The customer information was taken from TJX computers in Framingham, Mass., that process and store information related to payment card, check, and certain merchandise return transactions for customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico. TJX's Winners and HomeSense stores in Canada and the company's computer systems in Watford, U.K., that process and store information related to payment card transactions at T.K. Maxx in the U.K. and Ireland, also were breached.
But transactions stored in its Framingham systems haven't included data contained in payment card magnetic stripes since September 2003. And by April 2006, the Framingham system generally also masked payment card PINs, some other portions of payment card transaction information, and some portions of check transaction information. Masked data is permanently deleted and replaced with asterisks, so it cannot be recovered even by TJX. For transactions after early April 2004, the Framingham system also "generally" began encrypting all payment card and check transaction information, according to the filing.
Still, TJX failed to completely lock down its customer data. The cyberthieves who hit the company may have stolen payment card data from the Framingham system during the payment card issuer's approval process, in which data is transmitted to payment card issuers without encryption, the filing says. TJX's security may have been further compromised by the cybercriminals having access to the decryption tool for the encryption software that TJX uses. This could have been the result of an insider or of a successful hack by the cyberthieves into a TJX database where the keys were stored, which would make the encryption worthless regardless of its strength.
The sophistication of the attack against its systems means that TJX has been able to identify only some of the information that was stolen, although the filing doesn't specify the exact means used to commit the breach. The investigation is ongoing, but TJX believes it "may never be able to identify much of the information believed stolen."
TJX is learning a tough lesson in comprehensive data security as well as the lengths to which attackers will go to steal data. The only bright spot to emerge from this disaster would be for other businesses to learn from TJX's mistakes. Granted, that's small consolation to the retailer, whose troubles are far from over.