TJX Data loss and security breach case

The TJX case was easily one of the largest data theft cases in recent history with 45 Million credit cards compromised. When the case initially emerged it was believed to be an isolated incident, and then investigators discovered that the system had be compromised at least a year earlier than believed.

Despite the fact that many people know the name, the details of the case are scattered across a number of links. This lens is designed to pull the third party information together into a rough timeline, and give people an overview of what actually occurred during the case and investigation, as well as how to protect their own organisation.

Perhaps most disturbingly, it does not appear to have been an inside job. The company's network security was penetrated externally.

In January, a number of banks reported increased fraud incidents believed to be linked, including transactions from the US, Hong Kong and Sweden.(Security Focus)

In February, TJX released the information that the thieves had had access earlier than December (between May 2006 and January 2007), and over one million cards were believed affected.

Then in March 2007, the ongoing investigation released news that it believes there had been breaches back as far as July 2005 (Search Security - 21st Feb 2007).

These earlier intrusions did not steal credit card data they merely accessed it. However they also accessed data such as driving licences, which is useful for identity theft. Because of the way TJX stored data, which was completely unencrypted and held long-term, transactions as far back as 2002 were affected.

In April 2007, a set of banks announced they were beginning legal proceedings against TJX for its data storage.

The entire operation proved to be a sophisticated set up, where the credit cards and data were carefully used to launder the money, not simply sold online.

8th May 2007 the Wall Street Journal revealed the fraud was tied to Wireless (Search Security). The thieves began by exploiting poor network security on a wireless network at a store. This allowed them to sit outside and intercept customers' credit card numbers as they made transactions.

They then used their open access point to track back to the company's central database.

TJX were storing customers' personal data (and complete credit card numbers) in an unencrypted format, allowing the thieves to simply download them. This meant that every piece of credit card data on the system had potentially been compromised - at least 45.7 million accounts were affected. They were also storing data from transactions as far back as 2002, meaning that anyone who had made a transaction in the store in that period was potentially at risk.

The stolen credit card details were then used to buy gift cards to various stores which could be exchanged for goods. To launder the money, the gift cards were used for jewellery or electronic goods. (Computer weekly)

The full costs of the breach will probably never be known, but here are a few that are:

September 2007 - A Class action suit from consumers is settled as TJX will provide $30 vouchers to all consumers affected. Those who lost their driver's licence information will get three years of credit monitoring and $20,000 fraud insurance. (Security Focus)

October 2007 - Visa fines TJX $880,000 (SC Magazine US)

November 2007 - TJX settles with Visa for $40.9M to cover the costs of reissuing the cards. (Ecommerce Times)

April 4th 2008 - TJX settles with Mastercard for $24M (Boston Herald)

It is suggested that only 1% (Bloggersnews) of those affected by the breach will be able to claim from the class action suit, but that would still be another $13,650,000.

Although the damage had already been done, the investigation managed to successfully track the people believed responsible and charges were brought against those within jurisdiction.

One of the ringleaders (from Miami) got five years in jail and a $300,000 fine (Computer weekly).

Another got thirty years in a Turkish jail. It was proved to be an organised operation which used the credit cards to buy giftcards which were then used to buy goods in a money laundering operation.

The Payment Card Industry Data Security Standard is designed to reduce the chances of such attacks, the likelihood of such attempts succeeding, and the damage done if one takes place.

It was not in place at TJX at the time the attacks took place. Visa had agreed to hold off on fines until the end of 2008 as long as the company showed diligence in working towards the standard. Understandably, the data breach and what it revealed about the security practices at TJX were held to leave the company liable for its non-compliance.

Have an opinion on the case? Involved with or concerned about PCI DSS? Leave your comments here.

This article was migrated from Squidoo after the site's closure. Please find comments from the old guestbook below. Beneath these comments are the current guestbook.

ctavias0ffering1 5 years ago

Excellent lens very easy to understand. 5*

javr 3 years ago from British Columbia, Canada

Companies should do what they can to avoid storing ANY credit card numbers at all.

BlackHeart1 3 years ago

You made it!! You submitted this lens for the top Internet Lens section and you made it to the top 5 ... Be sure to go check this page: http://www.squidoo.com/top-5-internet on the first of the month to see what your position in the top 5 is and don't forget to tell your friends and visitors about it too