TJX Companies, Inc – Security Breach and Data Theft
In January 2007, Paul Butka, CIO of TJX Companies Inc., sat alongside the executive board, listening to the international press release, this time personally given by the Chairman and CEO of the group. “We are deeply concerned about this event and the difficulties it may cause our customers. Since discovering this crime, we have been working diligently to further protect our customers and strengthen the security of our computer systems and we believe customers should feel safe while shopping in our stores. We want to assure our customers that this issue has the highest priority at TJX.”
Paul knew that the next few months were going to be an absolute nightmare. TJX, one of the largest and most profitable retail chains in the US, had just become the victim of the largest known theft of credit card numbers in history. The hackers, who have not yet been found, downloaded at least 45.7 million credit and debit card numbers from about a year’s worth of records. As a person familiar with the firm’s internal investigation, Paul knew that number could potentially go up to 200 million compromised card numbers.
‘What went wrong? Did TJX do everything that they were supposed to do? Will customers’ data ever be safe again?’ These were some of the questions Paul knew TJX would face when the board went in for the hearing of one of 21 U.S. and Canadian class action lawsuits seeking damages against the retailer (TJX, Press Release, 2007).
The TJX Companies, Incorporated (NYSE: TJX), is the largest international apparel and home fashions off-price department store chain in the United States. Based in Framingham, Massachusetts, the company originally evolved from the Zayre discount department store chain, founded in 1956, which opened its first branch of T.J. Maxx in 1976 and its first BJ’s Wholesale Club in 1984.
By 2004, the company had moved up to the 141st position in the Fortune 500 rankings, and at the time of the intrusion TJX was a $17 billion behemoth, with numerous stores and brands in the US, United Kingdom, and Canada. Brand stores stocked items ranging from clothing, footwear and bedding to furniture, jewelry, beauty products, and housewares. Goods were purchased from more than 10,000 vendors spread across 60 countries.
TJX’s core target customer groups were middle to upper middle class women. The high end department and specialty stores were marketed as the ones providing a ‘Fashion and value conscious choice’, with a wide and rapidly changing collection of items. Amongst the key success factors for its rapid growth was its flexible business model, which helped TJX survive through several dips in the retail chain market. TJX had very powerful vendor relationships which it effectively leveraged to build a successful track record across several new geographies and merchandising categories. By 2007, TJX owned several successful brands such as HomeGoods, Marshalls, A. J. Wright, The Maxx and several more across Canada and Europe.
The Security Breach and Data Theft
The biggest known theft of credit-card numbers in history began in 2005 outside a Marshalls discount clothing store near St. Paul, Minn. Hackers used a telescope-shaped antenna and a laptop to decode data streaming through the air between hand-held price-checking devices, cash registers and the store’s computers. Once in, they were further able to penetrate into the central database of Marshalls’ parent, TJX Cos. in Framingham, Mass.
Along with the credit and debit card numbers, the hackers also got personal information such as driver’s license numbers, military identification and Social Security numbers of at least 451,000 customers. TJX also has been unable to crack the encryption on files that the hackers left in its system. While stealing the data, the hackers were simultaneously selling it on the Internet, on password-protected sites used by gangs who then printed those on fake cards.
The problems first surfaced at credit-card issuers such as Fidelity Homestead and the Louisiana savings bank. While its customers were dealing with the aftermath of Hurricane Katrina, their accounts started showing strange shopping transactions from Mexico and Southern California. Since then a spate of card thefts has occurred in Italy, Australia, Mexico and Japan. So far, the TJX-related fraud has been traced in six other states and at least eight countries from Mexico to China.
The thieves gradually became bolder, with one of them eventually making $35,000 in fraudulent purchases in a single day. In one instance police say a band of 10 thieves traveled in rented cars purchasing gift cards from Wal-Mart and Sam’s Club stores, using bogus credit cards stolen from hundreds of TJX customers. Within four months, the gang bought $8 million worth of gift cards and used them to buy flat-screen TVs, computers and other electronics across 50 of the state’s 67 counties.
TJX data was largely shielded by a flawed encoding system called Wired Equivalent Privacy, or WEP, that was relatively weak and quickly pierced. As early as 2001, security experts issued warnings that they were able to crack the encryption systems of several major retailers. By 2003, a more secure system called Wi-Fi Protected Access, or WPA, with more complex encryption, was introduced. TJX, however, like many other merchants, was slow in making the changes. An auditor later found that the company also failed to install firewalls and data encryption on many of its computers using the wireless network, and didn’t properly install another layer of security software it had bought.
The electronic footprints left by the TJX hackers showed that most of their break-ins were done during peak sales periods to capture lots of data. They first tapped into data transmitted by hand-held equipment that stores used to communicate price markdowns and to manage inventory. These devices communicate with computers in the stores, cash registers as well as routers that transmit certain housekeeping data.
The hackers used that data to crack the encryption code, eavesdropping on employees logging into TJX’s central database in Framingham. After stealing a few more user names and passwords, investigators believe that they set up their own accounts in the TJX system and collected transaction data including credit-card numbers, into about 100 large files for their own access. They were able to access the TJX system remotely from any computer on the Internet, and even left encrypted messages to each other on the company’s network, to tell one another which files had already been copied and avoid duplicating work. A TJX report says that the hackers may even have lifted bank-card information as customers making purchases waited for their transactions to be approved. Retailers are forbidden from storing such information under the Payment Card Industry (PCI) Data Security Standard pushed by Visa, MasterCard International Inc. and other credit card companies. TJX transmitted that data to banks “without encryption,” which violated the credit-card company guidelines.
As the stolen TJX numbers were being used in Florida, the company was getting a stern warning about its poor security from a routine audit. The auditor told the company on Sept. 29, 2006 that it wasn’t complying with many of the requirements imposed by Visa and MasterCard. The auditor’s report also cited the outmoded WEP encryption and missing software patches and firewalls. Records later showed no substantial action was taken, subjecting TJX to sharp criticism for its lax attitude when the event was made public.
The breach has been costly for TJX’s reputation and balance sheet. The estimated costs for the settlement and other expenses stemming from the crime are already starting to be reflected in TJX’s second quarter filing. The ease and scale of the fraud have exposed how poorly companies like TJX are protecting their customers’ data on wireless networks. On Jan. 17, the company announced its systems had been hacked, affecting “a limited number of credit and debit card holders.” It began sending lists of compromised numbers to credit-card issuers (nicknamed the ‘hot list’). Fraudulent activities, however, have continued to pop up throughout the year. Chuck Bower, the chief technical officer of Middlesex Savings Bank, Natick, Mass., says about 18,000 of its Visa debit cards were stolen by TJX thieves. Robert Mitchell, chief financial officer of the retail division of Eagle Bank Corp., in Lowell, Mass., says 1,300 of its MasterCards were compromised. So far the banks have replaced all of them. The incident also has renewed debate about who should be financially responsible. Banks that issue credit and debit cards so far have borne the brunt of the TJX losses, as opposed to the retailer or the credit-card networks such as Visa or MasterCard.
Since the disclosure of the TJX breach, banking associations have begun lobbying for new legislation which would impose full financial responsibility for any fraud-related losses, including the costs of reissuing cards, on companies whose security systems are breached. Another bill, in Minnesota, would bar any company from storing any consumer data after a transaction is authorized and completed. Massachusetts Rep. Barney Frank, chairman of the House Financial Services Committee, said in March that he believes Congress will move to require a company responsible for allowing a breach to bear the costs of notifying customers and reissuing cards (Pereira, 2007) (Vijayan, 2007).
Paul knew it was time to make some drastic changes to the information architecture at TJX. The current breach-related bill alone could surpass $1 billion over five years — including the costs for consultants, security upgrades, attorney fees, and the added marketing to reassure customers. This did not even include the possible lawsuit liabilities.
Along with network specialists, a team of information management and security consultants has been brought on board to advise on the next steps. The CIO has given an initial budget of $100 million for the possible security upgrades, but is willing to raise the budget if the solution warrants the investment. Paul wants to know what happened, and more importantly what needs to be done to limit the damage. With TJX being subject to a string of non-compliance allegations, one of your key mandates is to guide the executive team through this maze. The executive board is not just concerned about preventing a recurrence of this event, but also wants to ensure that going forward customers and investors will trust TJX and its ability to safely conduct business in today’s interconnected marketplace.
- Moghe, P (2008) – TJX Breach
- Pereira, J (2007) – How Credit-Card Data Went Out Wireless Door, The Wall Street Journal
- TJX (2008) – Background Information
- TJX Companies (2008) – Annual Report
- TJX (2007) – Press Release
- Vijayan, J (2007) – IT security in the retail industry, Computer World
Appendix – I
TJX Company Information
Exhibit 1: TJX Financial Information
* (TJX Companies, 2008)
Exhibit 2: TJX Business Portfolio
Exhibit 3: Sales Information
* (TJX, Background Information, 2008)
Appendix – II
About the Intrusion
Exhibit 4: Facts uncovered by Forensic Analysis
Through its investigation, TJX has learned the following with respect to the intrusion:
- An unauthorized intruder accessed TJX’s computer systems that process and store information related to customer transactions for its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico and its Winners and HomeSense stores in Canada.
- The Company is concerned that the intrusion may extend to the computer systems that process and store information related to customer transactions for T.K. Maxx in the U.K. and Ireland, although TJX’s investigation has not yet been able to confirm any such intrusion. It is possible that the intrusion may extend to Bob’s Stores.
- Portions of the information stored in the affected part of TJX’s network regarding credit and debit card sales transactions in TJX’s stores (excluding Bob’s Stores) in the U.S., Canada, and Puerto Rico during 2003, as well as such information for these stores for the period from mid-May through December, 2006 may have been accessed in the intrusion. TJX has provided the credit card companies and issuing banks with information on these and other transactions.
- To date, TJX has been able to specifically identify a limited number of credit-card and debit card holders whose information was removed from its system and is providing this information to the credit card companies. In addition, TJX has been able to specifically identify a relatively small number of customer names with related drivers’ license numbers that were also removed from its system, and TJX is contacting these individuals directly.
- TJX is continuing its investigation seeking to determine whether additional customer information may have been compromised. TJX does not know if it will be able to identify additional information of specific customers that may have been taken.
* (TJX, Press Release, 2007)
Exhibit 5: Attack Phase I
- Initial breach of the TJX system likely happened as a result of deficiencies in the wireless network used by TJX. At the time of the attack, TJX employed WEP wireless encryption at the store location, with some known deficiencies. Part of the problem was that the network broadcast SSIDs – the service set identifier name assigned to the wireless network by the administrator.
- After breaching the TJX wireless system, the attacker was able to gain administrative privileges to the RTS servers located at the TJX corporate headquarters in Framingham, MA. The RTS servers hold all cardholder data that is processed centrally for most TJX stores.
- Once the attacker was able to gain administrative privileges to the RTS servers, he was able to find historic Track 2 data improperly stored by TJX on these servers.
- The attacker then used FTP to copy this Track 2 data to another machine on the Internet, utilizing TJX’s high-speed internet connection.
Exhibit 6: Attack Phase II
- Until this point, the attacker could only get at historical stored Track 2 data. To get at new data, the attacker installed custom-written traffic capture software on the servers.
- The attacker used the software to record live TJX transaction data. The software tool was configured to extract the payment card track data from the transactions. This track data was then stored in the tool’s log file, unpretentiously called just “log”.
- The attacker used this tool to copy and extract Track 2 data from payment card transactions from May 2006 to December 2006. (Moghe, 2008)
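A defender-side check for the condition described in Exhibits 5 and 6 (Track 2 data sitting in server files and in the capture tool's log), as an added example that is not part of the original case study: it scans text for Track 2-shaped strings, confirms them with the Luhn checksum, and reports only masked numbers. The sample log lines, field names and function names are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): PAN, '=' separator, YYMM expiry,
# 3-digit service code, then discretionary data.
TRACK2_RE = re.compile(r"(?<!\d)(\d{12,19})=(\d{4})(\d{3})")

def luhn_ok(pan):
    """Luhn checksum: filters out random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(lines):
    """Return (line number, masked PAN, YYMM expiry) for each likely Track 2 hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in TRACK2_RE.finditer(line):
            pan, expiry = m.group(1), m.group(2)
            # A valid month plus a passing Luhn check keeps false positives low.
            if 1 <= int(expiry[2:]) <= 12 and luhn_ok(pan):
                findings.append((lineno, mask(pan), expiry))
    return findings

# Constructed sample log; the PANs are public test numbers, not real cards.
SAMPLE_LOG = [
    "2006-05-14 10:02:11 txn=1001 store=0042 amount=59.99 status=APPROVED",
    "2006-05-14 10:02:12 txn=1002 swipe=;4111111111111111=08121010000000000000?",
    "2006-05-14 10:02:13 txn=1003 ref=1234567890123456=99990000 status=VOID",
    "2006-05-14 10:02:15 txn=1004 swipe=;5555555555554444=07052010000000000000?",
]

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_LOG):
        print(hit)
```

Any hit on a server that should only pass transactions through means track data is being retained after authorization, which is the storage the PCI standard forbids.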
By Archana Subramanian, Siva Rajendran, Pragati Bedare