[ISN] TJX. Un-answered questions.

From: InfoSec News (alerts@private)
Date: Mon Sep 10 2007 - 22:16:40 PDT


Posted by Richard Stiennon
September 9th, 2007

Repercussions from the biggest reported data breach incident in history 
are still being felt. Last month's arrest of a dealer in stolen credit 
cards in Istanbul is just one example of how information stolen from TJX 
Companies is still being used by criminals. As I prepare for a talk I am 
giving at tomorrow's Security Standard event in Chicago, I realize that 
TJX, the holding company that owns TJ Maxx, Marshalls, and a number of 
other retail operations, is being less than transparent about the breach 
it first announced last January 17.

According to TJX's official communications through its press releases 
and an SEC filing, it first became aware of the presence of 
unauthorized software on its computer systems on December 18 and 
reported it for the first time to Federal authorities on December 22nd.

There have been several speculative articles about how the breach 
occurred, but never an explicit description from TJX. One article in the 
Wall Street Journal claims that the thieves broke in via a poorly set up 
wireless access point in a Marshalls store in St. Paul, Minnesota. 
Another less circulated story is that thieves broke into multiple TJ 
Maxx stores via kiosks that were kept in the back of the store for 
accepting job applications. I believe that there were multiple incidents 
over a period of at least four years and that TJX had such bad security 
procedures that it was open season on their data by many hackers.

Question number one that I would love to hear the answer to: Exactly how 
and when did these breaches occur?

Now let's get back to the date that TJX reports it first learned of any 
incident, December 18th, 2006. Remember the arrests in Florida of the 
criminal gang that was using stolen TJX credit card information to 
manufacture fake credit cards and purchase fresh gift cards? Well, 
Florida prosecutors filed documents in court regarding their 
investigation in November 2006! They knew where the stolen credit cards 
had come from, TJX, and they cited documents provided by TJX that 
indicated the cards were stolen in May of 2006. Pretty strange that TJX now 
denies that. From an article in the Boston Globe:

    However, a document filed by Florida police officials says that TJX 
    reported a breach involving thousands of card numbers to the Secret 
    Service in March of 2006, nine months earlier. Florida officials 
    filed the document in connection with the arrests of six people 
    charged with using information taken from TJX to steal millions of 
    dollars' worth of goods.

Question number 2: When did the first breach occur and when did TJX 
discover it?

Reporting of these details is important for one reason: to help other 
companies prepare for similar incidents. You would not want some other 
retailer to get caught with no defenses and succumb to similar attacks. 
Of course, the Lowe's case from 2003 was an excellent early warning. If TJX 
had any sort of security capability at all, that incident alone should 
have woken them up. They could have easily avoided this mess if only 
they had been listening to the early warnings.

This archive was generated by hypermail 2.1.3 : Mon Sep 10 2007 - 22:26:57 PDT