The customer information was taken from TJX computers in Framingham, Mass., that process and store information related to payment card, check, and certain merchandise return transactions for customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico. TJX's Winners and HomeSense stores in Canada and the company's computer systems in Watford, U.K., that process and store information related to payment card transactions at T.K. Maxx in the U.K. and Ireland, also were breached.
But, transactions stored in its Framingham systems haven't included data contained in payment card magnetic stripes since September 2003. And by April 2006, the Framingham system generally also masked payment card PINs, some other portions of payment card transaction information, and some portions of check transaction information. Masked data is permanently deleted and replaced with asterisks. For transactions after early April 2004, the Framingham system also "generally" began encrypting all payment card and check transaction information, according to the filing.
Still, TJX failed to completely lock down its customer data. The cyberthieves that hit the company may have stolen payment card data from the Framingham system during the payment card issuer's approval process, in which data is transmitted to payment card issuers without encryption, the filing says. TJX's security may have been further compromised by the cybercriminals having access to the decryption tool for the encryption software that TJX uses. This could have been the result of an insider or a successful hack by the cyberthieves into a TJX database where the keys were stored.
The sophistication of the attack against its systems means that TJX has been able to identify only some of the information that was stolen, although the filing doesn't specify the exact means used to commit the breach. The investigation is ongoing, but TJX believes it "may never be able to identify much of the information believed stolen."
TJX is learning a tough lesson in comprehensive data security as well as the lengths to which attackers will go to steal data. The only bright spot to emerge from this disaster would be for other businesses to learn from TJX's mistakes. Granted, that's small consolation to the retailer, whose troubles are far from over.