The bozo brigade marches strong in 2007

Opinion
Jan 23, 2007 | 4 min read
Data Center, Regulation, Security

Do you have any candidates for a Stoopid IT Tricks award?

Editor’s Note: Starting next week, the Storage newsletter will have a new author: Network World Senior Editor Deni Connor. As Network World’s longtime storage expert, Deni will bring to the newsletter a wealth of knowledge about enterprise storage and disaster recovery issues. We thank you for reading this newsletter!

The year is young, but the bozo brigade is already out in force.

Last Wednesday, TJX Corp, the company that owns retail stores Marshalls, T.J. Maxx and HomeGoods, admitted that a month earlier it had uncovered evidence of an “unauthorized intrusion” into its computer systems, an intrusion that compromised the data on perhaps a million TJX customers going back to 2003. They had been hacked.

The company said the intrusion involved credit card, debit card, check, and merchandise return data of stores in the U.S. and Canada, and perhaps also in Britain and Ireland. On the one hand, this is not the same sort of problem I reported on last year. Then, I reported several times on how less-than-conscientious workers and poor IT management – particularly in the area of “chain of custody” issues – had resulted in tapes dropping out of the back door of trucks, disappearing off loading docks as they awaited transport to archiving sites, and so forth. No, this one is quite different, as the problem comes from a concerted attack on corporate data.

Companies keep data, a fact that keeps all readers of this newsletter employed. But they aren’t supposed to keep everything, and they are supposed to set up safeguards that make sure they aren’t providing a smorgasbord for the first enterprising hacker to come along. In fact, there are industry guidelines akin to governmental regulations that provide guidance as to the sort of customer data that should be maintained, how long it should be kept, and how it should be protected.

TJX may not have followed those industry guidelines, keeping too much customer data and, it now seems, apparently keeping that data in an unencrypted form. A slight boo-boo, I suppose.

One part of this problem, however, is exactly like what happened last year. I took companies to task not just for losing data, but also for being laggards in getting the news out to the public so that their customers might protect themselves. Taking aim at the offsite repositories that seemed to be constantly in whatever-happened-to-those-tapes mode, I said, “Whenever media is lost by an archiving site, either in transit or within the company’s own facility, MAKE SURE THE REPOSITORY INFORMS YOUR CORPORATE OFFICERS WITHIN 12 HOURS OF THE DISCOVERY OF THE LOSS! Put a statement to this effect in your service-level agreement, and impose a stiff penalty for nonperformance.”

I was right, but alas, not nearly as circumspect as I should have been.

Customers have a right to know when their data has been compromised, a right that must be attended to immediately no matter what the public relations consequences. A 12- to 24-hour time span seems appropriate.

How far off is the time when consumers (or more likely, their banks and those banks’ insurers) band together and demand an immediate alert when something like this happens? With regulatory compliance becoming increasingly significant, it’s a good bet that we’ll be seeing directives regarding this “alerting gap” in the near future. When the consequences for noncompliance include liability for the corporate officers, things will get interesting indeed.

More Stoopid IT Tricks as they occur.

P.S. When IT management drops the ball and the story makes it into the newspapers, it is almost always a security-related issue. Can you verify a case of another bit of IT foolishness? If you want to blow the whistle on another candidate for a Stoopid IT Tricks award, let me know. I promise to follow up on objective, verifiable information from whistle-blowers, to keep informants’ names out of the public eye, and to share the silliness with my international readership. Thanks!