Tuesday, January 30, 2007

TJX - They claim they closed the barn door...

I am at Logan Airport and I just heard CNN report that the CEO of TJX issued a statement that said that TJX waited to report the breach to better contain it.

That is the equivalent of saying 'The barn is secure; we have closed the barn door and put on new locks and hinges... The horses, however, are out of the barn.'

This breach, the first one of the year, is a testament to what not to do. The good guys and the victims of data theft need to share information better than the hackers do. Does TJX really think that this is the end of it? Do they actually believe that they have contained and solved the problem?

In the world of Google, ask.com and other search engines, mass storage, etc., public is forever. Think about spam for a moment. The first time I published my email address, back in 1994, I started receiving unsolicited email within a day. I still get spam at an email address that is 13 years old, that I do not use, and that has not received legitimate mail since 1996.

My point? Once there is a leak and the info is out, it's out forever (relatively speaking).

With all of the technology that's out there, it is incomprehensible that companies cannot justify spending money on security. From Richard Clarke, the former White House counterterrorism and cyber security adviser: 'If your company spends more money on coffee than on security, you deserve to be hacked, and by the way, you will be.'

The other thing I cannot comprehend is that when a company says spending thousands of dollars on security is too much money, it always finds a way to spend millions on the clean-up afterwards.

identitystuff@gmail.com


Thursday, January 25, 2007

TJX Breach Count at 200,000 or $36.4M

I was exchanging email with Jenn Abelson at the Boston Globe the past couple of days, as she is running point on the story. It was reported by her today that the tally stands at 200,000 card numbers. You know what the real story is:

This number was reported by Massachusetts Community Banks, NOT TJX!!!!

So watch this record number rise. And the associated costs.

By the way, using the per-record cost computed by Dr. Larry Ponemon at the Ponemon Institute ($182 per compromised record in his 2006 study), the cost of this breach comes to $36.4M to date. That covers only the card numbers the BANKS were able to identify, not anything TJX or the contractors brought in to do the clean-up may have found.


Thursday, January 18, 2007

TJX - The latest

Ok, folks... I thought my open challenge to the US Navy at the end of last year would be enough for someone to email me and tell me I was full of crap, or to take the other, more fun option: prove that you can do what you say. So here goes, folks:

I double-dare any company that has had a breach to email me and challenge me to prove how I can stop future breaches from happening, shut off access to the garbage (kits, scripts, and such) that was left behind, and at the end of a two-week period be able to tell you who, from what machine, connected to what application and when they did it, down to the sub-second, in real time. When I say 'from what machine' I mean the machine they used, not the MAC address or IP address.

In one day I will show you the top IP addresses connected to from your network, whether it is World of Warcraft or the World of Network Security. I will then, with the same piece of technology, allow you to set a policy that that can't happen anymore. For that user. For that machine. For that user at that machine. For that user at that machine while on the LAN.

Don't believe me? Email me at identitystuff@gmail.com and I'll prove it in 2 weeks or less. If it doesn't work, I take it back. If it works as advertised, you pay me.

Folks, it's cheaper and less embarrassing to talk to me than to the press, Wall Street, and your bosses, who all won't tolerate the bad news nearly as well as I will.

Go ahead, I double dare you. You'll feel like Neo after he took the red pill... 'Remember, all I am offering is the truth and nothing more...'
