So there’s been a stack of news stories on TJX and the issues with their database. I want to comment on an aspect of the story not getting a lot of coverage. In the Cincinnati Enquirer story, “Fifth Third has role in TJX hole,” Mike Cook is quoted as saying “If you are a consumer and you’re part of the TJX breach, you are hoping it’s 10 million people because the chance of your name being misused goes down considerably depending on the size of the data breach.”
I don’t buy it. What we’re doing is telling criminals they need to scale up their exploit techniques and networks. We did that with spamming and phishing. Bad idea.
Some other news tidbits I found interesting:
- Mass TV channel WHDH reports “Attorney General Coakley victim of identity theft.”
- In “TJX Data Theft Just Keeps Getting Worse,” Chris Wysopal points out what a bad idea it is to give your driver’s license to return something to a store. I wonder, are the people who operate the ‘return management networks’ liable?
- Dissent writes On the alleged “costs” of breaches
- The Wall St Journal reports that a “Bill Would Punish Retailers For Leaks of Personal Data.” I think that this is a bad idea today. We don’t have honest advice about cost-effective ways to prevent these things [see update], so retailers aren’t the right place for liability. (Perhaps liability for storing old data, or collecting SSNs, driver’s licenses, etc. But not for holding current credit card information.)
- Risk Management insight: “Way Out of Perspective” compares the results of TJX suffering a breach, and ‘some kid who ran a warez ring.’
It’s my understanding that the shopping bags in the photo aren’t full of clothes. (Photo from here, original context unclear.)
[Update: by ‘these things’ I was intending to imply not only credit card issues, but the gamut of information security issues that might arise. If you think we do have economic advice to give, consider submitting a paper to the workshop on the economics of information security: they explicitly ask for papers on ‘optimal security investment’]