Jaikumar Vijayan over at Computerworld has a great round-up of "lessons learned" from the TJX break-ins, first announced a year ago today. To his five points listed below I would add a couple of observations.
Breach disclosures don't always affect revenue or stock prices ...
... but they can be costly
PCI remains a work in progress
The card payment process has issues
The bad guys remain hard to catch
All great points. I would just point out two more of my own:
Reading the news can be very helpful. If those responsible for TJX's security and compliance had had their eyes open, they would have clued in to the attacks against Lowe's and DSW and perhaps been able to avoid the credit card losses altogether.
TJX is becoming the poster child for how not to handle the PR around a data breach. Their management should come clean on the exact techniques that were used (with simultaneous assurances that the technical problems have been addressed). Was it WiFi? Was it kiosks in the back of the store? Was TJX aware of the breaches well over a year ago? If not, how did law enforcement officials file briefs in a Florida court citing these breaches months before TJX's announcement?
The TJX story is far from over. I just hope the rest of the retail industry is reading the media. Especially security blogs. :-)