The TJX credit-card data breach -- the largest ever -- was sort of amazing, in that it went on for a few years before it was detected and disclosed. It was established at the outset that the company didn't comply with the credit-card companies' strict security guidelines, but a story in today's Wall Street Journal spells out the depths of TJX's incompetence when it came to security. Investigators believe that the hackers used directional antennas to intercept signals sent over the WiFi networks at the company's stores, which were encrypted only with the easily cracked WEP standard, since TJX never bothered to update to WPA. You wouldn't think that would be too much of a problem, because apart from the network itself being encrypted, the company had installed other layers of encryption and security, right? Wrong. Once the hackers had gained access to the TJX network through a single store, they used keyloggers to get access to the company's central database at its headquarters, established their own accounts, and the major theft began. Again, TJX made this easier on the crooks by transmitting credit-card data to banks without encryption.

Banks continue to see claims from fraudulent activity related to the theft, and they're left holding the bag -- so it's little wonder some of them have sued TJX in hopes of recovering damages. This illustrates one of the biggest problems when it comes to identity theft and data protection: the companies responsible for leaks and losses aren't typically the ones that have to deal with or pay for the fallout. In this case, TJX's financial liability has thus far been limited, and any fines it will have to pay will likely be minimal, despite its ridiculously shoddy security. A company has no incentive to enact better security if it feels no repercussions from a breach, so why should it bother? These misaligned incentives exacerbate the problem, and don't help anyone.