Analysis: TJX Breach Doubles; What Difference Does It Make?

Some experts say the new estimate – 94 million compromised accounts – is purely a matter of legal jousting between banks and the retailer.

by Katherine Walsh

Ninety-four million. That’s the new estimated number of credit card accounts that were compromised by the TJX security breach that came to light late last year. The new number, which is two times the original TJX estimate of 46 million, was revealed in a court filing from a group of banks who are suing TJX over the breach as reported in the Boston Globe and other media outlets.

The bank group includes, among other plaintiffs, the Massachusetts Bankers Association and Fifth Third of Ohio. The new breach estimate was determined through investigations conducted by Visa and MasterCard. The filing estimates damages to banks will fall between $68 million and $83 million.

The next questions are: Is that number real?

And what difference does it make?

Although 94 million represents the number of unique accounts compromised, it is unlikely that it refers to 94 million different individual customers. One person can have multiple accounts. Even taking that fact into account, some observers say the number is suspiciously high. “We are all skeptical, but you have to believe [the banks],” says Avivah Litan, a VP and research director at Gartner. “The truth is, forensics is more of an art than a science…it depends on how good the investigator is and what they find.” [For a detailed look at some of digital forensics’ challenges, see The Rise of Anti-Forensics.] The gap in the estimates also indicates that TJX didn’t have adequate audit logs to conduct a proper analysis, she adds.

Bruce Schneier, CTO of managed security services provider BT Counterpane, agrees that the number is unusual, and because of that, he is cautious about believing that the data is real. “The problem is that we don’t know how they came up with that number and we can’t see the data behind it. And it’s in [the banks’] best interest to make the numbers as big as possible,” – because they’ll get a larger settlement from TJX for a larger breach – “so it just feels strange.”

TJX is standing behind its original estimate of compromised accounts. Litan and Schneider believe TJX is unlikely to be monetarily affected by these new numbers. In order for the banks to receive more money from the retailer, they would have to prove more damage, and that could be difficult. TJX has previously said that 75 percent of the 45.7 million credit and debit card numbers were expired or contained masked data on the magnetic strips, which would render them useless to thieves. “Unless [banks] can prove damage to all 94 million accounts, it won’t really affect [TJX],” says Litan. Schneider, who believes that this court filing represents nothing more that “legal jousting,” agrees: “It doesn’t make that much of a difference. [The banks] are looking for more money, but unless they can prove actual damage, it won’t mean anything.”

Regardless of the actual number of affected accounts, many security experts say that TJX may have knowingly left sensitive customer data vulnerable.TJX was not compliant with PCI standards, which could have prevented the breach from ever occurring, according to Bob Russo, general manager of the PCI Security Standards Council. Russo says that had TJX been compliant with the PCI Data Security Standard, none of these class action lawsuits would be taking place. DSS includes requirements for policies, procedures, network architecture, software design and security management, and is intended to help organizations like TJX protect customer account data. “No company that has experienced a breach has been compliant with [the PCI standard],” says Russo. “Clearly this is something companies need to start pay attention to.” [See CSO’s previous look atthe PCI standard.]

In the wake of the breach, TJX has offered credit monitoring identity theft insurance to 455,000 customers, in addition to $30 gift certificates and a 15 percent purchase discount for customers who were affected.

Reach CSO Associate Staff Writer Katherine Walsh at kwalsh@cxo.com.