How long have we been hearing about this TJX mess? It's hard to believe, but the news broke last January: Intruders had stolen credit card transaction data about customers of US clothing and home products retailers TJ Maxx, Marshalls and other TJX stores. Back then, TJX claimed that "a limited number" of customers were affected. "And by 'limited' we mean substantially less than millions," a spokeswoman said.
This week, we got a harder number: 94 million customers.
How could TJX have been so spectacularly wrong?
One word: optimism.
Oh sure, these people might just be lying SOBs who deliberately covered up the awful news. But what we know suggests they really were concerned — just clueless as to how bad it could get.
Consider this: Back in January, TJX thought the breach came in mid-May 2006. But within weeks, an investigation by IBM and General Dynamics found that the first intrusion had happened almost a year earlier, in July 2005 — not seven but 17 months before it was discovered.
In January, TJX said the number of customers affected was under a million. But the New Hampshire Bankers Association, which represents banks that issue credit cards in that state, estimated that up to four million people were affected just in New England.
By March, TJX's estimate had ballooned to 45.6 million credit accounts in filings with the US Securities and Exchange Commission. The company is still officially sticking with that number. But in court filings last week, a group of banks said that 94 million separate credit and debit card accounts were affected — 65 million Visa accounts and 29 million MasterCard accounts.
That's 100 times TJX's first estimate, and so astonishingly out of whack with the original statement that if it was an intentional lie, it was doomed to be unbelievable from the start.
But optimism? Yeah, we can believe that.
After all, IT people know how seductively dangerous optimism can be. It's the reason we routinely overrun project budgets and timelines. It's why user training always takes longer and is less effective than we expect it to be. It's the root cause of most of our software problems and hardware headaches.
We underestimate what can go wrong. And when it does, we're not prepared. In fact, we're blindsided.
And when it comes to security, optimism is deadly. It means we underestimate the risks before a breach and underestimate the damage once it happens.
Unfortunately, optimism is popular with management, especially at the top. Short schedules, lowball budgets and rosy security outlooks are what they want to hear. Realistic assessments of time, cost and risk? That's the stuff that gets the messenger shot.
But that's what we have to deliver.
How? With a little sugarcoating, maybe. Or backed by lots of statistical detail. Or with downside examples based on experience — our own or our competitors'.
Exactly how to rein in that desire for optimism depends on company culture and politics. But it has to be done.
And the first step is getting rid of unrealistic optimism throughout the IT shop. We have to recognise that problems, time bombs and dead ends exist, so we can find them and deal with them.
That doesn't mean gloom and doom should rule IT — just a healthy skepticism about how smoothly things will go, along with a sharp eye for worst-case scenarios.
A can-do attitude? Sure. A nothing-can-go-wrong view? Never.
As for TJX, for all the trouble optimism has caused over the course of this security fiasco, maybe this isn't the time to abandon those rose-coloured glasses.
With the FTC, Canadian privacy regulators, state officials and 94 million customers breathing down its neck, TJX had better hope things just don't get any worse.