TJX Data Breach of 2007

Thomas E. Green, Jr, CBCP


The corporation TJ Stores (TJX) included stores such as TJMaxx, Marshalls, Winners, HomeSense, AJWright, TKMaxx and HomeGoods, to name just a few. In December 2006 a data breach was detected in the computer systems that process and store transactions, including credit card, debit card, check and merchandise return transactions (PRC). The breach was originally thought to have taken place in May of 2006 but was not discovered until December of 2006. After hiring IBM and General Dynamics to investigate the breach, TJX revised its dates, saying it believed the breach went as far back as July 2005 (Comp).

Unfortunately, with many data breaches and the way hackers infiltrate a system, it is hard to discern exactly when the attack originated. In many attacks, hackers make their way into the system only to harden it and take it over so that only they can get in. They will actually fix the system but leave enough backdoors that they can still enter and exit without anyone noticing what has happened. When leaving backdoors, hackers are essentially installing rootkits, backdoor openings or software that allows them full access to enter and exit the system. Once in the system, many hackers will escalate privileges to give themselves full administrative rights, which then allows them access not only to that one server but to the entire network.

Like many corporations, TJX did not treat security as a necessary expenditure to be fully funded and made part of the everyday working environment. Security was something you did just enough of; it was seen more as a hindrance and a cost to the bottom line. This line of thinking led to the great disaster that was about to happen.

This data breach was allowed to occur because of an outdated wireless security encryption system, the lack of firewalls and data encryption software on computers using the wireless network and, lastly, an additional layer of security software that had been purchased but was never installed. The thieves were able to access the data streaming between hand-held price-checking devices, cash registers and the store's computers. Through the use of SQL injections, much of the data was farmed out of the TJX systems and later sold to cyber criminals in Eastern Europe and the United States (PRC).
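As an added illustration of the injection vector named above (example code written for this page, not from the paper or from TJX's systems): a constructed merchandise-return lookup written two ways against a made-up in-memory table. The table, the names and card numbers in it, and the `lookup_return_*` helpers are all assumptions for the example.

```python
import sqlite3

# Constructed sample data standing in for a merchandise-return table of the
# kind the breach exposed; receipts, names and card numbers are made up.
SAMPLE_RETURNS = [
    ("R1001", "Ann Lee", "4111111111111111", 42.50),
    ("R1002", "Bo Park", "5500000000000004", 17.99),
    ("R1003", "Cy Diaz", "340000000000009", 120.00),
]


def open_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE returns (receipt TEXT, customer TEXT, card TEXT, amount REAL)")
    db.executemany("INSERT INTO returns VALUES (?, ?, ?, ?)", SAMPLE_RETURNS)
    return db


def lookup_return_vulnerable(db, receipt):
    """Hypothetical lookup that pastes user input into the SQL text.

    Whatever the caller types becomes part of the statement, so a value that
    closes the quoted literal can rewrite the WHERE clause.
    """
    sql = "SELECT receipt, customer, card FROM returns WHERE receipt = '" + receipt + "'"
    return db.execute(sql).fetchall()


def lookup_return_hardened(db, receipt):
    """Same lookup with a bound parameter: the driver treats the value as data only."""
    sql = "SELECT receipt, customer, card FROM returns WHERE receipt = ?"
    return db.execute(sql, (receipt,)).fetchall()


def compare_lookups(receipt):
    """Row counts the two versions return for the same input."""
    db = open_db()
    return (len(lookup_return_vulnerable(db, receipt)),
            len(lookup_return_hardened(db, receipt)))


if __name__ == "__main__":
    print(compare_lookups("R1002"))        # a genuine receipt: (1, 1)
    # Input that ends the string literal and appends an always-true clause.
    print(compare_lookups("' OR '1'='1"))  # (3, 0): only the vulnerable form dumps every card
```

Note that the hardened form still hands back the card number for a legitimate receipt; parameterization closes the injection vector but does not answer the separate question of whether card numbers should be stored in that table at all.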

This was the biggest loss of personal data, including credit card numbers, in history. The numbers totaled 45.6 Million card numbers (Comp) over a period of 18 months by an unknown number of intruders. In addition, data for about 451,000 individuals who had returned merchandise without receipts in 2003 was also stolen. Many banks and credit unions around the United States had to block and reissue thousands of payment cards as a result of the data breach (Comp). Due to the nature of the data stolen, it is hard to know the true extent of the types of data stolen, as TJX does not maintain much of the information that is processed during the transactions (Comp). The use of the data has led to millions of dollars in lost revenue for stores such as Wal-Mart, JC Penney and other retailers.

One of the information security laws that TJX broke or did not follow was the Safe Harbor regulations, which require the privacy of data. This was not accomplished, as their wireless system was not properly encrypted and hackers could simply drive by and steal data of a personal nature without any regard. By not meeting the European Commission's standard for privacy, TJX again broke the law, with a gap between what the regulation required and what TJX was doing while engaging in business.

Another regulation that was broken during this breach was the Gramm-Leach-Bliley Act (GLBA). TJX broke this regulation by not implementing the software that would have mitigated the risk of this hack and data breach. Had the software been in place, there is a good chance this may never have occurred. Along with having the software installed, TJX would then have been following GLBA by having a robust Information Security Program aligned to the risks that affect the company.

Two of the major regulations for corporations were broken or simply not followed. Once again, ignorance of the regulations and rules to be followed allowed something bad to happen. When corporations start enforcing security and get senior management buy-in to fund and properly put in place an information security program, data breaches like the TJX breach will be minimized through the mitigation efforts of a security division.

The resolution of this situation came at a cost of over $200 Million to all parties involved. Many retailers had to sue to get lost revenue back, and still they were not able to recoup all of it. Many lending institutions had to block payment cards and reissue them. People were exposed to identity theft and to having their credit ruined by false purchases and the lack of payment for those purchases. TJX was forced to bring its security systems up to current standards and was watched for some time to ensure that standard was being maintained. In addition, TJX was forced to hire some of the best consultants in the industry to ensure this type of breach never happened again.

In conclusion, TJX is to this day still settling lawsuits from this data breach that occurred in 2005. As recently as July 8, 2010, TJX settled its latest lawsuit with the Louisiana Municipal Police Employees' Retirement System, a shareholder of TJX stock, for $595,000 in legal fees and enhanced oversight of customer files (PRC). Totals for this data breach alone are staggering, with upwards of 100 Million people affected and nearly $10 Million spent by TJX in payouts for lawsuits (Westervelt). This data breach has led to many advancements in the consumer industry in credit card security, online payment and transaction security and identity theft protection, and also to a general heightened awareness that as technology has advanced, so has the ability to have information stolen in this day and age.

Bibliography
Kairab, S. (2005). A Practical Guide to Security Assessments. Washington DC: Auerbach.

Various. (2010, September). Privacy Rights Clearinghouse - TJX Data Breach. Retrieved February 10, 2011, from Privacy Rights Clearinghouse: http://www.privacyrights.org/ar/ChronDataBreaches.htm

Vijayan, J. (2007, March 29). TJX Data Breach: At 45.6M card numbers, it's the biggest ever. Retrieved February 11, 2011, from ComputerWorld: http://www.computerworld.com/s/article/9014782/TJX_data_breach_At_45.6M_card_numbers_it_s_the_biggest_ever

Westervelt, R. (2009, June 24). TJX to pay $9.75 million for data breach investigations. Retrieved February 11, 2011, from SearchSecurity.com: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1360065,00.html