Attorney: TJX Knew Of Data Breach Much Earlier Than It Claims

Written by Evan Schuman
December 14th, 2007

TJX learned of its massive data breach on Oct 3, 2006, more than two months earlier than TJX has told the government it first learned of the breach, according to one of the attorneys representing one of the banks suing the retail chain.

Getting to the bottom of these he said/she said exchanges—which is necessary to put these pieces of information into meaningful context—is made difficult because so much of the supporting material being referenced is still classified as confidential in the lawsuits surrounding the worst data breach in credit card history.

This allows representatives of both sides to make cryptic (and very carefully worded) comments that sometimes suggest more than the facts support.

Here’s the latest parsing of words. Plaintiff attorney Joe Whatley this week told U.S. District Court Judge William Young in open court that TJX knew of the incident much earlier than it had disclosed.

"TJX first became aware of this breach as early as October the 3rd of 2006 when it learned of problems with Discover Cards. It took them over two weeks, roughly the same time it took us to file our amended complaint, for them to even contact a consultant to investigate the matter," Whatley said. "And it took them another two weeks after that to retain the consultant and work out a nondisclosure agreement. And, of course, there were problems. TJX then allowed them to have access to it for a period of time and then terminated them when they found there was a (data breach) problem."

Whatley later confirmed the terminated firm was Cybertrust, which he said was replaced because TJX preferred to use General Dynamics, which was suggested to them through their attorneys. The suggestion was that General Dynamics would be more friendly toward TJX and might be more protective of the chain.

The official TJX position is somewhat different. Or is it? TJX Vice Chairman Donald Campbell issued a statement to The Boston Globe that said, "TJX stands behind the facts that we have previously stated: It was not until on December 18, 2006, that TJX first learned that there was suspicious software on TJX’s computer system, not until December 21, 2006, that we learned there was strong reason to believe our computer system had been intruded upon, and not until December 27, 2006, that we first learned that customer information had apparently been stolen."

Technically, that doesn’t quite contradict Whatley’s comments. Whatley didn’t say anything about when the Trojan Horse was discovered on the network or when "there was strong reason to believe" the system had "been intruded upon."

That said, Whatley’s comments are also not crystal clear and the inability to discuss sealed documents made it difficult to clarify. Many large retailers routinely learn of small credit card frauds. What did the initial Discover communication say? How many cards had been reported as having been breached at that point?

Without those details, it’s impossible to assess whether the Oct. 3 incident established that TJX hadn’t been honest.

But the details also reinforce the appearance that TJX—throughout this incident—has shown more concern about keeping this incident quiet than protecting customer data.

If your house was viciously broken into and ransacked, would you not only hold off calling police and instead bring in your investigators, but would you also insist that the probe not begin until you have negotiated an extensive non-disclosure agreement? Or you would you say, "Find out what the heck happened right away and we’ll worry about the paperwork later"?

TJX’s attorneys have made the argument that details of the initial detection and what TJX did that allowed the intruders to have such extensive network access for so many years need to remain secret because it could provide tips to future attackers.

The only problem with that argument is that TJX has also said that it’s made extensive improvements to its security since the breach was discovered—in TJX’s version—in December 2006. As we’re now approaching 2008, it’s difficult to imagine how discussing the state of the network from two and three years earlier—before the extensive changes were made—could undermine security efforts today.

Unless, of course, what’s really being protected is corporate pride. In that case, it makes perfect sense.


One Comment | Read Attorney: TJX Knew Of Data Breach Much Earlier Than It Claims

  1. john simmons Says:

    this store should be prosecuted criminally.what recourse is there for us little guys when they give our information away?


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.