Mark the year 2007 as the moment when everything changed about IT security in retailing. Prior to 2007, the slow-to-change retail industry was napping behind the curve when the wake-up bell rang -- the biggest theft of customer data in history occurred at TJX Companies, operator of T.J. Maxx and Marshalls.
The confirmed total of stolen records, according to a recent story in the Wall Street Journal, is at least 45.7 million credit and debit card numbers from about a year's worth of transactions, and it could go higher.
Details emerging from the theft are chilling. It began in 2005 at a Marshalls near St. Paul, Minneapolis. Hackers used a telescope-shaped antenna and a laptop during peak sale periods to decode and capture data streaming through the store's wireless network. They first tapped into handheld units used to manage inventory and send prices to cash registers.
After cracking the encryption code, the hackers captured user names and passwords from employees logging into TJX's corporate database. They began collecting transaction data from large storage files. To avoid duplicating work, they left encrypted messages noting which files had already been copied.
The hackers, who haven't been caught, sold credit card data to a gang in Florida, who used it to steal $8 million from Wal-Mart and other stores. But this is just the tip of the iceberg. So far, TJX-related fraud has occurred in at least six other states and eight countries. The fallout from this theft will be enormous.
Banks will be forced to spend hundreds of millions of dollars to replace compromised credit cards and accounts. And that doesn't take into account losses from fraudulent transactions, which could reach $20 million. It also doesn't take into account costs for security upgrades, attorneys' fees, lawsuit liability and consultants, which Forrester Research estimates could surpass $1 billion over five years.
As a result of this theft, TJX will be forced to absorb significant financial write-downs, but, ultimately, so will the retail industry as a whole.
Currently, there are 21 U.S. and Canadian lawsuits filed against TJX attempting to establish the precedent that retailers, as opposed to banks, bear full financial responsibility for such breaches.
Several states are proposing legislation to this effect, and a Congressman from Massachusetts plans to move forward at the federal level.
You can't unring a bell, and retailers napping behind the IT curve will be forced to answer this wake-up call whether the CFO tries to hit the snooze button or not.