Feeds

TJX lost up to 45.6m card numbers

King of breaches

SANS - Survey on application security programs

TJX has taken the crown for presiding over the largest credit card heist ever, with a tally of 45.6m numbers lost to unknown thieves who intruded on the US-based retailing giant's networks over a span of 17 months. Personal information, often including social security numbers, for at least 451,000 was also lifted.

There's no reason to believe the theft stopped there. The intruders were able to conceal much of the contents they looted and in the regular course of business TJX administrators deleted many of the files believed stolen. Investigators may never know the true extent of the pilfering, TJX warned.

"Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said in a filing (PDF) with the Securities and Exchange Commission.

Since January, when TJX first said it discovered a breach of sensitive customer data, the company's disclosures have been wanting for details. An update a month later did little to satisfy our need to know. The latest report is slightly improved, offering the following time line:

On December 18, the company initiated an investigation after discovering suspicious software on its network. In short order, IBM and General Dynamics were called in to assist in the probe, and on December 21 they determined there was good reason to believe there was indeed an intruder who remained on the computer network. The investigators devised a plan to contain and monitor the intrusion.

On December 22, TJX met with law enforcement officials to brief them on the intrusion. The law enforcement agencies included the US Secret Service, which asked TJX to withhold disclosure of the breach so its cover wouldn't be blown.

On December 27, the company for the first time determined that customer information was among the data stolen. TJX updated officials of banks and law enforcement of that finding on January 3. Investigators discovered yet more burgled customer details 10 days later.

On January 17, TJX first notified the public, and a day later it learned the intrusion began much earlier than previously believed. The company now says its network was probably breached from July, 2005 to December, 2006. The servers were located in the US and the UK.

At risk are credit and debit card numbers for customers of TJ Maxx, Marshalls, HomeGoods and AJ Wright stores in the US and Puerto Rico, customers of Winners and HomeSense stores in Canada and customers of TK Maxx stores in the UK.

To the credit of TJX, the company said customer names and addresses were not included with payment card data lifted from the US network. TJX's US operation often didn't store "Track 2" data from the a card's magnetic stripe for transactions after September 2003. And by April 3 of last year, the company had started masking payment card PINs and other portions of payment card transactions. This was a great first step but begs the question why the retailer didn't do more to protect its customers.

Individuals suspected of using payment card information stolen from TJX were arrested last week in Florida.

Following yesterday's disclosure, the TJX debacle became the largest known theft of credit card data, topping the previous record held by CardSystems Solutions of 40 million records compromised in 2005, ComputerWorld reported. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.