The TJX Effect: Retail Security Not Ready for Prime Time (by Greg Buzek)
April 17, 2007
Printed in RIS News Executive News Brief 4-17-07

TJX's disclosure that 46.5 million customer records had been hacked from the company's computers, and the widespread reporting of the theft as the largest corporate security breach, have sent shock waves throughout the retail community. Accounts and transactions affected included credit and debit card transactions from a period of 17 months.

Exclusive to RIS News, Greg Buzek, founder and president of IHL Consulting, offers his opinion on the impact the TJX incident has had, and will continue to have. According to Buzek, the incident grabbed the attention of the executives, but the mindset of IT professionals may be harder to hold. "A very public situation like this gets the attention of the board rooms and everyone at the executive ranks," he says. "The real question is whether the message gets down to the level of the people responsible for implementation. There is a proverb that says pride comes before a fall. I'm afraid that often, even when something as high profile as this breach happens, most people just think it cannot happen to them. So I'm not convinced enough is being done to root out weaknesses."

"A second aspect of this is that in the 'hairball' nature that most retailers' IT systems are integrated today, it is very difficult to lock down every vulnerability. There are simply too many access points," says Buzek. "Still, with that being said, the weakest link is often a human one that unknowingly gives access to key systems via social engineering."

According to all reports, the thieves are very organized, and, much to the dismay of executives everywhere, still at large. Even after TJX finally detected the breach, the intruders apparently had the upper hand. The company waited nearly a month to announce the theft, a strategic feint taken on advice from the Secret Service to prevent intruders from learning that investigators were watching. But even without such public disclosure, the theft of card numbers stopped when the access was detected.

"These are not kids hacking systems," says Buzek. "These are highly trained professionals, working normal business hours. While retailers come to work to sell and protect customer data, these people come to work to find weaknesses and hack the systems because it is big business. Most of the major attacks are now coming from the Ukraine and other former Soviet republics where the US does not have an extradition treaty. So even if we can track it, we can't do anything about it. And it is big business. The average price for buying a new credit identity these days is reported to be between $5 and $14 per identity. Let's assume that these 46.5 million records were sold for $5 each. That's over $232 million in revenue for the hackers even if they never try to buy something themselves. This is big business now."


