Today, I read a very interesting article by Evan Schuman of eWeek regarding the TJ Maxx data theft. The title of it made me pause: “The Nightmare Scenario: What if TJX Did Everything Right?”. I admit, I had thought of that previously but dismissed it since TJX was being rather tight-lipped about the incident. To me, that silence meant they must have been negligent in some way. And, since my wife’s data was stolen in the TJX database hack, that sealed my opinion. However, as I said, the title of that article caused me to reflect, what IF TJ Maxx did everything right?
It appears that TJX WAS encrypting data, and that the thieves got around that encryption by stealing a copy of the software encryption key AND by stealing the data just before it was encrypted. That should make ANY retailer perk up and take note.
This information in itself still does not mean that TJX did everything right; it just means that there may be more to the story. MasterCard did confirm that TJX had violated the PCI rules, but maybe the majority of the problem was because the thieves were really good at their job as opposed to TJX being really bad.
We still do not know exactly HOW the thieves got access to the encryption software, whether it was an inside job or whether they found it during their intrusion. But maybe we will get more information in the coming days and weeks. Anyone with an e-commerce website or retail store should pay particular attention to this case, because there are sure to be some valuable lessons learned.
As for me, I suppose I should reserve final judgment until the dust settles. I am still not shopping there, although I bet they are about the most careful retailer out there when it comes to sensitive data.