News

TJX Thieves Had Time To Steal, Trip Up

• By The Associated Press
• April 13, 2007

It's believed to be the biggest such breach of customer records ever in the United States -- a theft that owes its size in part to the time the electronic heist went undetected, information security experts say.

The 17-month duration appears to be unprecedented among recent large U.S. data thefts involving hackers, according to an Associated Press review of a dozen of the biggest cases over the past four years.

Experts say the nearly year-and-a-half of undetected access could be a mixed blessing as investigators look for any incriminating evidence left behind.

"The length of time they were in TJX's systems increases the possibility that they made a mistake and did something that points back to them," said Mark Rasch, former head of the U.S. Department of Justice's computer crime unit and now an information security adviser at FTI Consulting.

On the other hand, the 17 months offered plenty of time to cover tracks.

"People who have very little time to get in and out don't have as much time to perfect their attacks, and there's a bigger risk of getting caught if they have to make a hasty exit," said Mike Weider, founder and chief technology officer of Watchfire, a maker of data security software.

If any incriminating evidence has turned up in the 4-month-old TJX probe, investigators aren't talking about it. Spokeswoman Kim Bruce of the U.S. Secret Service declined to comment because the probe her agency is leading is ongoing. IBM Corp. and General Dynamics Corp. -- companies TJX hired to investigate after the breach was discovered Dec. 18 -- also wouldn't talk.

Some experts believe the long period of unobstructed access and the hacker's apparent use of electronic encryption keys to unlock some data suggest involvement inside the 125,000-employee company.

"Whoever did this knew what to look for, knew where to look, and even may have had knowledge of how files were encrypted," said Deepak Taneja, chief executive of Aveksa, a security software company. "It's hard to fathom how an outside hacker could know how the data was encrypted."

Even after TJX finally detected the breach, the intruders apparently had the upper hand.

The company waited nearly a month to announce the theft -- a strategic feint taken on advice of the Secret Service to prevent intruders from learning investigators were watching. But even without such public disclosure, the theft of card numbers stopped when the access was detected.

TJX spokeswoman Sherry Lang said possible insider involvement is "certainly part of the investigation" by the Framingham, Mass.-based owner of nearly 2,500 discount stores, including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright in the U.S., Winners and HomeSense in Canada and T.K. Maxx in Britain.

But the more than 50 experts TJX put on the case have reached no conclusions. Besides not knowing how many thieves were involved, TJX isn't sure whether there was one continuing intrusion or multiple separate break-ins, according to a March 28 regulatory filing.

Initially, TJX said the break-in started seven months before it was discovered. Then, on Feb. 18, it discovered it had been 17 months, and apparently began in July 2005.

The length of time is unprecedented among recent U.S. hacking cases in which the number of stolen records exceeded 300,000, an AP examination of publicly available information found.

The closest comparable incident is a breach at the University of California, Los Angeles. In that still-unsolved case, unauthorized access apparently began 13 months before it was detected on Nov. 21. UCLA believes the Social Security numbers of about 28,600 people were stolen out of a database with records of 800,000 individuals.

The second-largest U.S. hack ever -- a breach at now-defunct credit card payment processor CardSystems Solutions -- went on for less than a year before it was discovered two years ago.

Until TJX, the CardSystems case was the largest breach in the U.S., measured by the 40 million card accounts exposed, according to the Privacy Rights Clearinghouse, a consumer advocacy group.

TJX says about three-quarters of the 45.7 million cards had either expired by the time of the theft, or the stolen information didn't include security code data from the cards' magnetic stripes, since TJX masked those codes by storing them as asterisks rather than numbers.

TJX said the intruders also may have been able to tap the unencrypted flow of information to card issuers as customers checked out with their credit cards.

The case has become a global investigation, with incidents of fraud believed tied to the TJX breach as far away as Sweden and Hong Kong.

The only arrests so far have come in Florida, where 10 people who aren't believed to be the TJX hackers are accused of using stolen TJX customer data to buy Wal-Mart gift cards.

An affidavit that Florida police filed in their investigation says TJX notified the Secret Service in March 2006 about a breach involving customer card data -- six months before TJX says it detected the intrusion. TJX spokeswoman Lang called the Florida filing "incorrect" as to the date, and said the company stands behind its timeline. The Secret Service's Bruce agreed, and Gainesville police did not return phone messages.

TJX warned in its recent regulatory filing against expecting too much from its investigation. "We believe that we may never be able to identify much of the information believed stolen" aside from the 45.7 million cards it knows about so far, the filing said.

The way TJX detected the breach -- by finding what the company calls "suspicious software" on its computer systems -- is an indication not only of the hackers' skill in avoiding detection for so long but also holes in TJX's security, experts say.

"They didn't know what their sensitive information assets were, and who had access to them, and they didn't have adequate security controls in place," Taneja said. "Unfortunately for TJX, I suspect they are going to become the poster child for poor data security."