Feeds

TJX lost up to 45.6m card numbers

King of breaches

Next gen security for virtualised datacentres

TJX has taken the crown for presiding over the largest credit card heist ever, with a tally of 45.6m numbers lost to unknown thieves who intruded on the US-based retailing giant's networks over a span of 17 months. Personal information, often including social security numbers, for at least 451,000 was also lifted.

There's no reason to believe the theft stopped there. The intruders were able to conceal much of the contents they looted and in the regular course of business TJX administrators deleted many of the files believed stolen. Investigators may never know the true extent of the pilfering, TJX warned.

"Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said in a filing (PDF) with the Securities and Exchange Commission.

Since January, when TJX first said it discovered a breach of sensitive customer data, the company's disclosures have been wanting for details. An update a month later did little to satisfy our need to know. The latest report is slightly improved, offering the following time line:

On December 18, the company initiated an investigation after discovering suspicious software on its network. In short order, IBM and General Dynamics were called in to assist in the probe, and on December 21 they determined there was good reason to believe there was indeed an intruder who remained on the computer network. The investigators devised a plan to contain and monitor the intrusion.

On December 22, TJX met with law enforcement officials to brief them on the intrusion. The law enforcement agencies included the US Secret Service, which asked TJX to withhold disclosure of the breach so its cover wouldn't be blown.

On December 27, the company for the first time determined that customer information was among the data stolen. TJX updated officials of banks and law enforcement of that finding on January 3. Investigators discovered yet more burgled customer details 10 days later.

On January 17, TJX first notified the public, and a day later it learned the intrusion began much earlier than previously believed. The company now says its network was probably breached from July, 2005 to December, 2006. The servers were located in the US and the UK.

At risk are credit and debit card numbers for customers of TJ Maxx, Marshalls, HomeGoods and AJ Wright stores in the US and Puerto Rico, customers of Winners and HomeSense stores in Canada and customers of TK Maxx stores in the UK.

To the credit of TJX, the company said customer names and addresses were not included with payment card data lifted from the US network. TJX's US operation often didn't store "Track 2" data from the a card's magnetic stripe for transactions after September 2003. And by April 3 of last year, the company had started masking payment card PINs and other portions of payment card transactions. This was a great first step but begs the question why the retailer didn't do more to protect its customers.

Individuals suspected of using payment card information stolen from TJX were arrested last week in Florida.

Following yesterday's disclosure, the TJX debacle became the largest known theft of credit card data, topping the previous record held by CardSystems Solutions of 40 million records compromised in 2005, ComputerWorld reported. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.