
Corporation Suffers Data Breach then Creates Plan to Prevent Attacks

Hackers attacked retailer TJX Companies, which operates T.J. Maxx and Marshalls stores in the U.S. as well as T.K. Maxx stores in the U.K. and Ireland. The attack was discovered last month but not disclosed at the request of law enforcement officials. According to the Associated Press, TJX Chairman Ben Cammarata said:

"Our first concern is the potential impact of this crime on our customers, and we strongly recommend that they carefully review their credit card and debit card statements and other account information for unauthorized use."

The hackers broke into a system that handles credit and debit card transactions, as well as checks and merchandise returns, for customers in the U.S. and Puerto Rico, and the breach may also involve customers of T.K. Maxx stores in the U.K. and Ireland.

The full press release includes the following:

With the help of leading computer security experts, TJX has significantly strengthened the security of its computer systems. While no computer security can completely guarantee the safety of data, these experts have confirmed that the containment plan adopted by TJX is appropriate to prevent future intrusions and to protect the safety of card, debit card and other customer transactions in its stores.

So attackers break in, and a month later the company has a plan to prevent future breaches. This raises the question: if the plan was so easy to formulate, why wasn't it done before? This is a lesson for the rest of us: we need to lock down networks before attacks, not just after them.


Comments

These so-called "security experts" taking shots at TJX, aren't! To insinuate that there was no security prior to the breach and that now protection methods are being introduced is just plain ignorance. They're feeding on the mob mentality without thinking. I'm sure that there was plenty of security in place. There's no way that they would have been untouched this long without a fairly formidable security system. Did anyone ever consider an inside job, disgruntled employee, or untrustworthy worker at a trusted business partner? How about a software vendor with a developer that likes to create backdoors to their code? If Microsoft developers put in "secret access methods", then no one is immune.

Then there's the banks using TJX as a way to explain their own losses. As for some of the fraud reports, "get serious"! One alleged claim filed by a customer said their card was used at a gas station and Wal-Mart. "WAL-MART!" "Mr. Computer Thief. You've just hacked through 10 layers of security and made off with millions worth of credit cards. What are you going to do next? I'm going to Wal-Mart!" I don't think so.

As a security consultant, I suggest that those being critical of TJX or other victims wake up and smell the coffee. Hackers will find a way despite the best efforts of the IT professionals trying to protect themselves. There are too many fools who get off on breaking into a system rather than using their knowledge to make millions legitimately by helping companies lock down their enterprise.

Every "expert" out there can Monday-morning-quarterback these events but in the end, doing so only shows their ignorance of the criminal mind. Computer crime will continue for the foreseeable future and it's up to the "security experts" to spread awareness and to offer help in protecting the public. Criticizing a company for being hacked is tantamount to blaming shooting victims for attending elementary school. They should have known that every 2nd-grader is packing heat.

If you're a true "expert", then be happy. Your business should have doubled these past few weeks as everyone re-examines their security policies.

Having spoken to someone who recently worked for TJX's IT Audit function, all I can say is that this was a long time coming. When Audit highlighted IT security issues to senior management, the response was often "So what, it's not as if we're going to be losing one red blouse?"

So Mr. Security Consultant's assumptions above are wrong, if the tone at the top was that poor then you can be sure that TJX just didn't care about security.... best efforts my ar$e. Hope someone takes them to the cleaners!

An earlier comment seems to argue that we shouldn't question why breaches happen. No one I know ever said there was no security in place, I'm sure there was a lot. The question is, why didn't it work?

Real money is lost in these attacks, that's why hackers attack. This is a zero-sum game, someone is losing that money and that is justification enough to ask why the breach happened.

Another reason to raise questions is that I used to be a T.J. Maxx customer but I have no idea if my info was exposed. I am tired of receiving letters from banks telling me my financial information may have been compromised.

So I'll ask the broader community, when is it appropriate to ask questions like "If a plan is in place now, why wasn't it in place before?" I'll post all responses, so share your thoughts with other readers.

Question to Jamie about his post which includes: "Did anyone ever consider an inside job, disgruntled employee, or untrustworthy worker as a trusted business partner."

Security measures have always included access controls on employees and business partners. I'm not sure how the role of insiders changes the responsibility of TJX or the consequences for the customers.

It's pretty clear to me that Jamie (first comment above), a self-described security consultant, has had some of his professional efforts breached. Oh Well. That's still no reason to defend the position of a huge corporation that didn't put enough effort into its security systems until it was too late for many of its customers.

Other readers might be interested in knowing the Privacy Rights Clearinghouse has a guide on how to deal with a security breach; it's at
http://www.privacyrights.org/fs/fs17b-SecurityBreach.htm

One concern I have is confidential data being extracted from corporate databases by employees for legitimate purposes and placed in files on laptops, for example in Excel format. From what I can see, this is a fairly common practice, and once the data is in such a format, any safeguards imposed by the source database are no longer in effect. The file can be easily transferred to portable media by a dishonest employee, or the laptop could be stolen.

I think that this problem will continue to grow.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net