Thursday, August 7, 2008
Drawing the Wrong Lessons from a Breach
The other day, I was listening to the radio, and a commentator said that the most significant harm that could come from a major breach like the TJX breach was not identity theft, but people losing faith in doing business over the internet. Frankly, I'm not sure he was right, given that identity theft is a major problem for consumers. However, while it might not be the biggest harm from a breach, losing faith in doing business over the internet would be an inappropriate response to a breach like the one at TJX for the simple reason that the internet had nothing to do with that breach. Instead, the hackers found stores that had unsecured wireless connections, used them to install malicious software on the TJX corporate network, then used the software to harvest credit cards from TJX's systems. The internet didn't come into play until after the cards were stolen and the thieves needed to sell them. While avoiding doing business over the internet might avoid some types of risks (particularly phishing scams), it would have no effect whatsoever on a consumer's risk of being affected by a breach such as the one that took place at TJX.