Posts from February 2007

February 25, 2007

NYSE:TJX -- Credit Card Security Breach, Part 2

On February 21, Carol Meyrowitz, President and CEO of The TJX Companies, Inc., posted a letter on the TJX.com website informing consumers of the progress and preliminary findings of the recently disclosed credit card data security breach the company has suffered.  (See: http://www.tjx.com/tjx_message.html)

TJX is attempting to keep the general public informed of the findings uncovered so far in the ongoing credit card data breach investigation--that action is commendable.  TJX has gone one step further and admitted that the scope of the problem was not accurately estimated at the beginning of the investigation.  The ongoing investigation has revealed the data security breach to be more widespread, and possibly to have occurred much earlier, than previously estimated. 

As an information security professional and as a consumer, I value and appreciate the updated communication attempts by TJX.   However, I find it troubling that other retailers are not coming forth, in the wake of these unfortunate events plaguing TJX, to detail to the public and to consumers their commitment to more robust data security practices.   

A few months ago on this blog, I wrote about the Payment Card Industry (PCI) Security Standards Council (www.pcisecuritystandards.org).  The PCI Security Standards Council publishes the PCI Data Security Standard, commonly referred to as PCI DSS.  Quoting from the PCI Security Standards Council's website:

"The PCI DSS version 1.1, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data."

The PCI DSS is a good starting point for any retailer, merchant, or credit card processor to lay the foundations for stronger information security practices and defenses.  Up to this point, TJX has not said whether it adheres to the PCI DSS or whether it intends to do so going forward.  TJX and other retailers should publicly state, and provide consumers with greater assurances, that they are following industry-standard methodologies for the technical and operational security of our credit card transaction data. 

One important step in this direction is for retailers to publicly detail which industry standards for operational and technical security they are adopting.   Some may argue that publishing that information may place retailers at a higher risk of attack by hackers trying to prove an organization is deficient in its security.   Although that may be true, honest disclosure about what a company is doing to earn my trust as a consumer is something I would value and welcome. 

Note to TJX:  Thank you for communicating to the public the progress of your investigation.  Please consider adhering to the PCI DSS and sharing with the public any other proactive measures you will be taking to ensure this unfortunate data breach does not happen again.

February 14, 2007

Teacher May Face 40 Years in Prison for Pornography

The Story:

A public school elementary substitute teacher in Norwich, Connecticut may face up to 40 years in prison for an incident that happened while she taught seventh-grade students.

Last month, Julie Amero was convicted of exposing students in her class to pornography on her classroom computer.  Amero contends the pornography displayed on the computer was caused not by her willful actions, but rather accidentally by spyware and adware programs.  Authorities in Connecticut who prosecuted this case believe it was not accidental and continue to believe she is guilty of her crime.

My commentary:

According to news reports, the school principal admitted the school district hadn't renewed the license for the firewall software that protected the computer in Amero's classroom.  This fact doesn't sit well with me.  Why isn't the school district on trial?  Where is the moral, ethical, and fiscal responsibility of the school administrators and school district officials in ensuring that ALL computers in the school district have the appropriate anti-virus/anti-spyware and firewall software?

One other fact bothers me.  The prosecution, according to media reports, didn't search the computer's hard drive for the presence of spyware or adware!   That is a poor computer forensics examination of the seized computer's hard drive--there is no excuse for that on the part of the prosecution.

In my opinion, part of the blame also rests with the school board and the school administration, who knowingly allowed teachers to use classroom computers without the appropriate anti-virus/anti-spyware and firewall security software protections in place.  Are any parents mad at the school district about this fact?

This case looks to be based on poor evidence handling by the authorities and a prosecution more interested in headline grabbing than in searching for the truth. Unfortunately, here is a teacher who's been crucified based on technically circumstantial evidence.  I'm sorry, but this is still the United States of America, where I thought people were presumed innocent until proven guilty.  In my book, the burden of proof in this case is at best circumstantial and not even close to meeting a higher degree of conclusive proof based on a sound computer forensics examination of the classroom computer's hard drive. 

OK, I'll get off my soap box for now--just my $0.02 from a distance.  To learn more about this case, here is a link:

ABC News
http://abcnews.go.com/US/print?id=2872230

February 06, 2007

2007 SC Magazine Awards Gala

Tonight, I had the opportunity of attending the 2007 SC Magazine Awards Gala held in San Francisco.  The list of finalists for consideration in any of the 28 categories can be found at http://www.scmagazine.com/us/awards/categories/finalists.  Congratulations to all the winners!