UPDATE--TJX data theft called largest ever: 45.7M credit card numbers

Security breach detailed in financial filing

Detailing the sheer magnitude of a crime first reported earlier this year, TJX yesterday disclosed in financial reports that at least 45.6 million credit and debit card numbers were stolen in 2005 and another 130,000 last year by hackers who have yet to be caught.

According to Gartner security expert Avivah Litan, the volume of stolen data gives TJX the dubious distinction of being the biggest known victim of hacker-based card fraud in history.

“This is the biggest card heist we’ve heard of so far,” said Litan, an expert in e-commerce-related security.

TJX, which has 125,000 employees and operates hundreds of T.J. Maxx and other stores in the United States and the United Kingdom, did not immediately return a call for comment about the investigation. Earlier this year TJX publicly stated it had contacted law enforcement in December 2006 when it “learned of suspicious software” within its computer systems.

According to the Securities and Exchange Commission filing, since last December TJX has been working with the Department of Justice, the Secret Service, and the U.S. Attorney in the Boston office in a criminal investigation to nab the intruders. TJX also is supplying information to the California attorney general’s office, the Canadian Provincial Privacy Commissioners, and the U.K. Information Commissioner, as well as to the London metropolitan police.

Although Florida law enforcement has identified four suspects who may be part of the case, Litan said her “educated guess” is that the trail will lead to organized crime rings in Eastern Europe.

“Organized crime rings farm out a substantial part of the work, such as the counterfeiting, usually to crack addicts,” she noted.

Litan said her sources view the TJX data-theft case as a targeted attack by hackers who broke in through unprotected wireless LANs, and made their way through the TJX network to the controllers to set up operations inside the TJX network to capture card data. “They basically used a program to just capture the data,” Litan said, noting this was “educated conjecture.”

In the SEC filing, TJX suggests hackers were tampering with customer data.

TJX states that before the computer intrusion was discovered, the company may have inadvertently deleted “in the ordinary course of business the contents of many files that we now believe were stolen. In addition, the technology used by the Intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006.”

TJX adds, “We are continuing to try and identify information stolen in the Computer Intrusion through our investigation, but other than information provided below, we believe we may never be able to identify much of the information believed stolen.”

While this suggests the hackers may have encrypted or otherwise changed TJX data, TJX did not immediately return calls to clarify this statement further.

In regards to the U.K.-based investigation of systems used in England and Ireland, TJX also stated that “technology used by the Intruder in the Computer Intrusion during 2006 on the Watford system could also have enabled the Intruder to steal payment card data from the Watford system during the payment card issuer’s approval process, in which data including the track2data, are transmitted to payment card issuers without encryption. Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX."

TJX said it expects to incur $5 million in costs in connection with the computer intrusion. So far, customers don’t seem to be scared off by the news. Net sales for the 2007 fiscal year at TJX were $17.4 billion, up 9% over fiscal 2006.

Litan said the TJX case not only points to how exposed networks that process card payments can be, but that “it’s time for the U.S. to bite the bullet on stronger card authentication.” The banks have a lot at stake, Litan noted, saying the banks are the first entities that have to pay for card fraud, and they try to get that back from retailers.

“Banks will have to pay for this fraud, and then they’ll try to get that money back from TJX,” she said.

The magnitude of the theft -- merely the most prominent in what seems to be a never-ending string -- is sure to fan the flames for more investigations such as the one recently launched by the Federal Trade Commission.

And it's also sure to have TJX executives sharpening their pencils to craft one of those increasingly common apology letters that have become standard fare in these situations. Network World recently took a look at the best of breed when it comes to this sort of thing.

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies