TJX Revises Consumer Settlement, Agrees To Pay Cash

Written by Evan Schuman
October 9th, 2007

The Wall Street Journal is reporting that the TJX break-in started in July 2005 with a wireless hack of a Marshalls in St. Paul, Minn., where the thieves “pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers [POS presumably] and the store’s computers. That helped them hack into the central database of Marshalls’ parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.”

The news that the attack was wireless is not unexpected, as wireless attacks have become a very popular means of attacking retail chains and because hints that the TJX attacks were wirelessly based have been frequent. But the level of specifics in the Journal story is surprising.

The story also said that an auditor found that TJX “failed to install firewalls and data encryption on many of its computers using the wireless network, and didn’t properly install another layer of security software it had bought.”

That software could very well have been encryption software from Ingrian Networks. We have reported that Ingrian had sold software to TJX, which hadn’t installed it at the time the data breach was discovered.

One PCI auditor who has been involved in the TJX probe couldn’t confirm all of the details in the Journal but said that a wireless hack is not surprising, as it’s the most common attack method with retail chains today.

“By focusing on those little handheld (pricecheck) guns and their interactions with the database controller, you can capture IP addresses. That’s your gateway,” the auditor told StorefrontBacktalk. [Note to readers: We typically resist referring to ourselves in text, but it’s necessary here to differentiate what our sources told us from what the Journal is quoting sources as telling them.] Even if a store IT manager is watching the traffic, the source said, it often won’t even look suspicious. “They won’t see any difference between you and one of their handheld devices.”

The Journal also reported that the attackers performed “most of their break-ins during peak sales periods to capture lots of data” and then “used that data to crack the encryption code” and then they “digitally eavesdropped on employees logging into TJX’s central database in Framingham and stole one or more user names and passwords. With that information, they set up their own accounts in the TJX system and collected transaction data including credit-card numbers into about 100 large files for their own access. They were able to go into the TJX system remotely from any computer on the Internet,” according to sources who spoke with the Journal. “They were so confident of being undetected that they left encrypted messages to each other on the company’s network, to tell one another which files had already been copied and avoid duplicating work.”

The Journal also referenced a Sept. 29 audit report that found TJX wasn’t PCI compliant. “The auditor’s report cited the outmoded WEP encryption and missing software patches and firewalls. Then on Dec. 18, another auditor found anomalies in the company’s card data. At that point, TJX hired forensics experts from International Business Machines Corp. and General Dynamics Corp. and notified the U.S. Secret Service, which spent a month trying to catch the hackers in the act. But the data thefts stopped and the hackers had obscured their whereabouts by using the Internet addresses of private individuals and public places such as coffee houses. Investigators did find traces of the hackers: altered computer files, suspicious software and some mixed-up data such as time stamps in the wrong order.”
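One of the traces the Journal mentions, time stamps in the wrong order, is something a defender can hunt for mechanically. The following is an added example (not from the article, the Journal or TJX) that flags entries in an append-only log whose time stamps run backwards; the log format and the sample entries are constructed for illustration.

```python
"""Forensic triage heuristic: flag log entries whose time stamps run backwards.

An append-only log should carry non-decreasing time stamps. An entry dated
earlier than the latest one already seen suggests the file was edited,
back-dated or spliced after the fact, or that a clock was tampered with.
"""
from datetime import datetime
import re

# Format assumed for the constructed sample: ISO-8601 time stamp, then message.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(.*)$")

# Constructed sample log (hypothetical hosts and users, not real TJX data).
# The fourth entry is back-dated relative to the entries before it.
SAMPLE_LOG = """\
2005-07-15T22:01:10 login user=storeops src=10.0.4.21 result=ok
2005-07-15T22:03:42 query table=transactions rows=48213
2005-07-15T22:07:05 export file=batch_017.dat size=39MB
2005-07-15T21:58:30 login user=storeops src=10.0.4.21 result=ok
2005-07-15T22:11:59 logout user=storeops
2005-07-15T22:12:03 query table=transactions rows=51020
"""


def parse_line(line):
    """Return (datetime, message), or None when the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"), m.group(2)


def find_timestamp_regressions(text):
    """Return (line_number, timestamp, latest_seen, message) for every entry
    dated earlier than the latest time stamp seen so far. Lines that do not
    parse are skipped but still counted in the line numbering."""
    findings = []
    latest = None
    for number, raw in enumerate(text.splitlines(), start=1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        if latest is not None and ts < latest:
            findings.append((number, ts, latest, msg))
        else:
            latest = ts
    return findings


if __name__ == "__main__":
    for number, ts, latest, msg in find_timestamp_regressions(SAMPLE_LOG):
        print(f"line {number}: {ts} is earlier than {latest} already seen: {msg}")
```

Comparing against the latest time stamp seen, rather than only the immediately preceding entry, also catches a run of back-dated entries that are in order among themselves.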


2 Comments

  1. RabidWolf Says:

    Oh, this is a total crock. $30 vouchers for merchandise that already didn’t sell at ‘suggested retail’? They won’t have my size, or anything I like anyway!
    And now, perhaps, the time and money I had to spend to get a new credit card and number, repair anything that may have automatically used the old number, etcetera, is worth $15? What is that per hour? 37 cents?

    I am totally disgusted. At least the lawyers are happy.


  2. Evan Schuman Says:

    Editor’s Note: Actually, TJX’s proposed settlement has its own area for whatever time a consumer can prove was spent chasing down things to fix the credit problem. But it had a low cap and it assumed that consumers’ time was worth only $10/hour.
    One lawyer involved defended the hourly, saying that it was presumably time spent at home that would not have otherwise been billed at a corporate rate. Maybe.



