TJX lost up to 45.6m card numbers

King of breaches

TJX has taken the crown for presiding over the largest credit card heist ever, with a tally of 45.6m numbers lost to unknown thieves who intruded on the US-based retailing giant's networks over a span of 17 months. Personal information, often including social security numbers, for at least 451,000 people was also lifted.

There's no reason to believe the theft stopped there. The intruders were able to conceal much of the contents they looted and in the regular course of business TJX administrators deleted many of the files believed stolen. Investigators may never know the true extent of the pilfering, TJX warned.

"Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said in a filing (PDF) with the Securities and Exchange Commission.

Since January, when TJX first said it discovered a breach of sensitive customer data, the company's disclosures have been wanting for details. An update a month later did little to satisfy our need to know. The latest report is slightly improved, offering the following timeline:

On December 18, the company initiated an investigation after discovering suspicious software on its network. In short order, IBM and General Dynamics were called in to assist in the probe, and on December 21 they determined there was good reason to believe there was indeed an intruder who remained on the computer network. The investigators devised a plan to contain and monitor the intrusion.

On December 22, TJX met with law enforcement officials to brief them on the intrusion. The law enforcement agencies included the US Secret Service, which asked TJX to withhold disclosure of the breach so its cover wouldn't be blown.

On December 27, the company for the first time determined that customer information was among the data stolen. TJX updated officials of banks and law enforcement of that finding on January 3. Investigators discovered yet more burgled customer details 10 days later.

On January 17, TJX first notified the public, and a day later it learned the intrusion began much earlier than previously believed. The company now says its network was probably breached from July, 2005 to December, 2006. The servers were located in the US and the UK.

At risk are credit and debit card numbers for customers of TJ Maxx, Marshalls, HomeGoods and AJ Wright stores in the US and Puerto Rico, customers of Winners and HomeSense stores in Canada and customers of TK Maxx stores in the UK.

To the credit of TJX, the company said customer names and addresses were not included with payment card data lifted from the US network. TJX's US operation often didn't store "Track 2" data from a card's magnetic stripe for transactions after September 2003. And by April 3 of last year, the company had started masking payment card PINs and other portions of payment card transactions. This was a great first step but begs the question why the retailer didn't do more to protect its customers.

Individuals suspected of using payment card information stolen from TJX were arrested last week in Florida.

Following yesterday's disclosure, the TJX debacle became the largest known theft of credit card data, topping the previous record held by CardSystems Solutions of 40 million records compromised in 2005, ComputerWorld reported. ®
