminals were likely able to find a way to penetrate the firm's back-end servers, she said.

"The software being used to process payments at many companies is highly exposed, and there needs to be an additional standard out there that requires data to be released after a certain amount of time on the register," said Litan. "And getting in through a wireless server isn't uncommon either; it's usually the easiest point of contact, and it's not encrypted, the passwords are defaults, and people can get in and find their way around the network; that seems to be the modus operandi for many of these types of attacks."

Other experts agreed that unprotected wireless networks and aging payment card systems serve as a potent recipe for data theft from large retailers.

Andrew Jaquith, an analyst with The Yankee Group, said that many large retailers have wireless systems in place for use by in-store personnel that are relatively unprotected yet connected to the firms' wider corporate networks. Locking down those systems is a relatively simple process, he said, but protecting data on payment card systems is not.

"In general companies have had a hard time figuring out how to protect customer information, even after the emergence of PCI," Jaquith said. "When people were designing these things a few years ago, in many cases, they made design and implementation decisions that have combined to create opportunities for exposure; they weren't thinking about where to store and protect the most sensitive information, such as credit card data."

Many companies are in the process of replacing their payment processing systems to get closer to compliance with PCI, but the transition moves slowly based on the complexity and expense of the technologies, the analyst said.

"To be fair, the guidance for PCI has gotten a lot better over the last couple of years, but if you roll back the clock a few years, there wasn't a lot of guidance from the card consortiums to the merchants about how to handle sensitive data," said Jaquith. "Some companies did the best job they could, some punted and focused on other areas of security, and many built systems in a random fashion; this isn't a problem that will be solved by anyone overnight."

The silver lining of disastrous data incidents such as the TJX breach is that they may serve to motivate many firms that are lagging in their plans to upgrade payment card systems security, experts said.

"Incidents like the one experienced by TJX provide the best argument for not holding onto large amounts of sensitive information, but there's no evidence yet that these events have pushed other companies to improve their own data security efforts," said Lillie Coney, associate director with the Electronic Privacy Information Center in Washington, DC.
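Two of the points raised above, Litan's that card data should not stay on a register past a short window and Coney's that holding large amounts of sensitive information is the real liability, come down to the same two controls: find where full card numbers still sit, and strip them once they are no longer needed. The Python below is an added illustration of both and is not code from the article, from TJX, or from any payment vendor. The register log format, its field names and the four sample lines are constructed; the seven-day window is an assumed policy value; and the Luhn check only filters out digit runs that cannot be card numbers, it does not prove that a run is one.

```python
"""Added example: locate unmasked card numbers in a point-of-sale log and
redact those older than a retention window.  Constructed data throughout."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample register log in a hypothetical "key=value" format.
# Line 1 and 3 hold full PANs (well-known test numbers), line 2 is already
# masked, line 4 carries a 13-digit order id that is not a card number.
REGISTER_LOG = """\
2006-12-01T10:15:22Z reg=07 txn=000123 pan=4111111111111111 amt=4599
2006-12-01T10:16:05Z reg=07 txn=000124 pan=411111XXXXXX1111 amt=1250
2006-12-18T09:02:41Z reg=12 txn=000987 pan=5555555555554444 amt=8800
2006-12-18T09:03:10Z reg=12 txn=000988 order=1234567890123 amt=300
"""

# Candidate PAN: 13 to 19 digits not touching other digits on either side.
_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used to drop digit runs that cannot be a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four, replace the rest with 'X'."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(log_text: str):
    """Return (line number, masked PAN) for every full PAN found in the log.
    The finding itself is masked so the report does not re-expose the number."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in _DIGIT_RUN.finditer(line):
            if luhn_ok(m.group()):
                findings.append((lineno, mask_pan(m.group())))
    return findings


def redact_expired(log_text: str, now_iso: str, retention_days: int) -> str:
    """Rewrite log lines whose timestamp is older than the retention window so
    that any full PAN on them is masked; newer lines are returned untouched."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    now = datetime.strptime(now_iso, fmt).replace(tzinfo=timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    out = []
    for line in log_text.splitlines():
        stamp = datetime.strptime(line.split(" ", 1)[0], fmt).replace(tzinfo=timezone.utc)
        if stamp < cutoff:
            line = _DIGIT_RUN.sub(
                lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(),
                line,
            )
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", find_unmasked_pans(REGISTER_LOG))
    cleaned = redact_expired(REGISTER_LOG, "2006-12-20T00:00:00Z", 7)
    print("after :", find_unmasked_pans(cleaned))
```

Run periodically against each register's log, the scan gives the inventory Jaquith says most companies lack (where the sensitive data actually is), and the redaction step is the "release after a certain amount of time" control Litan calls for, applied to whatever window the retention policy sets.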

Making a case for how a data breach could affect a company's bottom line should be simple, but many business leaders are unwilling to dip into their coffers for new IT defense systems, she said.

"If you consider the problem in terms of risk analysis and the potential cost of an incident that exposes sensitive information, including the damage to a company's reputation, it shouldn't be a hard case to make," Coney said. "But getting companies to think like that is still a challenge as the IT workers don't have a way to position the issue from a bottom-line standpoint; eventually someone will make a case for liability with one of these breaches, and that's when people will really get it."