TJX Data Breach Fallout - Banks Cleaning Up the Mess
As expected, the impact of the TJX security breach is becoming more apparent. Security Focus is reporting:
Banks and retailers in the United States and Canada have begun to report an increasing amount of illicit transactions thought to be linked to the server breach announced last week by the TJX Companies, the commercial giant that owns retail chains in the U.S., Canada and Europe. More than 60 of the 205 banks in Massachusetts have begun reissuing cards after being contacted by credit-card companies about compromised cards, the Massachusetts Bankers Association stated this week.
From the Globe and Mail we hear:
Thousands of Canadian credit-card holders have been victimized by fraud after a security meltdown at the U.S. parent company of retail chains Winners and HomeSense, according to sources in the financial community. They suggested that number could rise as banks and other credit-card issuers continue to gather information on what has become one of the most high-profile privacy thefts in recent memory.
Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, was quoted in an Associated Press story and expects this is not the end of the story, saying:
"We expect that this is going to continue and the fraud may widen, … This is just the first reports we have confirmed."
This continuing story drives home the point that the victims in this case are not just TJX. Companies must take more responsibility for how they manage information. An unfortunate and fatalistic opinion circulating is that security breaches will always be with us and we have to accept our inability to prevent such losses. See, for example, a comment to my first post on the TJX incident:
As a security consultant, I suggest that those being critical of TJX or other victims wake up and smell the coffee. Hackers will find in a way despite the best efforts of the IT professionals trying to protect themselves.
(I wouldn't suggest using that second sentence in a job interview.) If someone actually believes that, then why bother with security? Of course there are things we can do to mitigate risks, and to think in black-and-white terms that hackers will always succeed and we'll always lose is naive.
Those of us who have woken up and smelled the proverbial coffee know full well the challenges we face. We also know we have responsibilities. Dismissing a breach like TJX’s as the inevitable work of bad guys is too passive for me. Facing our mistakes and learning from them is part of the solution. But for those who can’t stomach the responsibility, go ahead and keep blaming the messenger.



