Data breach at TJX

Cryptography would be a good solution for data breaches

Abstract: One of the reasons TJ Maxx suffered a data breach is a lack of encryption, and it is not enough to just specify encryption. A data breach at TJX Cos. could have affected more than 94 million consumer accounts, more than double what the retailer had estimated previously, a group of banks asserted in court documents this week.

TJX, which operates more than 2,400 stores under names that include TJ Maxx, Marshalls and A.J. Wright, disclosed in March that data from 45.7 million credit and debit cards were stolen from its computers by hackers over 18 months. Personal information from 451,000 customers who returned goods was also stolen in what was already the largest data breach ever.

This shows that data is most vulnerable in storage rather than in transit over the network: it has been stolen by malicious employees, through carelessly handled backup tapes and, in the case of TJ Maxx, by compromised code reading data out of storage (Securitas Operandi, "For an Interesting Account of the TJX Breach, Read Their 10-K", May 3, 2007, Peter Gregory). Handling these threats from the inside should be a core consideration for any security architecture.

Solution: From a cryptographer's perspective, in an ideal world every piece of data written to a disk or tape would be encrypted. It is not enough to just specify encryption, though. If encryption is applied transparently at the storage or transport layer, any user who has access to a machine has access to all the encrypted data on that machine and in its network connections. This yields a very easy-to-deploy encryption scheme, but one with very little ability to map encryption to complex access control policies.

The challenge for encryption products in this environment is their ability to take this policy information, map it to an encryption key, and enforce those policies when decryption keys are requested. Some older technologies, such as Public Key Infrastructure (PKI), tend to have very fixed, high-overhead policy-to-key mapping techniques.
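As an added example that is not part of the original write-up, the following Python models the policy-to-key mapping described in the two paragraphs above: a key server keeps one data key per data label, releases a decryption key only to roles the label's policy allows, and records every request, in contrast to a single machine-level key that anyone on the host can use. The labels, roles, principal names and record layout are assumptions made for the demonstration, and the HMAC-based cipher is a stand-in so the example runs on the standard library alone.

```python
"""Policy-bound decryption keys versus one machine-level key (added example).

The cipher is a demonstration construction: HMAC-SHA256 as a PRF in counter
mode, then an HMAC tag over label || nonce || ciphertext. A deployment would
use a vetted AEAD such as AES-GCM; the key-release policy is the point here.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks (zip truncates the last block)."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one data key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def encrypt(key: bytes, plaintext: bytes, label: bytes) -> bytes:
    """Encrypt-then-MAC; the policy label is authenticated together with the record."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, label + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes, label: bytes) -> bytes:
    """Verify the tag in constant time before releasing any plaintext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, label + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record failed authentication (wrong key, wrong label or tampered)")
    return _keystream_xor(enc_key, nonce, ct)


@dataclass
class KeyServer:
    """One data key per label; the access policy is enforced when a key is released."""
    policies: dict[str, set[str]]            # label -> roles allowed to decrypt (assumed)
    _keys: dict[str, bytes] = field(default_factory=dict)
    audit: list[tuple[str, str, str]] = field(default_factory=list)

    def encryption_key(self, label: str) -> bytes:
        """Writers get the label's key; a first-seen label gets a fresh random key."""
        if label not in self.policies:
            raise KeyError(f"no access policy defined for {label!r}")
        return self._keys.setdefault(label, os.urandom(32))

    def decryption_key(self, principal: str, role: str, label: str) -> bytes:
        """Release the key only if the caller's role is permitted by the label's policy."""
        allowed = role in self.policies.get(label, set())
        self.audit.append((principal, label, "granted" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{principal} ({role}) may not decrypt {label!r}")
        return self._keys[label]


def store(server: KeyServer, label: str, plaintext: bytes) -> tuple[str, bytes]:
    """Write path: the stored record carries its label next to the ciphertext."""
    return label, encrypt(server.encryption_key(label), plaintext, label.encode())


def read(server: KeyServer, principal: str, role: str, record: tuple[str, bytes]) -> bytes:
    """Read path: the key request, not access to the storage host, decides who can read."""
    label, blob = record
    return decrypt(server.decryption_key(principal, role, label), blob, label.encode())


def demo() -> dict[str, bool]:
    """Contrast a single machine key with policy-bound keys on constructed sample data."""
    pan = b"PAN 4111 1111 1111 1111 (constructed test value)"
    results = {}
    # Machine-level key: one key for the whole disk, usable by anyone on the host.
    machine_key = os.urandom(32)
    results["machine_key_clerk_reads_pan"] = (
        decrypt(machine_key, encrypt(machine_key, pan, b"disk"), b"disk") == pan)
    # Policy-bound keys: only the payments role may decrypt cardholder data.
    server = KeyServer(policies={"cardholder-data": {"payments-batch"},
                                 "returns-data": {"payments-batch", "store-clerk"}})
    pan_record = store(server, "cardholder-data", pan)
    store(server, "returns-data", b"return receipt (constructed)")
    results["policy_key_payments_reads_pan"] = (
        read(server, "batch-job-01", "payments-batch", pan_record) == pan)
    try:
        read(server, "clerk-17", "store-clerk", pan_record)
        results["policy_key_clerk_denied"] = False
    except PermissionError:
        results["policy_key_clerk_denied"] = True
    # Relabelling a record to a less restricted label yields the wrong key: the tag fails.
    try:
        read(server, "clerk-17", "store-clerk", ("returns-data", pan_record[1]))
        results["relabel_detected"] = False
    except ValueError:
        results["relabel_detected"] = True
    results["denials_audited"] = ("clerk-17", "cardholder-data", "denied") in server.audit
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Because the label is bound into the authentication tag and each label has its own key, an insider on the storage host holds ciphertext but not the means to read it, and every key request, granted or denied, leaves an audit record that a detection team can review.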

Reason for choosing this article: This data breach is recorded as one of the biggest data breaches of 2007. 451,000 customers underwent identity theft. It was not due to lost laptops or trash; the information was vulnerable to intruders because it was not protected. As a security student, I would say that confidentiality was poor. Since confidentiality is one of the three components of security, I chose this article.

Reference:

http://www.reuters.com/article/companyNewsAndPR/idUSN2438304920071025