The TJX data breach case

Posted Jun 09, 2009 by tirial

One of the largest and best known data breaches in recent history, the TJX case saw the owners of TK Maxx suffer an intrusion into their network and the potential compromise of 45 million credit card numbers. It is also the case that propelled the PCI DSS standard into the public eye.

The TJX Case

The TJX data breach is probably one of the best known electronic security breaches in recent years. TJX, the company behind TK Maxx and others, had credit card details relating to potentially 40 million accounts affected by unauthorised access to its data. At that time the complete data for card transactions was being stored unencrypted on its network.

However, the case is so recent that there are very few full descriptions of what occurred; the information exists only in summaries and scattered links. This is a brief summary of the case drawn from multiple sources.

The Investigation
On 17th January 2007, TJX released the information that thieves had had access to credit card information stored on its network. It reported that the breach had been identified, and suspicious software discovered on its systems, on December 18th 2006, and that it had notified law enforcement.

In January, a number of banks reported increased fraud incidents believed to be linked, including transactions from the US, Hong Kong and Sweden. (2)

In February, TJX released the information that the thieves had had access earlier than December (between May 2006 and January 2007), and over one million cards were believed affected.

Then in March 2007, the ongoing investigation released news that it believed there had been breaches as far back as July 2005 (1). These earlier intrusions did not steal credit card data; they merely accessed it. However, they also accessed data such as driving licences, which is useful for identity theft (4). Because of the way TJX stored data, transactions as far back as 2002 were affected.

In April 2007, a set of banks announced they were beginning legal proceedings against TJX for its data storage.

On the 8th May 2007 the Wall Street Journal revealed the fraud was tied to Wi-Fi. The thieves began by exploiting poor network security on a wireless network, allowing them to intercept card transactions, and then used that access point to track back to the company's central database. TJX was storing customers' personal data (and complete credit card numbers) in an unencrypted format, allowing the thieves to simply download them. This meant that every piece of credit card data on the system had potentially been compromised: at least 45.7 million accounts were affected.

In October 2007 it was suggested that as many as 95 million card numbers were exposed. TJX retaliated, saying that most had already expired when they were compromised. (6)

The Fines
The full costs of the breach will probably never be known, but here are a few that are:

September 2007 - A Class action suit from consumers is settled as TJX will provide $30 vouchers to all consumers affected. Those who lost their driver's licence information will get three years of credit monitoring and $20,000 fraud insurance.

October 2007 - Visa fines TJX $880,000

November 2007 - TJX settles with Visa for $40.9M to cover the costs of reissuing the cards.

April 4th 2008 - TJX settles with Mastercard for £24M

It is suggested that only 1% (http://www.bloggernews.net/110467) of those affected by the breach will be able to claim from the class action suit, but that would still be another $13,650,000.

The Aftermath
On August 8, 2008 the TJX President issued a statement saying they:

"regret any difficulties you may have experienced as a result of the sophisticated criminal attack(s) on our computer system in 2005 and 2006"(3)

However he goes on to say that they are glad the people responsible are facing charges.

Charges were brought against the people believed responsible, and one of the ringleaders got 5 years in jail (5). Another got 30 years in a Turkish jail. It was proved to be an organised operation which used the credit cards to buy gift cards, which were then used to buy goods in a money laundering operation.

PCI-DSS
The Payment Card Industry Data Security Standard was not in place at TJX at the time the attacks took place. Visa had agreed to hold off on fines until the end of 2008 as long as the company showed diligence in working towards the standard. Understandably, the data breach and what it revealed about the security practices at TJX were held to leave the company liable for its non-compliance.
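As an added illustration of the control at the heart of this case (this is example code written for this page, not anything from TJX or the PCI council), here is a small Python scanner that finds full, Luhn-valid card numbers stored in the clear in transaction records and rewrites them in the truncated form PCI DSS permits for display and retention. The pipe-separated record layout and the records themselves are constructed assumptions; the card numbers are published test PANs.

```python
import re

# Constructed sample records (not real data): the kind of transaction log the
# post says TJX kept unencrypted. Card numbers are published test PANs.
SAMPLE_RECORDS = [
    "2006-07-14|store=0421|pan=4111111111111111|exp=0908|auth=123456",
    "2006-07-14|store=0421|pan=5500000000000004|exp=1109|auth=654321",
    "2006-07-15|store=0877|pan=411111******1111|exp=0908|auth=111111",
    "2006-07-15|store=0877|pan=4111111111111112|exp=0908|auth=222222",
]

# Candidate PAN: an isolated run of 13 to 19 digits.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check; filters out auth codes, dates and typos that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_pans(records):
    """Return (record index, PAN) for every full, Luhn-valid PAN stored in the clear."""
    hits = []
    for idx, rec in enumerate(records):
        for m in PAN_RE.finditer(rec):
            if luhn_ok(m.group()):
                hits.append((idx, m.group()))
    return hits


def truncate_pan(pan: str) -> str:
    """PCI DSS masking: at most the first six and last four digits remain visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_records(records):
    """Rewrite records so no full PAN remains; non-PAN digit runs are left alone."""
    def mask(m):
        pan = m.group()
        return truncate_pan(pan) if luhn_ok(pan) else pan
    return [PAN_RE.sub(mask, rec) for rec in records]


if __name__ == "__main__":
    for idx, pan in find_cleartext_pans(SAMPLE_RECORDS):
        print(f"record {idx}: full PAN in the clear -> {truncate_pan(pan)}")
```

Run against a real data store the same scan is a quick way to find the kind of unencrypted card data the post describes before an auditor or an intruder does; the Luhn filter keeps store numbers, dates and authorisation codes out of the results.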

Resources

(1) http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1245727,00.html
(2) http://www.securityfocus.com/news/11438
(3) August 8 2008 http://www.tjx.com/tjx_message.html
(4) http://www.priv.gc.ca/cf-dc/2007/TJX_rep_070925_e.cfm
(5) http://www.computerweekly.com/Articles/2007/09/17/226804/tjx-data-breach-criminal-gets-five-years-in-jail.htm
(6) http://www.scmagazineus.com/Visa-fines-TJX-credit-card-processor/article/58255/

Further resources:

http://www.ecommercetimes.com/story/60554.html?wlc=1244542274
http://www.finextra.com/fullstory.asp?id=19497
http://www.securityfocus.com/brief/594
http://www.bankinfosecurity.com/articles.php?art_id=811
