TK Maxx 'should disclose hacking details'

US discount retailer TJX, owner of UK retailer TK Maxx, revealed in a regulatory filing on Wednesday that at least 45.7 million payment card details had been stolen by hackers.

The hack was first detected in December 2006, but the filing revealed that the breach was far more extensive than first thought. Analysts have already labelled it the single largest security breach ever.

Speaking to ZDNet UK at the Black Hat 2007 security conference in Amsterdam, David Litchfield, managing director of NGS Software, who has found a number of vulnerabilities in Oracle database software, said that companies should give technical details of hacks so the security community could learn how to combat similar breaches in the future.

"TK Maxx has not specified how it was done," said Litchfield. "It could have been any number of vulnerabilities. [The hackers] are supposed to have had access for two years, so we're looking at a vulnerability from two years ago — take your pick."

"You always hear of breaches — 50,000 credit card numbers stolen, 100,000 security numbers. That's not interesting — we need to know how they did it. We need to know they were running XYZ system, exploiting XYZ flaw, using such and such a rootkit — that's what we need to know. Why people don't talk about this is beyond me — it will teach people what not to do," Litchfield added.

Billy K Rios, senior security researcher with Ernst and Young, who has previously worked on penetration testing US government systems, said that the need for those defending networks to balance security with usability gave hackers an advantage.

"It's indicative of the problems every company is facing which is entrusted with customer data," Rios told ZDNet UK. "You have attacks of a global nature, all of the time."

"Any system can be hacked — these guys are smart. The people defending the networks know what they're doing, but an attacker can go full fledge, all out, all the time. Guys in charge of defence have to make their systems usable — the attacker doesn't have to compromise," Rios added.

Raghav Dube, who works as a senior security researcher for Ernst and Young performing penetration and security tests, said that companies needed to rigorously test their systems to make sure that if the shell defences were breached, the internal system is hardened enough to withstand attacks.

"A lot of it boils down to companies having to have due diligence. What can happen if someone breaks into your network? Can they access customer data on a database? If you leave a system open, it's not a question of if, but when you'll be hacked."

Black Hat Europe is a two-day conference held in Amsterdam, which brings together security professionals from the private and public sector.