TJX Is Biggest Data Breach Ever

jcatcw writes "Jaikumar Vijayan reports for Computerworld that TJX is finally offering more details about the extent of the compromise which, at 45.6M cards, is the biggest ever. He has been following the story since it started. The systems that were broken into processed payment card, checks, and returns for customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico, and customers of Winners and HomeSense stores in Canada and T.K. Maxx in the U.K. Customer names and addresses were not included in the stolen data. So far the company has spent about $5 million in connection with the breach. Several lawsuits that have been filed against the company, including a suit by the Arkansas Carpenters Pension Fund, one of its shareholders, for failure to divulge more details about the breach."

Suggested

[Stanistani (808333)]

Suggested new tag for stories like this - pwnshop

Re:

[SomeoneGotMyNick (200685)]

TJ Maxx - Where tchotchkes go to die.....

Re:

[Anpheus (908711)]

Whoosh, much?

our bank did good

[networkBoy (774728)]

first we heard of this was our bank re-issuing visa cards for anyone who had shopped there in the past.
-nB

New PINs too

[PIPBoy3000 (619296)]

The worst part was getting a new PIN that didn't have the easy-to-remember "69" in the digits. Now I'm stuck with one that has no sexual connotations at all. Sniff.

Re:

[LordSnooty (853791)]

Tip: walk to any ATM and change it.

Re:

[ncc74656 (45571)]

Tip: walk to any ATM and change it.

What ATM lets you change the PIN on your ATM card? That sounds like it'd be a security hole bigger than Mr. Goatse.cx's backside.

Re:

[Jester998 (156179)]

I heard about the TJX breach a long time ago, but didn't know who it affected until my bank sent me a new VISA card too. :p

Re:

[IAmTheDave (746256)]

I've shopped at TJ Max!

My VISA company sucks...

Legal ramifications

[Mister Whirly (964219)]

When a breach like this happens, is the company legally obligated to inform those who may have had their information compromised?? If so, how the hell do you do that with 45 million people?

Re:

[mrhandstand (233183)]

I'm a QDSP (VISA PCI certified assessor - been through VISA requirements training). Yes, you have to notify those who have been effected - as for how - snail mail. After all, they HAVE your info...

Re:

[mrhandstand (233183)]

Nope...wasn't me. I certed about a month ago. If you have other questions let me know.

Re:

[Mister Whirly (964219)]

I did read the article, and that is why I am wondering - how do you go about informing people when you are not sure who or the extent of the data affected? Do they have to inform you of a "maybe" incident if they even suspect something?

All encompassing

[HomelessInLaJolla (1026842)]

The breach is sure to lend urgency to efforts by the major credit card companies to get retailers to implement PCI requirements...So far about 50% of Tier 1 merchants...are fully compliant

TJX is a Tier 1 merchant and may even qualify to be a processor

PCI requirements, even for Tier 1 merchants, don't seem to have much credibility when a rogue gang of six people [computerworld.com] can infiltrate TJX and Wal-Mart.

Losses experienced by Wal-Mart and the banks issuing the credit cards total more than $8 million and are still being calculated

I'd like more technical details. Are there any theories about how the attackers breached the system? Who wrote the front line software which they breached? Who wrote the operating system it runs on? Who wrote the database system which was being used? Who was in charge of network monitoring and security at the time? What tools were they misusing (obviously) that they weren't able to catch this ahead of time?

The six named people must have had some deep insight to the code on which these systems were running. Maybe they had inside help. If I really wanted to be paranoid I'd suggest that the six named people were caught port-scanning the servers and they're being used as the fall guys so that the real criminals, probably insiders, can slip out the back door.

Patriot illegal HP domestic wiretap Enron insider FBI trading Martha 9/11 Stewart Congressional inquiry comes to mind.

Re:

[larkost (79011)]

Those six people were caught using the credit card information, that is not to say that they were the ones who obtained it in the first place. They probably purchased the sub-set of the information that they were using from someone else (who might still be a step or two removed from the initial cracker). There seems to be a whole ecosystem of people trafficking in data like this, with the initial providers only working through multiple layers of intermediaries.

watching too many episodes of 24 ..

[rs232 (849320)]

'The six named people must have had some deep insight to the code on which these systems were running. Maybe they had inside help. If I really wanted to be paranoid I'd suggest that the six named people were caught port-scanning the servers and they're being used as the fall guys so that the real criminals, probably insiders, can slip out the back door'

An interesting exercise in fallacious reductio ad absurdum. Just because they passed the cards don't mean they wrote the code and the Florida police caught them port-scaning the server and only arrested them to give the real criminals time slip out the back door.

Do you seriously think the hackers would drive about Florida trying to pass the stolen cards, especially months after it went public. The six are more likely to be down stream crooks that purchased the stolen card details not realising where they came from.

Re:All encompassing (Score: 5, Interesting :)

deep insight? the odds are against it.

[Gary W. Longsine (124661)]

Of course, the attacker might have a team of experts, moles planted in the corporation, and their own Tom Cruise who slapped magnetic signs on a white van, posed as a janitor, rappelled into the hermetically sealed server room, looked under keyboards for the post-it with the root password, modified the corporation's custom software on the fly and installed the resulting trojaned version (all without touching the floor) and then cleaned the urinals on his way out so that nobody would suspect a thing for years in a mission-impossible-style coordinated assault requiring deep insight to the code, but given that most such incidents of data theft are quite a bit less sophisticated, I doubt deep insight was required.

Deep insight is mainly useful to attackers who seek a very specific set of data from a particular target. People after credit card data typically just cast a wide net and exploit the low hanging fruit. Let a worm loose, it gets in somewhere. See what it finds. Exploit it. Much, much simpler. Of course since we lack the technical details you mentioned (and others) we have no idea what really happened, and the technical details would probably be interesting. I suspect that the weeks long delay in releasing the information that came out today was due to the fact that the investigators suspected, or merely feared, an inside job.

This is a common and largely emotional response to an attack like this. "Somebody broke into our highly secure system and stole 45 million customer records complete with credit card numbers? Inconceivable!" ("You keep using that word. I do not think it means what you think it means.")

It's certainly *not* a requirement to have "deep insight" into the code or even the specific computing infrastructure of the typical corporation in order to steal data. In fact, ordinary insight is sufficient once you have access, given the attacker has basic technical skills. Rather than deep insight, what is usually seen is a plodding industrial spam-like approach.

• bots are built and released to the wild internet (network worms, email worms, web trojans, etc.)
• a single system behind a company firewall is infected with the bot (e.g. through a web browser, or a laptop hit by a worm at a coffee shop)
• the bot spreads behind the company firewall, infecting many machines, attracting much attention
• company managers crack the whip over IT to clean up the mess without re-installing the infected systems, often against the advice of people who understand the problem who say things like, "we have no way to know what damage has been done, the only secure fix is to re-image the infected systems," which sounds are like one hand clapping to managers who have been told to contain IT costs
• some of the infected systems are "noisy", probing around the network trying to spread itself
• some of the infected systems are "stealthy", the bot does not attempt to spread further from them, it seeks data on the local system including what processes are running on the system
• some of the infected systems appear to have data of interest to the attacker
• the bot is instructed to install a root kit and possibly remove itself from the system
• the attacker explores the systems of interest, looking for files, looking at database contents, stealing what they want, etc.

From the article:
"In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," the company said. It did not elaborate on the technology it was referring to.

This sounds like a smokescreen. The "technology" might be quite simple and common. Any of these could apply, for example:

• the intruders used scp to upload files to a remote host so our IDS logged the connection, but we can't tell what was in the files
• the intruders used ftp, but our IDS system was configured to log only meta-data

Re:All encompassing

[monkeydo (173558)]

Wal-Mart giftcards over $500 require ID to redeem. So they were buying only $400 giftcards. Cashiers were suspicous of people using multiple $400 giftcards to make large purchases.

Sounds like damage control doublespeak

[Critical Facilities (850111)]

From TFA:
Customer names and addresses were not included with any of the payment card data believed stolen from the Framingham systems, TJX said. Also, the company "generally" did not store Track 2 data from the magnetic stripe on the back of payment cards for transactions

Also from TFA:
It is hard to know exactly what kind of data was stolen because a lot of the information accessed by intruders was deleted by the company in the normal course of business. "In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," the company said.

Sounds like they're just desparately trying to control the obviously egregious oversights that happened here. It also sounds like they're still trying to figure out what has happened. To say that heads are rolling is probably the biggest understatement ever.

The Answer is...

[WED Fan (911325)]

The simple answer for users, and it exists now: Revokeable Credit Cards.

The long term is separation of credit and banking from the Social Security system.

Re:

[afidel (530433)]

The answer is smart cards. I had a credit card with a smartchip in it from 2000-2005 and the chip was used exactly three times, twice at burger kings and once at a haircut place. None of the major retailers had the readers (or the readers didn't enforce smartcard use for cards with the flag). The only other use was for extra security in online banking, which is already probably the most secure part of the CC system due to SSL. If CC companies and merchants were serious about security smartcards with picture

Re:

[hacker (14635)]

The answer is smart cards. I had a credit card with a smartchip in it from 2000-2005 and the chip was used exactly three times, twice at burger kings and once at a haircut place.

How is THAT the answer, when only 3 places in the 5 years you've used the card, support reading the chip on it? Doesn't sound very pervasive to me.

Re:

[afidel (530433)]

It's the answer to the need for security, but unfortunately the people who need to implement the security don't seem to really care about it. It apparently costs them less to do nothing and pay out for breaches than it would to implement real security. Unfortunately it costs the powerless consumers orders of magnitude more in time, frustration, and real costs to fix the problem but that isn't the concern of the companies because it doesn't show up on the balance sheet and there is no real alternative.

The Complicator's Card

[Beardo the Bearded (321478)]

The answer isn't expensive smart cards with new infrastructure. As you've stated, the smart card chips aren't used in the majority of places.

Fortunately, we don't have to so that. It's way simpler.

1. Require all credit cards to add a photograph to the back as well as a signature panel. Overlay parts of the photo with holograms to make sure it's tough to copy. (It's not like the "lost card" field does fuck all when you've lost the card.)

2. Put identity photographs in everyone's credit history. If you're getting a mortgage or credit card or something else where you have to go in person, then it's pretty obvious if you're faking it.

3. Have the credit agency computers call a number listed in the credit history every time the history is accessed. ("This is Equifax. Beardo has applied for a $500k mortgage. If you are not aware of this transaction, call 1-800-HEY-WAIT.")

That's it.

The reason we won't see this - ever - is because it will cost the banks money to implement. When they can instead blame the victims for their DARING to have their stuff stolen, why bother to invest in making a secure environment? After all, it's perfectly secure from the bank's point of view.

Re:No No! No!

[mpapet (761907)]

I agree with another post that mentions smart cards. Much more difficult to create fraudulent transactions when you _must_ insert the card into a reader for authentication.

But this is not about "banking" transactions. This is an almost unregulated gray area where the retailer is processing/managing it's own credit accounts. It sounds like those accounts stored individuals banking information along with their internal account info. (duhh!) This explains the ability for some bad guys to buy things elsewhe

Re:

[Misch (158807)]

Today's lesson: Don't get one of those store credit cards. You shouldn't be in debt to a retailer, ever.

Most of the time, the "store card" is offered by a bank. CompUSA's credit card program is administered by HSBC, etc...

Example

[Renraku (518261)]

Lets say that you're sitting at home one day. You get your credit card statement. Apparently your card is maxed out at $10,000. Your interest rate has tripled and the company is calling you wondering why you spent $10,000 in Bumfuck, India.

Ok, so you're not responsible.

How do you know how they got your info? It could have been from a call center, when you called about double billing you over and over. It could have been when you called your bank, which also has call centers in India. It could have been when you lost your card, someone found it.

Point is, you probably will never know how they got your info. Only that they did. Even if you did find out, could you prove it in a court of law enough to sue TJX?

Re:

[stratjakt (596332)]

You dispute all charges, say you didn't make 'em, and you do this as soon as you find out, before anything can go to collections, and end up on a credit report. You have to be pretty negligent of your own finances to let it go that far.

I have no pity for someone who doesn't at least look at their monthly statements.

The risk to your credit is absolutely minimal if you pay attention, and call the 1-800 number on the back of the card to dispute the claims immediately.

As for suing TJX, you wouldnt. You just g

Re:

[Thuktun (221615)]

In my case he didn't get a chance to spend more than a grand before I phoned the card in, so it was just petty theft.

One wonders if there's a downside to waiting a skosh to see if the loser was going to rack up sufficient theft to make it a felony. If a loser cow-orker stole from me, I'd prefer to see him end up in PMITA prison, myself.

Re:

[955301 (209856)]

yes, you can find out. Almost all companies who do lookups against card information have trace information. A court will be able to get that information.

how they got your info ..

[rs232 (849320)]

'How do you know how they got your info?'

Well according to the article how they got the information by hacking TJX and using it to purchase large quantities of gift cards from Wal-Mart and Sam's Club. So in this case we don't have to wonder.

'in filings with the U.S. Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems [computerworld.com] over a period of more than 18 months by an unknown number of intruders'

'in partnership with

Re:

[FuryG3 (113706)]

This EXACT situation happened to me.

I was traveling internationally, lost my wallet, reported cards as stolen. Ended up finding the wallet (with money, yay!) but had to wait for my new cards to get to my house in the US, and then to me in Europe.

Fast forward 2 weeks. I receive my cards in Europe and 2 days later I notice that there's a charge on one of my cards for something I didn't buy. And it was made BETWEEN the times that I reported my card "stolen" and when I activated my new card. The charges a

Re:

[Pharmboy (216950)]

30% credit cards? I'm pretty sure that I have never seen that. Interest rates over 24% are illegal in most states (Usery laws) and the "average" rate is probably closer to 12-15%. If you are paying 30%, then obviously your credit is majorly fucked.

interesting is the way that..

[dotpavan (829804)]

.. stolen data was used for purchases at Walmart in Florida [computerworld.com] by making fake credit cards.. it surely is a big organised crime

what OS was it running on ..

[rs232 (849320)]

OS, Web Server and Hosting History [netcraft.com]

Re:

[roman_mir (125474)]

Wow, netcraft usefull for something unrelated to death sentences? Who would have thunk?

Re:

[rs232 (849320)]

What does the OS of their web server have to do with what OS thier internal billing systems are using?

, Anonymous Coward

It was the ecommerce server that was compromised, unless you know different.

'Just because their webserver is running IIS doesn't necessarely mean that everything else is .. I doubt that it is an OS issue and more an inside job'

What does their internal billing systems run on. How is it connected to the front end. How was the breach achieved. Did they break in through the front end.

Re:

[rs232 (849320)]

'I don't know for sure, but since I work for TJX I can tell everyone that MicroSoft probably isn't to blame on this one. But the Apple fanboys and the Linux geeks aren't to blame either. TJX is an AS/400 shop'

I totally believe that you work for TJX as it wouldn't be that you are intoducing a tiny fib to corroborate the rest of your story.

It was the AS/400 that got hacked was it? Like they have a mixed NT AS/400 shop and it wasn't the NT as you say so. So you can tell us exactly how the hack was done.

For Canadians, Winners and HomeSense affected

[kbahey (102895)]

This affects some purchasers from the Canadian retailers Winners, and HomeSense, as per this CBC article [www.cbc.ca].

More importantly, there has been recent arrests in Florida [www.cbc.ca] relating to this case.

Re:

[Dr Caleb (121505)]

It's my understanding from previous articles that Winners and Homesense store Interac card #s and PINs (but Canadian Interac cards were not breached). What possible business reason is there to store PINs, and why are they storing card information at all?

Re:

[kbahey (102895)]

My understanding is that Interac (debit cards for USians) are not affected, but credit card may have been stolen.

A message [tjx.com] on TJX's corporate web site advise customers to take certain steps [tjx.com] (Canadian version), which include getting a credit report.

I did that, since we shop at Winners occasionally, and did not find anything unusual, and our credit cards have not shown any unusual transactions.

Because they were aware since at least December...

[DragonPup (302885)]

..but decided not to tell anyone until late March, can we file a class action lawsuit for negligence if any of our card numbers were compromised, or illegally used?

Systematic Credibility Gap

[ehaggis (879721)]

Credit scores, reports and identity are in trouble in the US. It is a large pink elephant in the living room, but no one with any influence wants to admit it. Your credit record can be inaccurate due to:
1. Credit Agency mistake
2. Creditor error
3. Criminal activity
4. Poor security measures by xyz company
5. ???

With each of these is these problems, the onus for repair is on the customer / victim. There is no standard or easy resolution.

Meanwhile...

[jeevesbond (1066726)]

In other news a story on Microsoft's Get The FUD [microsoft.com] campaign mysteriously disappears, the title was: 'TJX Chooses Windows Over Linux for Reliability and Security'.

I'm joking, but you never know. On a more serious note: what mystifies me is why these companies need to store customers credit card details at all?! Having had experience with POS (Point of Sale) I know that the system should keep these details long enough to complete a transaction, then it should delete it.

Security starts with only keeping the information you need. Courts should be questioning why these companies retained this data in the first place!

I never save credit card info after a sale

[vinn01 (178295)]

Yes, chargebacks can be a problem. But your other points are not unversial. For me, there is little need to keep the credit card information once the transaction has been completed. The only piece of info that I store is the Transaction ID. I never store the Authorization number. Once the transaction is auth'ed, there is no point.

Refunds don't have to be made the the same credit card. But if I wanted to enforce that as a policy, I could go back to my processor (VeriSign) and lookup the the credit ca

Re:

[Kalriath (849904)]

Actually, you're only violating regs if you keep the CVV2 number (three digit number on the back) - PCI DSS says you dump that as soon as you verify it, but you do not have to with the credit card number (otherwise how do you expect PayPal et. al. to work?)

Re:

[mrcaseyj (902945)]

>The solution to allow tracking, but keep hackers at bay is to cryptographically hash the card number...

That's what I was going to say. As I was writing a post to tell people to mod you up I realized why it might not do much good. The credit card number is only 16 digits and isn't completely random. This means it would probably be practical to make a rainbow table with the hash of every likely card number. A salt unique to the merchant might help especially if it could be kept from the hackers. A salt

Finally, a Solution

[STrinity (723872)]

1) Get job with TJX 2) Steal customer credit card information 3) PROFIT!

Re:

[Mister Whirly (964219)]

That's right, because this is Slashdot and Microsoft is responsible for 100% of the world's problems. Amazing how some folks have less than 1 degree of separation between a problem of ANY sort and Microsoft...

Re:

[Rimbo (139781)]

Gah! AS/400s? EVEN WORSE! Akers' incompetence and focus on this hunk o' junk is how Microsoft was able to become the Evil Empire...