About the TJX Case
An overview of the case
The largest data theft in recent memory
Although many people know the name, the details of the case are scattered across a number of links. This lens is designed to pull the third-party information together into a rough timeline, to give an overview of what actually occurred during the case and the investigation, and to show how to protect your own organisation.
Perhaps most disturbingly, it does not appear to have been an inside job. The company's network security was penetrated externally.
A timeline of the investigation
A brief overview of the case and investigation
On 17th January 2007, TJX released the information that thieves had had access to credit card information stored on its network. It was suggested that a breach had occurred and that suspicious software had been discovered on December 18th 2006. They notified law enforcement. (Search Security, 18th Jan 2007)
In January, a number of banks reported increased fraud incidents believed to be linked, including transactions from the US, Hong Kong and Sweden. (Security Focus)
In February, TJX released the information that the thieves had had access earlier than December (between May 2006 and January 2007), and over one million cards were believed affected.
Then in March 2007, the ongoing investigation released news that it believed there had been breaches as far back as July 2005 (Search Security, 21st Feb 2007).
These earlier intrusions did not steal credit card data; they merely accessed it. However, they also accessed data such as driving licences, which is useful for identity theft. Because of the way TJX stored data, completely unencrypted and held long-term, transactions as far back as 2002 were affected.
In April 2007, a set of banks announced they were beginning legal proceedings against TJX for its data storage.
On the 8th May 2007 the Wall Street Journal revealed the fraud was tied to Wi-fi. The thieves began by exploiting poor network security on a wireless network, allowing them to intercept card transactions, and then used their open access point to track back to the company's central database. TJX were storing customers' personal data (and complete credit card numbers) in an unencrypted format, allowing the thieves to simply download them. This meant that every piece of credit card data on the system had potentially been compromised - at least 45.7 million accounts were affected.
In October 2007 it was suggested that as many as 95 million card numbers were exposed. TJX retaliated, saying that most were expired when they were compromised. (6)
How it was done
A sophisticated attack
On 8th May 2007, the Wall Street Journal revealed the fraud was tied to wireless (Search Security). The thieves began by exploiting poor network security on a wireless network at a store. This allowed them to sit outside and intercept customers' credit card numbers as they made transactions.
They then used their open access point to track back to the company's central database.
TJX were storing customers' personal data (and complete credit card numbers) in an unencrypted format, allowing the thieves to simply download them. This meant that every piece of credit card data on the system had potentially been compromised - at least 45.7 million accounts were affected. They were also storing data from transactions as far back as 2002, meaning that anyone who had made a transaction in the store in that period was potentially at risk.
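An added illustration, not from the original lens, of why the storage practice mattered so much: the same constructed transactions held TJX-style (full card numbers, in the clear, kept indefinitely) versus held the way PCI DSS expects (PAN masked to first six/last four, a keyed token for matching, no CVV, a retention purge). The key, the 90-day retention window and the card numbers are all assumed test values.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed sample transactions: (transaction date, full PAN, CVV).
# These are standard test card numbers, not real accounts.
SAMPLE_TXNS = [
    (date(2002, 6, 1), "4111111111111111", "123"),
    (date(2004, 3, 15), "5555555555554444", "456"),
    (date(2006, 8, 20), "4012888888881881", "789"),
    (date(2007, 1, 10), "378282246310005", "1234"),
]

# Hypothetical tokenisation key; in a real deployment this lives in an HSM
# or key-management service, never alongside the data it protects.
TOKEN_KEY = b"example-key-not-for-production"
RETENTION_DAYS = 90  # assumed business retention window

def mask_pan(pan):
    """Keep only first six and last four digits (the PCI DSS display maximum)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def tokenise_pan(pan):
    """Keyed hash: lets the same card be matched across transactions
    without the PAN itself being stored or recoverable from the store."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()

def store_tjx_style(txns):
    """Everything, in the clear, kept forever: every record is a full PAN."""
    return [{"date": d, "pan": pan, "cvv": cvv} for d, pan, cvv in txns]

def store_pci_style(txns, today):
    """CVV is never stored; PAN is masked plus tokenised; old records are purged."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return [
        {"date": d, "pan_masked": mask_pan(pan), "pan_token": tokenise_pan(pan)}
        for d, pan, cvv in txns
        if d >= cutoff
    ]

def full_pans_exposed(records):
    """How many records an intruder who copies the store can read a full PAN from."""
    return sum(1 for r in records if "pan" in r)

if __name__ == "__main__":
    breach_day = date(2007, 1, 17)  # the day TJX went public
    print("TJX-style store exposes", full_pans_exposed(store_tjx_style(SAMPLE_TXNS)), "full PANs")
    print("PCI-style store exposes", full_pans_exposed(store_pci_style(SAMPLE_TXNS, breach_day)), "full PANs")
```

With the retention purge applied, only the most recent constructed transaction survives at the breach date, and even that record carries no full card number.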
The stolen credit card details were then used to buy gift cards to various stores which could be exchanged for goods. To launder the money, the gift cards were used for jewellery or electronic goods. (Computer Weekly)
Fines and settlements
The effects on TJX and the costs of data loss
September 2007 - A class action suit from consumers is settled: TJX will provide $30 vouchers to all consumers affected. Those who lost their driver's licence information will get three years of credit monitoring and $20,000 fraud insurance. (Security Focus)
October 2007 - Visa fines TJX $880,000 (SC Magazine US)
November 2007 - TJX settles with Visa for $40.9M to cover the costs of reissuing the cards. (Ecommerce Times)
April 4th 2008 - TJX settles with Mastercard for $24M (Boston Herald)
It is suggested that only 1% (Bloggersnews) of those affected by the breach will be able to claim from the class action suit, but that would still be another $13,650,000.
The legal consequences
The perpetrators
"regret any difficulties you may have experienced as a result of the sophisticated criminal attack(s) on our computer system in 2005 and 2006"
However, he goes on to say that they are glad the people responsible are facing charges. (TJX Message) Although the damage had already been done, the investigation managed to successfully track the people believed responsible, and charges were brought against those within jurisdiction.
One of the ringleaders (from Miami) got five years in jail and a $300,000 fine (Computer Weekly).
Another got thirty years in a Turkish jail. It was proved to be an organised operation which used the credit cards to buy gift cards which were then used to buy goods in a money laundering operation.
PCI DSS - the credit card security standard
Ecommerce security for merchants and card acquirers
PCI DSS was not in place at TJX at the time the attacks took place. Visa had agreed to hold off on fines until the end of 2008 as long as the company showed diligence in working towards the standard. Understandably, the data breach and what it revealed about the security practices at TJX were held to leave the company liable for its non-compliance.
The latest news
- Hacker Pleads Guilty To Conspiracy In Credit-Card Data Theft: "(TJX), BJ's Wholesale Club Inc. (BJ), OfficeMax Inc. (OMX), Boston Market, Barnes & Noble Inc. (BKS) and Sports Authority Inc. (TSA). ..."
- TJX Hacker 'Will Never Commit Any Crime Again': "Furthermore, Weinberg writes, the government has never been able to deduce "the extent to which the stolen TJX data was ever used to an individual ..."
- Guilty plea expected in hacking: "He first began cooperating with federal authorities in 2003, after being charged in New Jersey for his role in an earlier data theft."
- Decade of lost identities: "Data theft by criminals hacking into store computer systems to get people's names, Social Security numbers, and credit and debit card information ballooned. ..."
About the lensmaster
Lensmaster tirial has been a member since August 11 2008, has rated 195 lenses, favorited 7, and has created 239 lenses from scratch. This member's top-ranked page is "Dragon Cave - the online hatching game".
My Bio
Aviation, IT, History, Gaming, I'm interested in just about anything! I made the Squidoo Top 100 Club in June 2009.