Stolen TJX Data Was Used One Month Before Retailer Learned Of The Breach

Written by Evan Schuman
March 20th, 2007

Information stolen from the systems of massive retailer TJX was being used fraudulently in November 2006 in an $8 million giftcard scheme, one month before TJX officials said they learned of the breach, according to Florida law enforcement officials.

The significance of this new TJX detail–discovered as Florida authorities issued arrest warrants for 10 suspects and took six of them into custody–is not clear, but it might yield clues as to how TJX learned of the breach.

The $16 billion retail chain has officially said that a huge amount of information was accessed as early as 2005 (with some of the captured data dating back to 2003), but that TJX officials didn’t learn of the breach until December 2006. The company didn’t announce the breach until mid-January 2007, because–according to one credit-card source–of a request from the Secret Service that it was actively pursuing a suspect.

The Florida information raises the possibility that whoever took the data had decided to start using it late last year. Law enforcement pursuing those cases would have found TJX as the common link among all, potentially prompting TJX to more closely examine its systems.

In the Florida case, a group used TJX credit- and debit-card information to do a low-tech clone scam to the tune of about $8 million. The group is accused of taking credit cards and applying new magstripes containing the stolen data. It was not clear if the credit cards displayed the same numbers in plastic embossing that were in the magstripe, said Dominick Pape, the special agent in charge for the Florida Department of Law Enforcement.

Florida officials released the names of the six suspects who were arrested: Irving Escobar, 18; Reinier Camaraza Alvarez, 27; Julio Oscar Alberti, 33; Dianelly Hernandez, 19; Nair Zuleima Alvarez, 40; and Zenia Mercedes Llorente, 23. Four others are still at large, Pape said.

The group has been charged with an organized scheme to defraud and they are also being investigated by the U.S. Secret Service, which participated in the arrests.

Florida officials said the group used the increasingly common tactic of using the bogus credit cards to purchase giftcards and then cashing them at Wal-Mart and Sam’s Club stores. The group usually purchased $400 giftcards because when the giftcards were valued at $500 or more, they were required to go to customer service and show identification, Pape said.

The gift card float technique is attractive to thieves because it buys them more time. When a credit card is stolen and detected by the victim, today’s thief knows that it’s only a matter of hours before the card will be invalidated.

But if the thief immediately uses the card to purchase giftcards, it buys significantly more time. Once the credit card is deactivated, it may take days or weeks before authorities learn what was purchased, down to the exact identification number of those giftcards, and then start invalidating those giftcards.

Florida authorities have video of their suspects from both inside the store and outside, where videotape captured the license plate of a rented vehicle one of the suspects was driving. Items purchased included computers, gaming devices and big screen televisions, police said.

At this stage, authorities are hoping to press the group to identify where they got the card data, on the theory that it will ultimately lead them to the cyber thieves who struck TJX. Pape said it was unlikely that the 10 suspects were the ones who had attacked TJX. “We do not have information today that they were at the high end of the compromise,” he said.

In other TJX news this week, a TJX shareholder–the Arkansas Carpenters Pension Fund–is suing TJX to access records showing how TJX handled data security.


One Comment

  1. Prat Moghe Says:

    Evan – Good coverage as the clues emerge bit by bit. Data breaches reveal the culture in an organization. I just analyzed 318 publicly known data breaches to see where data gets lost. Surprisingly, we found that the largest data loss came from databases holding a large volume of critical data, not from laptops/email/tapes. Wonder where the TJX clues eventually take us to..

