BreachExchange mailing list archives
Re: TJX breach shows that encryption can be foiled
From: "Casey, Troy # Atlanta" <Troy.Casey () mckesson com>
Date: Mon, 2 Apr 2007 15:44:12 -0400
It should make for a short list of suspects, assuming TJX was doing a reasonable job of key management...but it does seem that they would have been in a bigger hurry than this to declare that the data was encrypted -- assuming that it, in fact, _was_ encrypted.

That said, following their behavior pattern of releasing little to no information about this, nothing is said about what sort of encryption or what cipher strength was in use. A lot of encryption technology has been obsoleted in recent years and if they were using a weak algorithm it may not have been necessary for the thieves to lay hands on their key in order to decrypt. Given how long the breach went on, I'd say the bad guys had plenty of time, in theory at least, to break an algorithm or "guess" the key by automation...especially if they threw a couple hundred Nigerian laptops at the problem :-)

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of B.K. DeLong
Sent: Monday, April 02, 2007 3:33 PM
To: lyger
Cc: dataloss () attrition org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled

If that isn't a loaded statement. So TJX is claiming all their credit card data is always encrypted at-rest? How many people would have access to such a "decryption tool"? This sounds fishy.

On 4/1/07, lyger <lyger () attrition org> wrote:
http://www.boston.com/business/globe/articles/2007/03/31/tjx_breach_shows_that_encryption_can_be_foiled/

Encryption alone is no panacea for threats to consumer data, according to specialists who say the technology's limit can be seen in the problems reported by TJX Cos. of Framingham.

The notion of using complex math formulas to scramble electronic information is gaining steam as a way to protect individuals' privacy, an area of growing concern for retailers and banks as data thefts become more brazen. But recent details to emerge on how hackers accessed the parent of stores including T.J. Maxx and Marshalls show how encryption can be defeated by clever thieves -- and suggest the breach may have been an inside job.

A securities filing by TJX on Wednesday disclosed that the incident may have compromised more than 45 million credit and debit card numbers, the most in any single incident. In the filing, TJX also stated that "we believe that the intruder had access to the decryption tool for the encryption software utilized by TJX."

[...]

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 203 million compromised records in 609 incidents over 7 years.
--
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org
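The point Troy makes above, that with a weak enough cipher the thieves never need to "lay hands on the key", can be shown concretely. The following is an added example and is not part of the thread, nor anything known about TJX's actual encryption: it uses a deliberately toy stream cipher (keystream derived from SHA-256 of a small integer key; an assumption for illustration, not a real product's algorithm) with an 18-bit key so the search finishes in seconds, and a constructed plaintext, the well-known Visa test number 4111111111111111. The attacker's problem is not only to try keys but to recognize the right one; a decrypted record that is sixteen ASCII digits passing the Luhn check is as good an oracle as the attacker needs, since an incorrect key almost never produces that. The estimator at the end applies the same half-keyspace expectation to any key size and machine count.

```python
import hashlib

KEY_BITS = 18  # toy key size chosen so exhaustive search runs in seconds (assumption)


def keystream(key: int, length: int) -> bytes:
    """Toy keystream: SHA-256 over (key, counter) in counter mode. NOT a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: bytes, key: int) -> bytes:
    """XOR the plaintext with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt


def luhn_valid(digits: str) -> bool:
    """Standard Luhn (mod 10) check used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(candidate: bytes) -> bool:
    """Plaintext oracle: 16 ASCII digits that pass Luhn. Random bytes almost never do."""
    return len(candidate) == 16 and candidate.isdigit() and luhn_valid(candidate.decode())


def brute_force(ciphertext: bytes, key_bits: int = KEY_BITS):
    """Try every key; return (key, plaintext) for the first candidate that looks like a PAN."""
    for key in range(1 << key_bits):
        pt = decrypt(ciphertext, key)
        if looks_like_pan(pt):
            return key, pt.decode()
    return None


def search_time_seconds(key_bits: int, keys_per_second: float, machines: int = 1) -> float:
    """Expected time to find a key by exhaustive search: half the keyspace on average."""
    return (1 << key_bits) / (keys_per_second * machines) / 2


if __name__ == "__main__":
    secret_key = 173505                      # arbitrary key below 2**18 (constructed)
    pan = b"4111111111111111"                # constructed sample, the Visa test number
    ct = encrypt(pan, secret_key)
    print("ciphertext:", ct.hex())
    print("recovered:", brute_force(ct))    # no key needed, only ciphertext + Luhn oracle
    # How the same arithmetic scales for real key sizes (rates are assumptions):
    for bits in (40, 56, 128):
        days = search_time_seconds(bits, keys_per_second=1e9, machines=200) / 86400
        print(f"{bits}-bit key, 200 machines at 1e9 keys/s: ~{days:.3g} days")
```

The recognizer is what makes the search practical: an attacker sitting inside a retailer's network for many months, as the article describes, has both the time and the known structure of the data, so key length and algorithm choice, not the secrecy of the key alone, decide whether the ciphertext holds. The same loop at 128 bits never finishes, which is the whole reason cipher strength matters.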
Current thread:
- TJX breach shows that encryption can be foiled lyger (Apr 01)
- Re: TJX breach shows that encryption can be foiled B.K. DeLong (Apr 02)
- Re: TJX breach shows that encryption can be foiled Casey, Troy # Atlanta (Apr 02)
- Re: TJX breach shows that encryption can be foiled Chris Walsh (Apr 02)
- Re: TJX breach shows that encryption can be foiled Adrian Sanabria (Apr 02)
- Re: TJX breach shows that encryption can be foiled Avery Sawaba (Apr 03)
- Re: TJX breach shows that encryption can be foiled DAIL, ANDY (Apr 03)
- Re: TJX breach shows that encryption can be foiled Sean Steele (Apr 03)
- Re: TJX breach shows that encryption can be foiled DAIL, ANDY (Apr 03)
- Re: TJX breach shows that encryption can be foiled B.K. DeLong (Apr 03)
- Re: TJX breach shows that encryption can be foiled James Childers (Apr 03)
- Re: TJX breach shows that encryption can be foiled Sean Steele (Apr 03)
- Re: TJX breach shows that encryption can be foiled Casey, Troy # Atlanta (Apr 02)
- Re: TJX breach shows that encryption can be foiled B.K. DeLong (Apr 02)
- <Possible follow-ups>
- Re: TJX breach shows that encryption can be foiled Dissent (Apr 03)