
TJX Companies' Credit Card Data Theft: The Worst Data Theft Ever?

Essay • May 19, 2012 • 1,726 Words (7 Pages)


1. Introduction

This case study is about one of the biggest thefts of credit and debit card information, carried out by a group of hackers against the TJX Companies' computer database.

The TJX Companies, Inc. is the leading off-price retailer of apparel and home fashions in the U.S. and worldwide, ranking 119 in the most recent Fortune 500 listings with nearly $22 billion in revenues in 2010, more than 2,800 stores in six countries and over 160,000 Associates. Their core target customer is a middle- to upper-middle-income shopper who is fashion and value conscious and fits the same profile as a department or specialty store shopper. TJX operates four major divisions with chains that include T.J. Maxx, Marshalls, and Home Goods in the U.S.; Winners, Home Sense, and Marshalls in Canada; and T.K. Maxx and Home Sense in Europe.

On December 18, 2006 the TJX Companies management was informed that its computer system had been infiltrated with suspicious software, and that the intruders had stolen records with at least 45.7 million credit and debit card numbers. The hackers also obtained information such as social security numbers, military identification and driving licenses of more than 451,000 customers. This is considered the biggest theft of cards in history, also because the thefts took place over an eighteen-month period without anyone's knowledge.

The theft started in 2005 outside a Marshalls discount clothing store near St. Paul, Minnesota. Hackers used a telescope-shaped antenna and a laptop to decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers. Once in, they were further able to penetrate into the central database of Marshalls' parent, TJX Cos. in Framingham, Mass.

The problem was first discovered at credit-card issuers such as Fidelity Homestead and the Louisiana savings bank. While its customers were dealing with the consequences of Hurricane Katrina, their accounts started to show strange shopping transactions from Southern California and Mexico. Since then, a wave of card thefts has taken place in Italy, Australia, Mexico and Japan. So far, the TJX-related fraud has been traced in six other states and at least eight countries from Mexico to China.

The thieves gradually became daring and greedy (for example, one of them spent $35,000 on purchases in a single day). Police caught a band of 10 thieves traveling in rented cars, purchasing gift cards from Wal-Mart and Sam's Club stores and using fake credit cards with numbers stolen from hundreds of TJX customers. Over four months, the thieves bought more than $8 million in gift cards and used them to buy computers, flat-screen TVs, and other electronics across 50 of the state's 67 counties.

2. Security controls and weaknesses

The TJX Companies' security system was penetrated through several vulnerable points, such as: encryption, wireless, USB drives, processing logs, compliance and auditing practice.

Encryption - the encryption system used by TJX was WEP (Wired Equivalent Privacy), which is considered an old encryption system that is relatively easy for hackers to crack. The hackers accessed the card information during the approval process and had the decryption key for the encryption software used by TJX.

Wireless Attack - the hackers used mobile data access technology like access point monitoring, maintaining a list of allowed clients and monitoring the network traffic. Data streaming between IP-enabled devices was hacked using an antenna and a laptop.

USB Drives - utility programs were installed through USB drives on computer kiosks located in many of TJX's retail stores, which turned them into remote terminals for hacking data.

Processing Logs - due to the absence of processing logs, it was not possible to track the information that would help true up the number of stolen cards.

Compliance Practice - noncompliance with the PCI (Payment Card Industry) Data Security Standard on encryption, access controls and firewalls. Implementing monthly and yearly audits will ensure compliance with the standards and will help address this gap.

Auditing Practices - the absence of network monitoring and logs, and the presence of unencrypted data, could be addressed by enabling network monitoring and processing logs and by ensuring that all data is stored in an encrypted format.

3. What people, organization, and technology factors contribute to these weaknesses?

Several factors contribute to these weaknesses. One of them is internal: the employees, who can also represent a security threat to the organization. If employees do not know the security procedures, this could be one explanation of how the thieves succeeded in accessing the shop kiosks' USB terminals. Another way could be tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information. Failure to respect the PCI data security standard is another factor. TJX was storing Track 2 data from the magnetic stripe of Visa cards, and this was enough for thieves to fabricate false credit cards.
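The Track 2 storage problem described above can be audited for mechanically. As an added example (not part of the original essay), this Python sketch scans stored log lines for complete Track 2 records and reports only a masked card number; the function names and the sample log lines are constructed for illustration, and the card number used is the widely published Visa test number.

```python
import re

# Track 2 layout: ;PAN=YYMM, 3-digit service code, discretionary data, then ?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep the first 6 and last 4 digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(lines):
    """Return (line_number, masked_pan) for every Luhn-valid Track 2 record."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for m in TRACK2.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((no, mask(m.group(1))))
    return findings

# Constructed sample log lines (not real transaction data).
SAMPLE_LOG = [
    "12:00:01 AUTH req store=0001 track2=;4111111111111111=08121010000000000000? amt=35.00",
    "12:00:02 AUTH resp store=0001 approved code=A1B2C3",
    "12:00:09 AUTH req store=0002 track2=;4111111111111112=08121010000000000000? amt=12.50",
    "12:00:15 RECEIPT card=************1111 amt=35.00",
]

if __name__ == "__main__":
    for no, pan in find_track2(SAMPLE_LOG):
        print(f"line {no}: full Track 2 record stored for card {pan}")
```

Line 3 of the sample is ignored because its number fails the Luhn check, and line 4 shows the truncated form that is acceptable to keep.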

Another important factor that contributes to the weakness was the old Wired Equivalent Privacy (WEP) encryption system. WEP uses RC4, a stream cipher, in synchronous mode for encryption. This requires the key generators on each end to be kept synchronized by some external means; otherwise all remaining data is lost after the first bit of lost data that caused the de-synchronization. Data loss is expected
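The synchronization requirement can be seen in a few lines of Python. This is an added example, not code from the original essay: it implements RC4, shows that one lost ciphertext byte garbles the rest of a continuous stream, and shows WEP-style framing, where each frame restarts RC4 with a 3-byte IV prepended to the shared secret. The framing is simplified (no CRC-32 integrity value), and the key, messages and function names are constructed for illustration.

```python
def rc4_keystream(key: bytes, n: int) -> bytes:
    """Generate n bytes of RC4 keystream for the given key."""
    S, j = list(range(256)), 0
    for i in range(256):                       # key scheduling (KSA)
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # output generation (PRGA)
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR the data with the keystream."""
    return xor(data, rc4_keystream(key, len(data)))

def decrypt_with_lost_byte(key: bytes, plaintext: bytes, lost: int) -> bytes:
    """One continuous stream: drop ciphertext byte `lost`, then decrypt."""
    ct = rc4(key, plaintext)
    return rc4(key, ct[:lost] + ct[lost + 1:])

def frame_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """WEP-style framing: RC4 restarts per frame with key = IV || secret."""
    return iv + rc4(iv + secret, payload)      # the 3-byte IV travels in clear

def frame_decrypt(secret: bytes, frame: bytes) -> bytes:
    return rc4(frame[:3] + secret, frame[3:])

# Constructed sample values, not taken from any real network.
SECRET = b"\x01\x02\x03\x04\x05"               # 40-bit, WEP-sized secret
MSG = b"PRICE CHECK SKU 000123"

if __name__ == "__main__":
    garbled = decrypt_with_lost_byte(b"Key", MSG, 5)
    print(garbled[:5], garbled[5:])            # intact prefix, garbled tail
    f1 = frame_encrypt(b"\x00\x00\x01", SECRET, b"frame one")
    f2 = frame_encrypt(b"\x00\x00\x02", SECRET, b"frame two")
    print(frame_decrypt(SECRET, f2))           # readable even if f1 is lost
    f3 = frame_encrypt(b"\x00\x00\x01", SECRET, b"frame 3!!")
    print(xor(f1[3:], f3[3:]) == xor(b"frame one", b"frame 3!!"))
```

The last line shows the cost of this design: when an IV repeats, the two frames share a keystream, and the IV is only 24 bits long.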


