TJX breach: There's no excuse to skip data encryption

By Dennis Fisher
18 Jan 2007 | SearchSecurity.com


Security Wire Daily News
Behind the firewall with Dennis Fisher:

The revelation Wednesday that Framingham, Mass.-based retailer TJX Companies Inc. suffered a network intrusion and data theft sometime last month has kicked off another round of wailing and gnashing of teeth about the epidemic of such incidents in recent years. But anyone who's been paying attention would realize that these intrusions have been going on for decades. The only difference now is the notification laws in California and dozens of other states that compel companies to publicly disclose any incident in which customer data may have been compromised.

Those laws have resulted in the almost daily reports of data thefts at universities, government agencies and companies large and small. Clearly, this kind of legislation is a net positive for consumers, alerting millions of people to threats to their credit ratings and bank accounts that they otherwise would be unaware of. The laws also have helped push the issue of data security into the boardroom and the executive suite, which is where it belongs. Multimillion dollar fines tend to do that.

However, the constant drumbeat of media reports on these incidents seems to have had the effect of making many consumers blasé about the dangers. I see people on TV who have been affected by these thefts saying there's nothing they can do about it, so they're not going to worry. I hear corporate PR folks saying that they're working diligently to protect consumer data, but these incidents are almost unavoidable in today's world.
Absurd. The truth is, there's plenty that both corporations and consumers can do to effect change. To start with, any enterprise that stores customer data--which is to say all of them--should be encrypting that data. There's no excuse for not taking such a basic precaution.

Companies complain that database encryption products are cumbersome, expensive and difficult to manage. Really? You know what else is expensive and difficult to manage? A data theft. It's bad enough that attackers are able to get inside the perimeters of the companies, but they certainly shouldn't be able to find any unencrypted customer records once they get there. The same goes for government agencies. Just do it.

Next, there needs to be some standard on how long companies are allowed to store customer data. It's not enough for them to say in their privacy policies that they won't sell or misuse customer data. Once it's stolen, they don't have much control over how it's used. Companies like TJX, BJ's Wholesale Club, Guess, Victoria's Secret and others that have been hit by data thefts have no real reason to keep data such as credit card numbers, phone numbers and addresses indefinitely. They do it to build out their marketing databases and they do it because no one has said that they can't.
Finally, consumers can start voting with their wallets and staying away from companies that are careless with their data. Why continue to spend money in a store that has proven it would rather save a few thousand dollars by not securing its networks than protect your personal information? There are plenty of other places to shop. Don't be lazy and just shrug it off; let these companies know that what they're doing just isn't good enough, not anymore.

It's also time to stop pretending that all data thefts are created equal--they're not. A careless employee leaving a laptop in a taxi or a Starbucks is one thing. No matter how good your security policy is, you can't stop people from being dumb. But for large multinational companies like TJX with multimillion dollar security budgets to suffer breaches on the networks holding their most sensitive data is something else entirely. That's just plain laziness, or perhaps ignorance. Either one is unforgivable for a company with more than $16 billion in revenue last year.
