The TJX 11’s Retailers Oblivious To Repeated Breaches

Written by Evan Schuman
August 8th, 2008

Some 3 hours and 19 minutes before the U.S. Justice Department announced to the world that it was charging 11 men with having stolen 41 million payment card numbers from TJX and several other national retailers, a group of Secret Service agents started making phone calls.

These were calls to retailers—including TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, DSW and Forever 21—to tell them that, after a multi-year federal probe, indictments were being unsealed.

One of those retailers—Barnes & Noble—issued a vague statement suggesting that the chain might not have been aware of the incident before the Secret Service team started making those 11:30 AM calls. It said that "we just learned today" about the indictments and that the book chain was listed as a victim. "Although the indictment states that several retailers were targeted, it does not provide specifics about Barnes & Noble and does not list customer names. Barnes & Noble takes the privacy and security of the personal information of our customers very seriously and we are reviewing this matter carefully."

Some of the other retailers made their own statements, usually stressing that the breaches were several years old (Boston Market and BJ’s said 2004, DSW said 2005), when their security was presumably weaker.

What the statements didn’t mention, though, is that none of the retailers mentioned in this case discovered the breaches themselves–neither during the incidents nor after. All learned in various ways, whether from the Secret Service or from a credit card company or a processing bank having detected that chain as a common point of purchase among several consumer victims.
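The detection the article credits to card companies and processing banks, rather than to the retailers, is common-point-of-purchase (CPP) analysis: when a batch of cards is reported for fraud, the issuer looks for a merchant that nearly all of those cards visited but that the wider cardholder population did not. The following is an added illustration, not code from StorefrontBacktalk or from any card network; the transactions, card references and merchant names are constructed placeholders, and the threshold and lift scoring are this example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Transaction:
    card: str       # tokenised card reference (constructed), never a real PAN
    merchant: str   # placeholder merchant name
    when: date


# Constructed sample history. Cards c1-c4 were later reported for fraud,
# c5-c8 were not. Every card shops at the grocer; only the fraud cards
# (plus one control card) shopped at RETAILER-X.
TRANSACTIONS = [
    Transaction("c1", "GROCER", date(2004, 6, 1)),
    Transaction("c1", "RETAILER-X", date(2004, 6, 3)),
    Transaction("c2", "GROCER", date(2004, 6, 2)),
    Transaction("c2", "RETAILER-X", date(2004, 6, 5)),
    Transaction("c2", "GAS-STATION", date(2004, 6, 6)),
    Transaction("c3", "GROCER", date(2004, 6, 4)),
    Transaction("c3", "RETAILER-X", date(2004, 6, 9)),
    Transaction("c4", "RETAILER-X", date(2004, 6, 10)),
    Transaction("c4", "GROCER", date(2004, 6, 11)),
    Transaction("c5", "GROCER", date(2004, 6, 1)),
    Transaction("c5", "GAS-STATION", date(2004, 6, 2)),
    Transaction("c6", "GROCER", date(2004, 6, 3)),
    Transaction("c6", "RETAILER-X", date(2004, 6, 4)),
    Transaction("c7", "GROCER", date(2004, 6, 7)),
    Transaction("c7", "GAS-STATION", date(2004, 6, 8)),
    Transaction("c8", "GROCER", date(2004, 6, 9)),
]
FRAUD_CARDS = {"c1", "c2", "c3", "c4"}


def merchant_card_sets(transactions, since=None):
    """Map merchant -> set of distinct cards seen there, optionally
    restricted to transactions on or after `since`."""
    seen = defaultdict(set)
    for t in transactions:
        if since is None or t.when >= since:
            seen[t.merchant].add(t.card)
    return seen


def common_points_of_purchase(transactions, fraud_cards, min_share=0.75, since=None):
    """Rank merchants as candidate common points of purchase.

    For each merchant, compute the share of fraud-reported cards that
    transacted there and the same share among the remaining (control)
    cards. A merchant is a candidate when its fraud share reaches
    `min_share`; candidates are sorted by lift (fraud share divided by
    control share), so a merchant everyone uses ranks below one that is
    specific to the victims. Returns (merchant, fraud_share,
    control_share, lift) tuples.
    """
    fraud_cards = set(fraud_cards)
    if not fraud_cards:
        return []
    all_cards = {t.card for t in transactions}
    control_cards = all_cards - fraud_cards
    results = []
    for merchant, cards in merchant_card_sets(transactions, since).items():
        fraud_share = len(cards & fraud_cards) / len(fraud_cards)
        control_share = (len(cards & control_cards) / len(control_cards)) if control_cards else 0.0
        if fraud_share >= min_share:
            lift = fraud_share / control_share if control_share else float("inf")
            results.append((merchant, fraud_share, control_share, lift))
    results.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return results


if __name__ == "__main__":
    for merchant, fraud_share, control_share, lift in common_points_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(f"{merchant:12s} fraud={fraud_share:.2f} control={control_share:.2f} lift={lift:.1f}")
```

On the constructed data the grocer is visited by all eight cards and so has a lift of 1.0, while RETAILER-X is visited by all four fraud cards but only one control card and ranks first with a lift of 4.0. This is why an issuer with a cross-merchant view can see a breach that the breached retailer, watching only its own traffic, cannot; it is also why a retailer typically hears about a compromise from its acquirer or the card brands first.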

Of all the retailers targeted, federal officials said, the security systems of only one detected and stopped the break-in attempts, and government officials decided to not reveal that retailer’s identity.

Officials in the class-action lawsuits of the star victim in this case—TJX—differed on exactly when TJX learned of the breach. But the breach was not discovered by TJX’s internal systems nor by any TJX employee, sources familiar with the case said.

It’s not clear if the defendants in this case are accused of being the sole group involved in attacking TJX, but there are numerical discrepancies, leaving that possibility open. Some testimony in the TJX lawsuits put the number of payment cards accessed in that case at more than 100 million, while the number involved in this week’s case is 41 million and that includes all of the retailers involved.

Michael Sullivan, the U.S. Attorney for Massachusetts, said some of the discrepancy might lie in the differences between a number accessed repeatedly and individual numbers.

"We’re talking about distinct numbers. And I don’t know whether or not TJX is referring to distinct numbers being 100 million, or in some instances, numbers taken on multiple occasions, but the same number," Sullivan said, adding that his office has "41 million distinct credit and debit card numbers that we’ve been able to identify, so far."

Part of the problem with wireless breaches is that they leave fairly few fingerprints behind: the data leaves when it is supposed to leave and arrives when it is supposed to arrive. (See David Taylor’s column this week: "How Can You Not Know You’ve Been Hacked?")

The members of the group named in the federal charges have been described as a sophisticated cyber thief alliance, akin to a 21st Century Fagin, assuming Fagin was a programmer and probably a onetime phone phreak.

But Sullivan properly draws a critical distinction: The group—from an organizational and structural perspective—was quite sophisticated. The cyber-thief tactics they used (primarily wardriving), however, were ordinary and anything but advanced.

"Obviously, it was a sophisticated network of people who were able to acquire and hide this information, to their own encryption methods and off-shore and aliases and that sort of thing. They were sophisticated as a criminal organization," Sullivan said, "but people suggest in terms of what they did, that it was not that sophisticated in terms of ease of access. They realized you can drive around and essentially get access to these wireless sites."

Acknowledging the cipher elephant in the room, Sullivan said the retail security systems today are much stronger than they were.

"I’m absolutely confident that the security systems are much more robust and we do a much better job in terms of detecting and preventing these types of breaches today, in 2008, versus where they were at back in 2003. They’ve now put additional bolts and locks on the doors that they realized people were using to get access to in the past," he said. "Having said that, I don’t think a lot of these people are simply giving up and going away. They’re going to continue to be cutting edge with regards to their ability to steal this type of proprietary information. Because it means money to them, I mean you’re talking about potentially huge sums of money with small transactions on each of these accounts."

One retail security expert, who asked to remain anonymous as he works for a large retailer not mentioned in the indictments, agreed that vast improvements in retail security have happened in the last few years—and that PCI deserves a lot of the credit for that. But it’s equally important to note, he said, how absolutely terrible retail security was just a few years ago.

"I think that stores started from a position of absolutely no security. Retailers just ran that wave for years and years," he said. "It wasn’t until PCI kicked in that they started taking security seriously."

And then, around 2000, cyber thieves realized the gold mine that was the retail landscape, especially with wireless access points. The thieves "matured their profession, they refined their tactics. When they found retailers sitting there wide open, they were the proverbial kid in a candy store," he said.

After quite a few bloody noses, retailers started sharply improving security. "The retailers hardened themselves by an order of magnitude," he said. "But 1,000 percent better wasn’t enough."


One Comment

  1. Benjamin Wright Says:

    The numbers surrounding the TJX incident are hard to nail down. Nevertheless, the industry needs to think about the numbers in aggregate. I argue that the aggregate fraud suffered from TJX is small compared to the aggregate cost incurred by card issuers to cancel cards. Therefore, I argue, the industry — as a whole industry — over-reacted to TJX. Data breaches will happen; breaches are inevitable. The response to data breaches must change at an industry (systemic) level. The industry needs to reduce the cost of its response so that the cost of the response is closer to the value of the actual risk. I develop more of my argument at What do you think? –Ben

