On March 28, 2007 TJX Companies Inc. stated in its Securities and Exchange Commission (SEC) filings that an unknown intruder or intruders stole at least 45.6 million credit and debit card numbers from various TJX properties. These properties include T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico; Winners and HomeSense stores in Canada; as well as T.K. Maxx stores in the United Kingdom and Ireland. Additionally, the intruder(s) stole personal information including names, addresses, and personal identification numbers from approximately 451,000 TJX customers.
Targeting the Weak Link in the Chain
While the specific details of the intrusion are unclear at this point, Avivah Litan, a security analyst with Gartner, stated that investigators believe the intruder(s) gained access to TJX’s computer network through an in-store wireless network that managed both cash registers and computer terminals (source). The intruder(s) were able to exploit this opening to gain access to TJX payment processing systems in the United States, Britain, Canada, and Puerto Rico (source).
TJX also stated that despite their efforts to protect customer data via encryption, the intruder(s) accessed the sensitive data from its Framingham system “during the payment card issuer’s approval process, in which data (including the track 2 data) is transmitted to payment card issuers without encryption” (source). Additionally, TJX believes that the intruder used decryption tools that allowed it to decipher encrypted TJX data (source).
The attack on TJX Companies Inc. illustrates the fundamental point that information systems are only as secure as their weakest link. As described above, the attackers allegedly gained access to TJX’s network via wireless access points in TJX retail outlets. Wireless networks are notoriously insecure. Even those networks ‘secured’ with Wired Equivalent Privacy (WEP) can be cracked with tools freely available online.
Additionally, although TJX apparently used some form of encryption to protect customer data at rest, i.e. stored in a TJX database, TJX did not encrypt the same customer data when it was transmitted to the customer’s payment card issuer. Moreover, it has been speculated that TJX was using an antiquated encryption scheme, such as DES, to encrypt sensitive customer data. There are tools available that can crack DES encryption in less than 24 hours. As a result, it was likely trivial for the intruder(s) to intercept and/or decrypt the stolen customer data.
Other High Profile Data Breaches
Unfortunately for consumers, the attack on TJX is not unique. In the past two years there have been at least two high profile and large-scale breaches. In mid-2005, intruder(s) stole approximately 40 million customer records from CardSystems Solutions Inc. Likewise, in early 2006 a laptop containing the personal information of more than 26 million veterans was stolen from the Department of Veterans Affairs.
It is also very likely that there have been additional large-scale breaches that the public does not yet know about. A study of 649 businesses and government agencies by the Ponemon Institute, a privacy research organization, found that 61 percent of those surveyed were not organized to respond to ‘hacker threats’ (source).
Looking Forward
We believe that criminal organizations will continue to target companies and government agencies with lax security policies using digital ‘smash and grab’ operations. The financial rewards are currently too great and the risks minimal. Therefore, there is ample reason to believe that attacks, such as the attack on TJX Companies Inc., will continue in the future.