TJX, the owners of TKMaxx were the targets of one of the largest data theft cases so far. The consequences are still ongoing, but over 45 million credit cards were affected and customer identity data such as driving licences was also stolen. This is an overview of the case, the investigation, and the long-term effects of the data theft.
TJX Data loss and security breach case
The TJX Case was one of the largest data theft cases so far. Over 45 million credit cards were affected, along with driving licences and other ID.
About the TJX Case
One of the largest theft cases
The TJX case was easily one of the largest data theft cases in recent history, with 45 million credit cards compromised. When the case first emerged it was believed to be an isolated incident; investigators then discovered that the system had been compromised at least a year earlier than first thought.
Despite the fact that many people know the name, the details of the case are scattered across a number of links. This lens is designed to pull the third party information together into a rough timeline, and give people an overview of what actually occurred during the case and investigation, as well as how to protect their own organisation.
Perhaps most disturbingly, it does not appear to have been an inside job. The company's network security was penetrated externally.
An overview of the case
The largest data theft in recent memory
The case first came into the public eye at the start of 2007. No one then was aware of what it would grow into.
On 17th January 2007, TJX disclosed that thieves had gained access to credit card information stored on its network. The company said it had discovered suspicious software on its systems on 18th December 2006 and had notified law enforcement. (Search Security - 18th Jan 2007)
In January, a number of banks reported increased fraud incidents believed to be linked, including transactions in the US, Hong Kong and Sweden. (Security Focus)
In February, TJX released the information that the thieves had had access earlier than December (between May 2006 and January 2007), and over one million cards were believed affected.
Then in March 2007, the ongoing investigation reported that it believed there had been breaches as far back as July 2005. (Search Security - 21st Feb 2007)
These earlier intrusions did not steal credit card data; they merely accessed it. However, the intruders also accessed data such as driving licence numbers, which is useful for identity theft. Because of the way TJX stored data, completely unencrypted and retained long-term, transactions as far back as 2002 were affected.
In April 2007, a set of banks announced they were beginning legal proceedings against TJX for its data storage.
Wi-fi at risk
A brief overview of the case and investigation
On the 8th May 2007 the Wall Street Journal revealed the fraud was tied to Wi-fi. The thieves began by exploiting poor network security on a wireless network, allowing them to intercept card transactions, and then used that foothold to work their way back to the company's central database. TJX were storing customers' personal data (and complete credit card numbers) in an unencrypted format, allowing the thieves to simply download them. This meant that every piece of credit card data on the system had potentially been compromised - at least 45.7 million accounts were affected.
In October 2007 it was suggested that as many as 95 million card numbers were exposed. TJX responded that most were already expired when they were compromised. (6)
How it was done
A sophisticated attack
The entire operation proved to be a sophisticated setup, in which the cards and data were carefully used to launder the money rather than simply sold online.
On 8th May 2007 the Wall Street Journal revealed the fraud was tied to wireless networking (Search Security). The thieves began by exploiting poor network security on a wireless network at a store. This allowed them to sit outside and intercept customers' credit card numbers as they made transactions.
They then used their open access point to track back to the company's central database.
TJX were storing customers' personal data (and complete credit card numbers) in an unencrypted format, allowing the thieves to simply download them. This meant that every piece of credit card data on the system had potentially been compromised - at least 45.7 million accounts were affected. They were also storing data from transactions as far back as 2002, meaning that anyone who had made a transaction in the store in that period was potentially at risk.
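The two storage failings described above (full card numbers kept in the clear, and kept for years) are the ones a practitioner can actually design out. The following is an added example, not code from the original article or from TJX, showing a ledger that stores cards the way the article describes beside one that keeps only a masked number, a keyed token for chargeback lookups, and a retention purge. The key, the card numbers (standard test numbers) and the transactions are all constructed for the example; the 90-day retention window is an assumed business requirement.

```python
# Added example (not from the original article): keep card data so that a dump
# of the transaction table yields no usable card numbers.
# Key, card numbers and transactions below are constructed for illustration.
import hmac
import hashlib
from datetime import date

# Constructed secret; in production this lives in an HSM/KMS, never in code.
TOKEN_KEY = b"constructed-example-key-not-for-production"

RETENTION_DAYS = 90  # assumed business need for chargeback lookups


def _digits(pan):
    """Strip spaces/dashes and sanity-check the PAN length (13-19 digits)."""
    d = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(d) <= 19:
        raise ValueError("not a plausible card number")
    return d


def mask_pan(pan):
    """Keep first six and last four (the form PCI DSS allows for display), drop the rest."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def pan_token(pan):
    """Keyed hash so the same card can be matched across records without storing it.
    An unkeyed SHA-256 would be brute-forceable: with the first six digits known,
    a 16-digit PAN has only about 10^9 candidates."""
    return hmac.new(TOKEN_KEY, _digits(pan).encode(), hashlib.sha256).hexdigest()


def record_unsafe(ledger, pan, expiry, licence_no, amount, when):
    """What the article describes: full PAN, expiry and ID number kept verbatim, forever."""
    ledger.append({"pan": _digits(pan), "expiry": expiry, "licence": licence_no,
                   "amount": amount, "date": when})


def record_safe(ledger, pan, amount, when):
    """Store only what settlement and chargebacks need: masked PAN plus a token."""
    ledger.append({"pan_masked": mask_pan(pan), "pan_token": pan_token(pan),
                   "amount": amount, "date": when})


def purge_old(ledger, today, retention_days=RETENTION_DAYS):
    """Delete records older than the retention window; returns the number removed."""
    keep = [r for r in ledger if (today - r["date"]).days <= retention_days]
    removed = len(ledger) - len(keep)
    ledger[:] = keep
    return removed


def recoverable_pans(ledger):
    """What an attacker who downloads the whole table gets: count of full PANs."""
    return sum(1 for r in ledger if "pan" in r)


def find_by_card(ledger, pan):
    """Chargeback lookup on the safe ledger without ever storing the PAN."""
    t = pan_token(pan)
    return [r for r in ledger if r.get("pan_token") == t]


# Constructed sample transactions (the card numbers are standard test numbers).
SAMPLE = [
    ("4111 1111 1111 1111", "05/09", "MA-123456", 49.99, date(2002, 11, 3)),
    ("5500 0000 0000 0004", "11/08", "FL-987654", 120.00, date(2006, 6, 14)),
    ("4111 1111 1111 1111", "05/09", "MA-123456", 15.50, date(2007, 1, 9)),
]


def build_ledgers(today=date(2007, 1, 17)):
    """Fill both ledgers from SAMPLE; retention is enforced only on the safe one."""
    unsafe, safe = [], []
    for pan, exp, lic, amt, when in SAMPLE:
        record_unsafe(unsafe, pan, exp, lic, amt, when)
        record_safe(safe, pan, amt, when)
    purge_old(safe, today)
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = build_ledgers()
    print("full PANs recoverable from unsafe ledger:", recoverable_pans(unsafe))
    print("full PANs recoverable from safe ledger:  ", recoverable_pans(safe))
    print("records left after retention purge:     ", len(safe))
```

The point of the keyed token rather than a plain hash is that the card number space is small once the issuer prefix is known, so an attacker who steals a table of unkeyed hashes can recover the numbers offline; with the key held outside the database, the dump is useless for fraud while the business can still match a returning card to its earlier transactions.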
The stolen credit card details were then used to buy gift cards to various stores which could be exchanged for goods. To launder the money, the gift cards were used for jewellery or electronic goods. (Computer Weekly)
Fines and settlements
The effects on TJX and the costs of data loss
The full costs of the breach will probably never be known, but here are a few that are:
September 2007 - A Class action suit from consumers is settled as TJX will provide $30 vouchers to all consumers affected. Those who lost their driver's licence information will get three years of credit monitoring and $20,000 fraud insurance. (Security Focus)
October 2007 - Visa fines TJX $880,000 (SC Magazine US)
November 2007 - TJX settles with Visa for $40.9M to cover the costs of reissuing the cards. (Ecommerce Times)
April 4th 2008 - TJX settles with Mastercard for $24M (Boston Herald)
It is suggested that only 1% (Bloggersnews) of those affected by the breach will be able to claim from the class action suit, but that would still be another $13,650,000.
The legal consequences
On August 8, 2008 the TJX President issued a statement saying they:
"regret any difficulties you may have experienced as a result of the sophisticated criminal attack(s) on our computer system in 2005 and 2006"
However he goes on to say that they are glad the people responsible are facing charges. (TJX Message)
Although the damage had already been done, the investigation managed to successfully track the people believed responsible and charges were brought against those within jurisdiction.
One of the ringleaders (from Miami) got five years in jail and a $300,000 fine (Computer Weekly).
Another got thirty years in a Turkish jail. It was proved to be an organised operation which used the stolen card details to buy gift cards, which were then used to buy goods as part of a money laundering operation.
A way to limit exposure
The PCI DSS Home Page
The Payment Card Industry Data Security Standard is designed to reduce the chances of such attacks, the likelihood of such attempts succeeding, and the damage done if one takes place.
It was not in place at TJX at the time the attacks took place. Visa had agreed to hold off on fines until the end of 2008 as long as the company showed diligence in working towards the standard. Understandably, the data breach and what it revealed about the security practices at TJX were held to leave the company liable for its non-compliance.
This article was migrated from Squidoo after the site's closure. Comments from the old guestbook follow.
ctavias0ffering1 5 years ago
Excellent lens, very easy to understand. 5*
javr 3 years ago from British Columbia, Canada
Companies should do what they can to avoid storing ANY credit card numbers at all.
BlackHeart1 3 years ago
You made it!! You submitted this lens for the top Internet Lens section and you made it to the top 5 ... Be sure to go check this page: http://www.squidoo.com/top-5-internet on the first of the month to see what your position in the top 5 is and don't forget to tell your friends and visitors about it too