TJX Thieves Had Time To Steal, Trip Up
For at least 17 months, someone had free rein inside TJX Cos.' computers.
Without anyone noticing, one or more intruders installed code on the discount
retailer's systems to methodically unearth, collect and transmit account data
from at least 45.7 million credit and debit cards.
It's believed to be the biggest such breach of customer records ever in the
United States -- a theft that owes its size in part to the time the electronic
heist went undetected, information security experts say.
The 17-month duration appears to be unprecedented among recent large U.S. data
thefts involving hackers, according to an Associated Press review of a dozen
of the biggest cases over the past four years.
Experts say the nearly year-and-a-half of undetected access could be a mixed
blessing as investigators look for any incriminating evidence left behind.
"The length of time they were in TJX's systems increases the possibility
that they made a mistake and did something that points back to them," said
Mark Rasch, former head of the U.S. Department of Justice's computer crime unit
and now an information security adviser at FTI Consulting.
On the other hand, the 17 months offered plenty of time to cover tracks.
"People who have very little time to get in and out don't have as much
time to perfect their attacks, and there's a bigger risk of getting caught if
they have to make a hasty exit," said Mike Weider, founder and chief technology
officer of Watchfire, a maker of data security software.
If any incriminating evidence has turned up in the 4-month-old TJX probe, investigators
aren't talking about it. Spokeswoman Kim Bruce of the U.S. Secret Service declined
to comment because the probe her agency is leading is ongoing. IBM Corp. and
General Dynamics Corp. -- companies TJX hired to investigate after the breach
was discovered Dec. 18 -- also wouldn't talk.
Some experts believe the long period of unobstructed access and the hacker's
apparent use of electronic encryption keys to unlock some data suggest involvement
inside the 125,000-employee company.
"Whoever did this knew what to look for, knew where to look, and even
may have had knowledge of how files were encrypted," said Deepak Taneja,
chief executive of Aveksa, a security software company. "It's hard to fathom
how an outside hacker could know how the data was encrypted."
Even after TJX finally detected the breach, the intruders apparently had the
upper hand.
The company waited nearly a month to announce the theft -- a strategic feint
taken on advice of the Secret Service to prevent intruders from learning investigators
were watching. But even without such public disclosure, the theft of card numbers
stopped when the access was detected.
TJX spokeswoman Sherry Lang said possible insider involvement is "certainly
part of the investigation" by the Framingham, Mass.-based owner of nearly
2,500 discount stores, including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright
in the U.S., Winners and HomeSense in Canada and T.K. Maxx in Britain.
But the more than 50 experts TJX put on the case have reached no conclusions.
Besides not knowing how many thieves were involved, TJX isn't sure whether there
was one continuing intrusion or multiple separate break-ins, according to a
March 28 regulatory filing.
Initially, TJX said the break-in started seven months before it was discovered.
Then, on Feb. 18, it discovered it had been 17 months, and apparently began
in July 2005.
The length of time is unprecedented among recent U.S. hacking cases in which
the number of stolen records exceeded 300,000, an AP examination of publicly
available information found.
The closest comparable incident is a breach at the University of California,
Los Angeles. In that still-unsolved case, unauthorized access apparently began
13 months before it was detected on Nov. 21. UCLA believes the Social Security
numbers of about 28,600 people were stolen out of a database with records of
800,000 individuals.
The second-largest U.S. hack ever -- a breach at now-defunct credit card payment
processor CardSystems Solutions -- went on for less than a year before it was
discovered two years ago.
Until TJX, the CardSystems case was the largest breach in the U.S., measured
by the 40 million card accounts exposed, according to the Privacy Rights Clearinghouse,
a consumer advocacy group.
TJX says about three-quarters of the 45.7 million cards had either expired
by the time of the theft, or the stolen information didn't include security
code data from the cards' magnetic stripes, since TJX masked those codes by
storing them as asterisks rather than numbers.
TJX said the intruders also may have been able to tap the unencrypted flow
of information to card issuers as customers checked out with their credit cards.
The case has become a global investigation, with incidents of fraud believed
tied to the TJX breach as far away as Sweden and Hong Kong.
The only arrests so far have come in Florida, where 10 people who aren't believed
to be the TJX hackers are accused of using stolen TJX customer data to buy Wal-Mart
gift cards.
An affidavit that Florida police filed in their investigation says TJX notified
the Secret Service in March 2006 about a breach involving customer card data
-- six months before TJX says it detected the intrusion. TJX spokeswoman Lang
called the Florida filing "incorrect" as to the date, and said the
company stands behind its timeline. The Secret Service's Bruce agreed, and Gainesville
police did not return phone messages.
TJX warned in its recent regulatory filing against expecting too much from
its investigation. "We believe that we may never be able to identify much
of the information believed stolen" aside from the 45.7 million cards it
knows about so far, the filing said.
The way TJX detected the breach -- by finding what the company calls "suspicious
software" on its computer systems -- is an indication not only of the hackers'
skill in avoiding detection for so long but also holes in TJX's security, experts
say.
"They didn't know what their sensitive information assets were, and who
had access to them, and they didn't have adequate security controls in place,"
Taneja said. "Unfortunately for TJX, I suspect they are going to become
the poster child for poor data security."