StorefrontBacktalk

TJX Intruder Moved 80-GBytes Of Data And No One Noticed

Written by Evan Schuman

October 25th, 2007

Citing new information about the TJX data breach, attorneys suing the clothing retail chain amended their complaints on Thursday and wants a jury to evaluate TJX’s security professionalism.

New details that emerged from documents filed in federal court Thursday include:

A TJX consultant found that not only was TJX not PCI-compliant, but that it had failed to comply with nine of the 12 applicable PCI requirements. Many were "high-level deficiencies," the consultant said.

"After locating the stored data on the TJX servers, the intruder used the TJX high-speed connection in Massachusetts to transfer this data to another site on the Internet" in California. More than "80 GBytes of stored data improperly retained by TJX was transferred in this manner. TJX did not detect this transfer."

In May 2006, a traffic capture/sniffer program was installed on the TJX network by the cyber thieves, where it remained undetected for seven months, "capturing sensitive cardholder data as it was transmitted in the clear by TJX."

In 2004, before the attacks began, TJX was issued a report on its security compliance that "identified numerous serious deficiencies at TJX, including specific violations. TJX did not remedy many of these definciences.

At his deposition, the unnamed TJX consultant said that "he had never seen such a void of monitoring and capturing via logs activity at a Level One merchant as he saw at TJX."

"The data breach at TJX affected more than 100 million separate and distinct credit and debit card account numbers, more than twice the size of the next largest data breach in the history of the country."

The filings confirmed that both Visa and MasterCard have fined TJX. Visa issued "a substantial fine" in connection with the TJX databreach, dubbing it an "egregious violation" of security procedures. The sizes of the fines were not specified.

The filings for the first time also listed the key security problems that a TJX consultant found: improperly configuring its wireless network; not segmenting cardholder data devices from the rest of network traffic; "TJX did not have an IT department that was properly tasked to manage the environment used to store, process or transmit cardholder data,"; improperly storing prohibited cardholder data; using usernames and passwords "that were easy to penetrate"; improper patch procedures; logs not properly maintained; antivirus protection "improper"; and weak intrusion detection.

Thursday’s revised complaint linked the bad security practices with the computer breach, which forces banks to take expensive actions to defend themselves. One key issue in civil cases such as this is whether the defendant can be shown to be simply careless or deliberately reckless. That distinction relies on showing what was likely in the defendant’s mind at the time of the acts that lead to the data breach.

Attorneys for the banks indicated they would try and show that intent with internal TJX documents obtained during discovery. "TJX knew—and discussed internally prior to the breach—that its deficiencies in network and data security could lead to the exact losses incurred here in the many millions of dollars," said the filing, "and that had TJX properly disclosed information about the extent of its noncompliance with network security requirements prior to the breach, then actions to correct the deficiencies and prevent the breach could have been taken."

Posted in IT Strategy/Industry, Payment Systems, Security/Fraud

One Comment | Read TJX Intruder Moved 80-GBytes Of Data And No One Noticed

Ted Says:
October 26th, 2007 at 5:32 pm
These breaches need to be taken much more seriously.

The retailers and other businesses that accept our credit cards are not taking the necessary precautuions to protect our personal information.

The technology exists to prevent this type of fraud but is not being implemented.

I have recieved two notices by mail in the last six months notifying me that my information has been compromised.

These companies must be held liable for their lack of comliance.

I hope they get sued for millions!

Sincerely,

Ted

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retailing Column every month at Retail-Week.com. Please click here for an archive of those columns.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.