Posted by Richard Stiennon
September 9th, 2007

Repercussions from the biggest reported data breach incident in history
are still being felt. Last month's arrest of a dealer in stolen credit
cards in Istanbul is just one example of how information stolen from TJX
Companies is still being used by criminals. As I prepare for a talk I am
giving at tomorrow's Security Standard event in Chicago, I realize that
TJX, the holding company that owns TJ Maxx, Marshalls, and a bunch of
other retail operations, is being less than transparent about the breach
they first announced last January 17.

According to TJX's official communications through their press releases
and an SEC filing, they first became aware of the presence of
unauthorized software on their computer systems on December 18 and they
reported it for the first time to Federal authorities on December 22nd.

There have been several speculative articles about how the breach
occurred but never explicit descriptions from TJX. One article in the
Wall Street Journal claims that the thieves broke in via a poorly set up
wireless access point in a Marshalls store in St. Paul, Minnesota.
Another less circulated story is that thieves broke into multiple TJ
Maxx stores via kiosks that were kept in the back of the store for
accepting job applications. I believe that there were multiple incidents
over a period of at least four years and that TJX had such bad security
procedures that it was open season on their data by many hackers.

Question number one that I would love to hear the answer to: Exactly how
and when did these breaches occur?

Now let's get back to the date that TJX reports they first learned of any
incident, December 18th, 2006. Remember the arrests in Florida of the
criminal gang that was using stolen TJX credit card information to
manufacture fake credit cards and purchase fresh gift cards? Well,
Florida prosecutors filed documents in court regarding their
investigation in November 2006! They knew where the stolen credit cards
had come from, TJX, and they cited documents provided by TJX that
indicated they were stolen in May of 2006. Pretty strange that TJX now
denies that. From an article at the Boston Globe:

However, a document filed by Florida police officials says that TJX
reported a breach involving thousands of card numbers to the Secret
Service in March of 2006, nine months earlier. Florida officials
filed the document in connection with the arrests of six people
charged with using information taken from TJX to steal millions of
dollars' worth of goods.

Question number 2: When did the first breach occur and when did TJX

Reporting of these details is important for one reason: to help other
companies prepare for similar incidents. You would not want some other
retailer to get caught with no defenses and succumb to similar attacks.
Of course, the Lowe's case from 2003 was excellent early warning. If TJX
had any sort of security capability at all, that incident alone should
have woken them up. They could have easily avoided this mess if only
they had been listening to the early warnings.