BreachExchange mailing list archives

Re: TJX breach shows that encryption can be foiled


From: "Casey, Troy # Atlanta" <Troy.Casey () mckesson com>
Date: Mon, 2 Apr 2007 15:44:12 -0400

It should make for a short list of suspects, assuming TJX was doing a
reasonable job of key management...but it does seem that they would have
been in a bigger hurry than this to declare that the data was encrypted
-- assuming that it, in fact, _was_ encrypted.

That said, following their behavior pattern of releasing little to no
information about this, nothing is said about what sort of encryption or
what cipher strength was in use.  A lot of encryption technology has
been obsoleted in recent years and if they were using a weak algorithm
it may not have been necessary for the thieves to lay hands on their key
in order to decrypt.  Given how long the breach went on, I'd say the bad
guys had plenty of time, in theory at least, to break an algorithm or
"guess" the key by automation...especially if they threw a couple
hundred Nigerian laptops at the problem :-)

-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of B.K. DeLong
Sent: Monday, April 02, 2007 3:33 PM
To: lyger
Cc: dataloss () attrition org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled

If that isn't a loaded statement. So TJX is claiming all their credit
card data is always encrypted at-rest? How many people would have access
to such a "decryption tool". This sounds fishy.

On 4/1/07, lyger <lyger () attrition org> wrote:


http://www.boston.com/business/globe/articles/2007/03/31/tjx_breach_shows_that_encryption_can_be_foiled/

Encryption alone is no panacea for threats to consumer data, according
to specialists who say the technology's limit can be seen in the
problems reported by TJX Cos. of Framingham.

The notion of using complex math formulas to scramble electronic
information is gaining steam as a way to protect individuals' privacy,
an area of growing concern for retailers and banks as data thefts
become more brazen.

But recent details to emerge on how hackers accessed the parent of 
stores including T.J. Maxx and Marshalls show how encryption can be 
defeated by clever thieves -- and suggest the breach may have been an
inside job.

A securities filing by TJX on Wednesday disclosed that the incident
may have compromised more than 45 million credit and debit card
numbers, the most in any single incident. In the filing, TJX also
stated that "we believe that the intruder had access to the decryption
tool for the encryption software utilized by TJX."

[...]
_______________________________________________
Dataloss Mailing List (dataloss () attrition org) 
http://attrition.org/dataloss Tracking more than 203 million 
compromised records in 609 incidents over 7 years.



--
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org
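The point made above, that a short key can be exhausted by automation given enough time even without the key or the "decryption tool", as an added example that is not part of the original thread. It uses a hypothetical toy stream cipher (SHA-256 in counter mode) with a deliberately tiny 16-bit key so the search finishes in well under a second; the record layout, the test PAN 4111111111111111 and the key rates fed to the estimator are all constructed for illustration, not taken from the TJX case.

```python
"""Brute-force key search with a known-plaintext check, plus a key-space
time estimator. Toy cipher and sample data are hypothetical, not TJX's."""
import hashlib
from typing import Optional


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256: block i = SHA256(key || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: int, key_bits: int, data: bytes) -> bytes:
    """Encrypts or decrypts (XOR is its own inverse) under an integer key
    of key_bits bits. A real deployment would use a vetted cipher; the
    toy here exists only so the key space can be searched exhaustively."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    return bytes(d ^ k for d, k in zip(data, keystream(key_bytes, len(data))))


def brute_force(ciphertext: bytes, key_bits: int,
                known_plaintext_prefix: bytes) -> Optional[int]:
    """Exhaustive key search. Only the first len(prefix) bytes are decrypted
    per candidate, since a card record has a predictable field layout
    (known plaintext) and that is enough to recognise the right key."""
    n = len(known_plaintext_prefix)
    for candidate in range(1 << key_bits):
        if xor_crypt(candidate, key_bits, ciphertext[:n]) == known_plaintext_prefix:
            return candidate
    return None


def exhaust_seconds(key_bits: int, keys_per_second: float, machines: int = 1) -> float:
    """Worst-case seconds to try every key at the given per-machine rate
    spread over `machines` machines (the 'couple hundred laptops' case)."""
    return (2 ** key_bits) / (keys_per_second * machines)


# Constructed sample record (not real cardholder data): a fixed field layout
# whose leading bytes an attacker can predict, encrypted under a key they lack.
KEY_BITS = 16
SECRET_KEY = 0xBEEF
RECORD = b"PAN=4111111111111111;EXP=0812;NAME=J DOE"
CIPHERTEXT = xor_crypt(SECRET_KEY, KEY_BITS, RECORD)


def recover_record() -> Optional[bytes]:
    """Attacker's view: ciphertext plus a guess at the field prefix, no key."""
    found = brute_force(CIPHERTEXT, KEY_BITS, b"PAN=4111")
    if found is None:
        return None
    return xor_crypt(found, KEY_BITS, CIPHERTEXT)


if __name__ == "__main__":
    print("recovered:", recover_record())
    # Assumed rates: 1e9 keys/s per machine is illustrative, not measured.
    for bits, machines in ((16, 1), (56, 1), (56, 200), (128, 200)):
        secs = exhaust_seconds(bits, 1e9, machines)
        print(f"{bits:>3}-bit key, {machines:>3} machine(s): {secs / 86400:.3g} days")
```

The estimator makes the thread's "given enough time" argument concrete: at the assumed rate a 56-bit key space (the DES key length) is a matter of days for a few hundred machines, while a 128-bit space is out of reach regardless of machine count, so a weak algorithm, not just a leaked key, is enough to defeat "encrypted at rest".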

