TJX Data Breach

UPDATE--TJX data theft called largest ever: 45.7M credit card numbers

Security breach detailed in financial filing

By , Network World
March 29, 2007 09:51 AM ET

Network World - Detailing the sheer magnitude of a crime first reported earlier this year, TJX yesterday disclosed in financial reports that at least 45.6 million credit and debit card numbers were stolen in 2005 and another 130,000 last year by hackers who have yet to be caught.

According to Gartner security expert Avivah Litan, the volume of stolen data gives TJX the dubious distinction of being the biggest known victim of hacker-based card fraud in history.

“This is the biggest card heist we’ve heard of so far,” said Litan, an expert in e-commerce-related security.

TJX, which has 125,000 employees and operates hundreds of T.J. Maxx and other stores in the United States and the United Kingdom, did not immediately return a call for comment about the investigation. Earlier this year TJX publicly stated it had contacted law enforcement in December 2006 when it “learned of suspicious software” within its computer systems.

According to the Securities and Exchange Commission filing, since last December TJX has been working with the Department of Justice, the Secret Service, and the U.S. Attorney in the Boston office in a criminal investigation to nab the intruders. TJX also is supplying information to the California attorney general’s office, the Canadian Provincial Privacy Commissioners, and the U.K. Information Commissioner, as well as to the London metropolitan police.

Although Florida law enforcement has identified four suspects who may be part of the case, Litan said her “educated guess” is that the trail will lead to organized crime rings in Eastern Europe.

“Organized crime rings farm out a substantial part of the work, such as the counterfeiting, usually to crack addicts,” she noted.

Litan said her sources view the TJX data-theft case as a targeted attack by hackers who broke in through unprotected wireless LANs, made their way through the TJX network to the controllers, and set up operations inside the network to capture card data. “They basically used a program to just capture the data,” Litan said, noting this was “educated conjecture.”

In the SEC filing, TJX suggests hackers were tampering with customer data.

TJX states that before the computer intrusion was discovered, the company may have inadvertently deleted “in the ordinary course of business the contents of many files that we now believe were stolen. In addition, the technology used by the Intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006.”

TJX adds, “We are continuing to try and identify information stolen in the Computer Intrusion through our investigation, but other than information provided below, we believe we may never be able to identify much of the information believed stolen.”

While this suggests the hackers may have encrypted or otherwise changed TJX data, TJX did not immediately return calls to clarify this statement further.

With regard to the U.K.-based investigation of systems used in England and Ireland, TJX also stated that “technology used by the Intruder in the Computer Intrusion during 2006 on the Watford system could also have enabled the Intruder to steal payment card data from the Watford system during the payment card issuer’s approval process, in which data including the track2data, are transmitted to payment card issuers without encryption. Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX.”
