TJX will be glad when this year is over. The $17 billion-a-year parent company of T.J. Maxx, Marshall's, and several other discount retail chains has spent the past eight months dealing with the largest breach of customer data in U.S. history, the details of which are starting to come to light.
Last December, TJX says it alerted law enforcement that data thieves had made off with more than 45 million customer records. Since that time, at least one business, Wal-Mart, has lost millions of dollars as a result of the theft, while TJX has spent more than $20 million investigating the breach, notifying customers, and hiring lawyers to handle dozens of lawsuits from customers and financial institutions. Should TJX lose in the courts, it could be on the hook for millions more in damages.
But there's an even broader TJX Effect: The data breach, which actually took place over a period of years, has put the entire retail industry on the defensive and stirred up demands for all businesses that handle payment card information to do a better job of protecting it. Legislators are invoking TJX's name to fast-track data-security bills.
Few details of the TJX debacle have been made public by the company or investigators. As recently as June, TJX said in a regulatory filing that it didn't know "who took this action, whether there were one or more intruders involved, or whether there was one continuing intrusion or multiple, separate intrusions." Still, important details can be gleaned from internal and external sources.
Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. "The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals," says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding "suspicious software" on its computer systems.
The USB drives contained a utility program that let the intruder or intruders take control of these computer kiosks and turn them into remote terminals that connected into TJX's networks, according to the source. The firewalls on TJX's main network weren't set to defend against malicious traffic coming from the kiosks, the source says. Typically, the USB ports on such computer kiosks are used to plug in mice or printers. The kiosks "shouldn't have been on the corporate LAN, and the USB ports should have been disabled," the source says.
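The two configuration failures the source describes, kiosks sharing the corporate LAN and a firewall policy that says nothing about traffic from them, can be illustrated with a small first-match policy evaluator. This is an added example, not TJX's configuration or code from the article; the subnets, host addresses and rule sets are constructed for illustration.

```python
"""Added example (not from the article or TJX): a tiny first-match
firewall-policy evaluator used to check whether a kiosk network segment
can reach hosts on the corporate LAN. All addressing is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR matched against the source address
    dst: str      # CIDR matched against the destination address
    action: str   # "allow" or "deny"


def decide(rules, src_ip, dst_ip, default="deny"):
    """Return the action of the first rule matching src -> dst, else the default."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action
    return default


# Constructed addressing: kiosks on 10.50.0.0/24, corporate hosts anywhere in
# 10.0.0.0/8, and one HR application server the kiosks legitimately need.
KIOSK_NET = "10.50.0.0/24"
HR_SERVER = "10.20.1.10/32"
CORP_NET = "10.0.0.0/8"

# "Before": the kiosks sit inside the corporate LAN and the policy never
# mentions them, so the blanket internal allow lets kiosk traffic reach any host.
WEAK_RULES = [Rule(CORP_NET, CORP_NET, "allow")]

# "After": the kiosks are a separate segment that may only talk to the HR
# server; everything else from that segment is dropped before the corporate rule.
HARDENED_RULES = [
    Rule(KIOSK_NET, HR_SERVER, "allow"),
    Rule(KIOSK_NET, CORP_NET, "deny"),
    Rule(CORP_NET, CORP_NET, "allow"),
]


def kiosk_exposure(rules):
    """Policy decision for a kiosk source against a few sample internal targets."""
    kiosk = "10.50.0.17"
    targets = {"hr_server": "10.20.1.10", "pos_db": "10.10.5.5", "file_server": "10.30.2.8"}
    return {name: decide(rules, kiosk, ip) for name, ip in targets.items()}
```

Under WEAK_RULES every target answers "allow" for the kiosk source; under HARDENED_RULES only the HR server does, while ordinary corporate-to-corporate traffic is unaffected.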
In May, The Wall Street Journal cited a separate entry point, reporting that data thieves had accessed an improperly secured Wi-Fi network from the parking lot of a Marshall's store in St. Paul, Minn. The thieves reportedly used a wireless data poaching tactic called "wardriving" and exploited the deficiencies of the aging Wired Equivalent Privacy wireless security protocol.
The Wall Street Journal cited sources close to the investigation, and TJX wouldn't comment. Mark Loveless, senior security researcher for network-access control vendor Vernier, who goes by the online handle of "Simple Nomad," says it's possible the cyberattackers stumbled across a vulnerable store location while patrolling a strip mall or shopping center in their car using a laptop, a telescoping antenna, and an 802.11 wireless LAN adapter. While the TJX store wasn't likely at the top of their list, they found that it was accessible and yielded information they could use to further penetrate TJX's IT systems. "The allure was too good to pass up," he posits.
TJX admits that some of the data was stolen during the payment card approval process, in which data is transmitted to payment card issuers without encryption. That might refer to a hacking technique called "skimming," a variation of which was used to steal 238 payment card account numbers earlier this year from four 24-hour Stop & Shop stores in Rhode Island and one in Massachusetts.
That scam worked like this: When the data thieves entered a store, one of them distracted a clerk while another swapped the store's PIN-pad terminal with a nearly identical device that had been electronically altered to capture customers' account numbers and PINs. The switch took as little as 12 seconds, according to the U.S. Attorney's Office for the District of Rhode Island. Several days later, the thieves returned to the store, replaced the original terminal, and made off with the altered one containing customers' account information.
TJX says it was first tipped to a security problem on Dec. 18, 2006. Incident response experts from General Dynamics and IBM confirmed within a few days that there had in fact been an intrusion.
However, some financial institutions say they noticed an increase in fraudulent activity on cards in their networks in November, which would put the break-in, or break-ins, earlier--probably much earlier. "We were notified of the TJX compromise by Visa--as well as in the news--in January," says the CFO of one credit union, which then reissued payment cards to the customers whose data might have been stolen.
TJX says that "due to the type of technology used in the intrusion as well as deletions of transaction data in the ordinary course of business," it may never be able to identify "much of the information believed stolen." The company says the stolen data includes account information for about 45.7 million separate payment cards, though TJX claims that 75% of those cards were either expired at the time of the theft or the stolen information didn't include the security code data from the magnetic stripe on the cards. The company thinks that driver's license numbers, military IDs, and state IDs for 455,000 customers, together with their names and addresses, also were stolen.