Hack Attack Means Headaches For TJ Maxx - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Hack Attack Means Headaches For TJ Maxx

Parent company TJX may have violated Visa security rules by storing credit-card data

Fallout from a hacker attack on the IT systems of TJX, whose properties include T.J. Maxx, Marshalls, and HomeGoods retail stores, intensified last week, as credit card fraud related to the incident was reported in several states and outside the United States, and as lawsuits were launched against the company, including a consumer class-action suit.

The attack, which was reported two weeks ago, is taking a financial toll on TJX. The company said last week it will record a fourth-quarter charge of 1 cent per share, or about $4.5 million, related to the hack, including the costs to investigate and contain the intrusion, enhance computer security, and communicate with customers. Things are likely to get worse, as a number of documents sent by Visa to financial institutions that issue cards and manage Visa transactions indicate TJX was storing credit and debit card data in violation of the Payment Card Industry Data Security Standard created by Visa and MasterCard.

Merchants like TJX aren't supposed to store cardholder data because a thief can use that information to create a counterfeit credit or debit card. "I can see storing data for a few hours or a day until transactions clear, but some of the stolen data goes back to 2003," says an executive at a California credit union that issues Visa cards and has been stung by the TJX hack. "That's a long time to be out of compliance."

TJX was storing customer information that's recorded on Track 2 of a Visa card's magnetic stripe, which generally includes the account number, the expiration date, and the card verification value, a three- or four-digit code that's used to verify the card's authenticity. That data is enough for crooks to make fake cards and run up charges. Track 1 is where alphanumeric data, including the cardholder's name and address, is recorded; apparently TJX wasn't storing that data.

Hence, chairman and founder Ben Cammarata's assertion, in a video on the company's Web site, that customer names and personal identification numbers weren't compromised. "It would be unlikely for cyberthieves to commit identity fraud using the information taken," Cammarata said. As a result, TJX has no plans to offer credit monitoring services for its customers. "Credit monitoring does not detect fraudulent charges on your credit and debit accounts," he said.


TJX didn't respond to requests for interviews. But one analyst says it's unlikely that TJX was intentionally storing the data. "It's usually a problem with the legacy systems these companies are using," says Gartner research director Avivah Litan. "These systems were put in place years ago when there was no thought given to cyberattacks. No one would ever program a system like that today."

InformationWeek Download

More than 60 banks in Massachusetts have reported compromises of customer accounts as a result of the security breach, and that figure is expected to grow, according to the Massachusetts Bankers Asso- ciation. Despite the fact that TJX says the hack occurred in December, the California credit union executive started see- ing an increase in counterfeit cards used to commit fraudulent transactions before then. And, according to a Jan. 23 e-mail distributed to financial institutions by Visa's director of fraud control, there's been an increase in fraud activity on certain TJX accounts since mid-November, particularly in California, Florida, Illinois, New York, and Texas.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
CIOs Face Decisions on Remote Work for Post-Pandemic Future
Joao-Pierre S. Ruth, Senior Writer,  2/19/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
CRM Trends 2021: How the Pandemic Altered Customer Behavior Forever
Jessica Davis, Senior Editor, Enterprise Apps,  2/18/2021
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll