Boston.com

TJX breach shows that encryption can be foiled

Encryption alone is no panacea for threats to consumer data, according to specialists who say the technology's limit can be seen in the problems reported by TJX Cos. of Framingham.

The notion of using complex math formulas to scramble electronic information is gaining steam as a way to protect individuals' privacy, an area of growing concern for retailers and banks as data thefts become more brazen.

But recent details to emerge on how hackers accessed the parent of stores including T.J. Maxx and Marshalls show how encryption can be defeated by clever thieves -- and suggest the breach may have been an inside job.

A securities filing by TJX on Wednesday disclosed that the incident may have compromised more than 45 million credit and debit card numbers, the most in any single incident. In the filing, TJX also stated that "we believe that the intruder had access to the decryption tool for the encryption software utilized by TJX."

TJX spokeswoman Sherry Lang declined to elaborate on the document, but outside security consultants say the language hints that a company employee or contractor, or someone known by an employee or contractor, was able to gain access to TJX's computers and obtain the formula needed to unscramble data.

"It's hard to know from the filing if it was an external or internal weakness," said Steven Sprague, chief executive of Wave Systems Corp. in Lee, a maker of software for encryption devices. Gwenn Bezard, research director for security consulting firm Aite Group in Boston, said the language "supports the involvement of an insider," a growing problem as thieves learn that low-paid employees are often an easy path to accessing company data.

TJX's securities filing marked the most extensive details the company has given to date on the matter it first disclosed to customers in January. In it the company stated it found unauthorized software on its systems in December, through which thieves apparently stole data on millions of accounts from systems in Framingham and in Watford, in the United Kingdom.

Moreover, thieves may not have even needed access to the encryption tool because, as the filing also states, the intruder or intruders may have had the ability to steal payment card data during the approval process, when personal information is transmitted without encryption.

These weaknesses are noteworthy since various state and federal lawmakers, and consumer groups, have called for increased encryption requirements among other laws they say are needed to prod companies to do more to protect individuals' data.

A trade group of credit card companies known as the Payment Card Industry Security Standards Council already requires large merchants to encrypt data for it to be stored.

Bill Bartow, vice president of Tizor Systems Inc., a data security firm in Maynard, said the lesson is that companies should think about how they handle encryption and decryption software as well. TJX's filing, he said, "says that encryption alone isn't enough to protect your data, and there's a possibility that TJX didn't do a good job of protecting its keys. If that's the case, it's that the encryption is only as good as your process for protecting the keys."

The filing also discloses for the first time that the company now faces a multistate investigation by the attorneys general of roughly 30 states, led by Massachusetts Attorney General Martha Coakley, who has previously said she would press the company for more details on the matter.

The filing states that this month Coakley's office sent TJX a demand for documents concerning the break-in "as part of that office's review of allegations that the company may have violated state law regarding consumer protections and related matters."

A Coakley spokeswoman declined to elaborate. Eight other states have filed similar requests, the filing states. It also mentions investigations by other regulators including the Federal Trade Commission, as previously reported.

Ross Kerber can be reached at kerber@globe.com.

© Copyright The New York Times Company