TJX Co., the parent company of T.J. Maxx and other retailers, on Wednesday dropped a bombshell in its ongoing investigation of a customer data breach by announcing in a Securities and Exchange Commission filing that more than 45 million credit and debit card numbers have been stolen from its IT systems. Information contained in the filing reveals a company that had taken some measures over the past few years to protect customer data through obfuscation and encryption. But TJX didn't apply these policies uniformly across its IT systems and as a result still has no idea of the extent of the damage caused by the data breach.
As a result, TJX is a company under siege. The company recorded a fourth-quarter charge of about $5 million to cover the costs of containing and investigating the breach, as well as improving the security of its IT systems, communicating with customers, and paying legal fee. The U.S. Federal Trade Commission has launched an investigation of TJX. While the FTC wouldn't reveal the nature of the investigation or when it began, it's likely the result of the data breach. And lawsuits have begun to fly, including one by the Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock.
The intrusion into TJX's IT systems also hands the retailer the dubious honor of surpassing the 40 million stolen customers record mark, something that only CardSystems had been able to achieve. And it puts to shame the Veterans Affairs Department, which last year briefly lost track of more than 26 million records thanks to a stolen employee laptop.
The effects of the stolen TJX data, not to mention the underground cybercriminal economy that trades in customer data, already are being felt. General Dynamics, IBM, TJX, and the various law enforcement entities investigating the cyberattack still don't know who took the customer information, but it's clear where some of that information ended up. Data stolen from TJX recently surfaced at Wal-Mart stores in Florida, where it's been used to help thieves steal about $8 million in merchandise from Wal-Mart stores. The thieves used the stolen TJX customer data to create dummy credit cards for purchasing Wal-Mart and Sam's Club gift cards, and then used those to hit stores in 50 of Florida's 67 counties.
TJX claims it also doesn't know "whether there was one continuing intrusion or multiple, separate intrusions," according to the SEC filing. What the company does know is that on Dec. 18, it learned of suspicious software on its computer systems. By Dec. 21, "there was strong reason to believe that our computer systems had been intruded upon and that an intruder remained on our computer systems," the filing says. Given that the intruder was still operating, U.S. Secret Service advised TJX officials that disclosure of the suspected intrusion might impede their criminal investigation and requested that the company keep a lid on the incident until law enforcement gave them the green light to announce the breach.
The company disclosed the breach on Jan. 17, only to later find that that the intrusion may have been initiated earlier than it had originally reported and that additional customer information potentially had been stolen. Based on the investigation to date, it's believed that TJX's computer systems were first accessed by an unauthorized intruder in July 2005, on subsequent dates in 2005, and from mid-May 2006 to mid-January 2007, but that no customer data were stolen after Dec. 18.
While it's easy to wag a finger at TJX, which has more than 2,000 retail locations in the U.S. and many more in areas including Canada, Puerto Rico, and the U.K., for shoddy security, the truth isn't so simple. The company has a history of implementing some measures to protect customer information, but it didn't apply these measures consistently or firmly enough to withstand the sophisticated attack against its systems.
The customer information was taken from TJX computers in Framingham, Mass., that process and store information related to payment card, check, and certain merchandise return transactions for customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico. TJX's Winners and HomeSense stores in Canada and the company's computer systems in Watford, U.K., that process and store information related to payment card transactions at T.K. Maxx in the U.K. and Ireland, also were breached.
But, transactions stored in its Framingham systems haven't included data contained in payment card magnetic stripes since September 2003. And by April 2006, the Framingham system generally also masked payment card PINs, some other portions of payment card transaction information, and some portions of check transaction information. Masked data is permanently deleted and replaced with asterisks. For transactions after early April 2004, the Framingham system also "generally" began encrypting all payment card and check transaction information, according to the filing.
Still, TJX failed to completely lock down its customer data. The cyberthieves that hit the company may have stolen payment card data from the Framingham system during the payment card issuer's approval process, in which data is transmitted to payment card issuers without encryption, the filing says. TJX's security may have been further compromised by the cybercriminals having access to the decryption tool for the encryption software that TJX uses. This could have been the result of an insider or a successful hack by the cyberthieves into a TJX database where the keys were stored.
The sophistication of the attack against its systems means that TJX has been able to identify only some of the information that was stolen, although the filing doesn't specify the exact means used to commit the breach. The investigation is ongoing, but TJX believes it "may never be able to identify much of the information believed stolen."
TJX is learning a tough lesson in comprehensive data security as well as the lengths to which attackers will go to steal data. The only bright spot to emerge from this disaster would be for other businesses to learn from TJX's mistakes. Granted, that's small consolation to the retailer, whose troubles are far from over.