T.J. Maxx Parent Company Data Theft Is The Worst Ever - InformationWeek

The intrusion hands the retailer the dubious honor of surpassing the mark of 40 million stolen customer records, something that only CardSystems had been able to achieve.

While it's easy to wag a finger at TJX, which has more than 2,000 retail locations in the U.S. and many more in areas including Canada, Puerto Rico, and the U.K., for shoddy security, the truth isn't so simple. The company has a history of implementing some measures to protect customer information, but it didn't apply these measures consistently or firmly enough to withstand the sophisticated attack against its systems.

The customer information was taken from TJX computers in Framingham, Mass., that process and store information related to payment card, check, and certain merchandise return transactions for customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico. TJX's Winners and HomeSense stores in Canada and the company's computer systems in Watford, U.K., that process and store information related to payment card transactions at T.K. Maxx in the U.K. and Ireland, also were breached.

But transactions stored in its Framingham systems haven't included data contained in payment card magnetic stripes since September 2003. And by April 2006, the Framingham system generally also masked payment card PINs, some other portions of payment card transaction information, and some portions of check transaction information. Masked data is permanently deleted and replaced with asterisks. For transactions after early April 2004, the Framingham system also "generally" began encrypting all payment card and check transaction information, according to the filing.

Still, TJX failed to completely lock down its customer data. The cyberthieves who hit the company may have stolen payment card data from the Framingham system during the payment card issuer's approval process, in which data is transmitted to payment card issuers without encryption, the filing says. TJX's security may have been further compromised by the cybercriminals having access to the decryption tool for the encryption software that TJX uses. This could have been the result of an insider or a successful hack by the cyberthieves into a TJX database where the keys were stored.

The sophistication of the attack against its systems means that TJX has been able to identify only some of the information that was stolen, although the filing doesn't specify the exact means used to commit the breach. The investigation is ongoing, but TJX believes it "may never be able to identify much of the information believed stolen."

TJX is learning a tough lesson in comprehensive data security as well as the lengths to which attackers will go to steal data. The only bright spot to emerge from this disaster would be for other businesses to learn from TJX's mistakes. Granted, that's small consolation to the retailer, whose troubles are far from over.
