The system security breach suffered by retailer TJX Companies Inc. is a wake-up call for many organizations to bolster their security infrastructure, but Canadian businesses are slower on the uptake than their American counterparts, said one expert.
Although data protection is on the radar, Canada typically has a “wait and see attitude” around adopting new technologies, said Fiaaz Walji, Canadian country director with San Diego-based Web filtering software vendor Websense Inc. Organizations generally don’t tend to budget for things outside the basic IT infrastructure costs, like hardware and software.
TJX, the U.S. parent company of Canadian retailers Winners and HomeSense, earlier this year reported a system breach that exposed customer financial and personal data from at least 45.7 million credit and debit cards.
A report issued by the Office of the Privacy Commissioner of Canada in September found that TJX's reliance on the Wired Equivalent Privacy (WEP) encryption protocol did not provide adequate security, and that by the time the company converted to the more robust Wi-Fi Protected Access (WPA), the switch came too late.
Customer information relating to store transactions was likely accessed from the Retail Transaction Switch (RTS) servers protected by a WEP system that, according to the report, is easily bypassed by hackers and therefore unreliable. As far back as 2003, the Institute of Electrical and Electronics Engineers (IEEE), the developer of the WEP encryption protocol, recommended the standard be switched to WPA.
TJX, however, did not begin its conversion to WPA until October 2005, some months after the first breach occurred.
The TJX incident demonstrated the vulnerability of WEP and what happens to companies that aren’t fast enough in deploying the more robust WPA, said Amit Kaminer, a Toronto-based analyst with research firm Seaboard Group. Despite the benefits of wireless to an organization, the technology presents a slew of novel challenges to network security, especially when adding new applications, he said.
If an enterprise network is not properly protected, it isn’t difficult for hackers to penetrate security, said Kaminer. WEP, said Kaminer, is breakable in under one minute, and unless the company is monitoring for network vulnerabilities, the presence of a hacker may not be evident.
“If you’re not yet using WPA, and you’re not taking other security precautions, you are not being prudent,” Kaminer said. Kaminer said the WEP system is enhanced when deployed in tandem with other technologies, like VPN, SSL and data segmentation. But even then, the performance is still only “okay” but not as effective as WPA. WPA, however, is “hardly breakable; even if someone got in, the key is changing. Once you have the key, it’s not very useful because it’s a dynamic feature,” he said.
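The weakness Kaminer describes comes from WEP's design: every packet's RC4 key is the static network key prefixed by a 24-bit initialization vector (IV) that is sent in the clear, so on a busy network the same IV, and therefore the same keystream, recurs. The script below is an added illustration written for this page, not code from the original article or from any of the firms quoted. It contains its own RC4, a WEP-style encryption routine, the keystream-reuse attack that recovers one frame's plaintext from another without ever touching the key, a birthday-bound estimate of how quickly IVs repeat, and a deliberately simplified rekeying scheme (a hash-derived per-packet key, not WPA's real TKIP key-mixing function) to show why a rotating key defeats the same attack. The sample key, IV and frame contents are constructed for the demonstration. The sub-one-minute key-recovery attacks the article alludes to (the FMS and PTW statistical attacks implemented by tools such as aircrack-ng) exploit the same static-key design but are not reproduced here.

```python
# Added example (not part of the original article): why a static WEP key is
# weak and what per-packet rekeying buys you.  rekeyed_encrypt() is a stand-in
# for WPA's behaviour, not the real TKIP mixing function; all data is constructed.
import hashlib
import math

IV_BITS = 24  # WEP IV length, fixed by the 802.11 standard


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher that WEP and TKIP wrap."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: cleartext IV, then RC4(IV || static key) XOR plaintext.
    The CRC-32 ICV trailer is omitted; it does not change the keystream-reuse point."""
    assert len(iv) == IV_BITS // 8
    return iv + _xor(plaintext, rc4_keystream(iv + root_key, len(plaintext)))


def rekeyed_encrypt(session_key: bytes, counter: bytes, plaintext: bytes) -> bytes:
    """Simplified rekeying model (NOT TKIP): the per-packet RC4 key is derived
    from a session key the access point rotates, so the same counter under a
    new session key gives a fresh keystream.  Frame layout mirrors wep_encrypt
    so the same attack function can be pointed at it."""
    per_packet_key = hashlib.sha256(session_key + counter).digest()[:16]
    return counter + _xor(plaintext, rc4_keystream(per_packet_key, len(plaintext)))


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes) -> bytes:
    """Keystream-reuse attack.  If two frames carry the same IV under the same
    key, C_a XOR C_b == P_a XOR P_b, so knowing P_a yields P_b with no key at all."""
    iv_len = IV_BITS // 8
    if frame_a[:iv_len] != frame_b[:iv_len]:
        raise ValueError("frames do not share an IV; keystreams differ")
    return _xor(_xor(frame_a[iv_len:], frame_b[iv_len:]), known_plaintext_a)


def iv_collision_probability(frames: int, iv_bits: int = IV_BITS) -> float:
    """Birthday-bound estimate of P(some IV repeats) after `frames` random IVs.
    Real drivers often reset or simply increment IVs, which makes reuse likelier still."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


if __name__ == "__main__":
    # Constructed sample data: a 40-bit key as used by "WEP-40", one IV, two 16-byte frames.
    root = bytes.fromhex("0102030405")
    iv = bytes.fromhex("aabbcc")
    request = b"GET / HTTP/1.1\r\n"   # the attacker knows or guesses this frame
    secret = b"PAN=411111111111"      # the frame the attacker wants

    f1 = wep_encrypt(root, iv, request)
    f2 = wep_encrypt(root, iv, secret)
    print("WEP, IV reused     :", recover_from_iv_reuse(f1, f2, request))

    g1 = rekeyed_encrypt(b"session-key-A", iv, request)
    g2 = rekeyed_encrypt(b"session-key-B", iv, secret)  # same counter, key has rotated
    print("rekeyed, same ctr  :", recover_from_iv_reuse(g1, g2, request))

    print("P(IV repeat) after 5000 frames: %.2f" % iv_collision_probability(5000))
```

Run stand-alone, the WEP case prints the card-number frame verbatim while the rekeyed case prints bytes unrelated to it, and the birthday estimate shows an IV repeat is more likely than not after roughly five thousand frames, which a store network generates in minutes. That is the practical meaning of "the key is changing": even when a counter value recurs, a rotated session key means the keystream does not.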
Although WEP to WPA conversion costs are not massive, the damage a business could suffer is quite significant, said Kaminer. In fact, the TJX incident is acting as a catalyst for businesses to get proactive around enterprise security, as evidenced by a trend whereby companies are making the migration.
So far, a third of North American retailers have deployed WPA. The remainder, however, “have a long way to go”, said Avivah Litan, lead analyst with Stamford, Conn.-based research firm Gartner Inc.
She said retailers don’t perceive security spending as high priority, preferring to invest more on revenue-generating activities. Besides, she added, retail payment systems are often outmoded with modern components simply patched on top.