Investigators told The Wall Street Journal they believe the thieves aimed a telescope-shaped antenna at the store and used a laptop to snatch data transmitted between hand-held price-checking devices, cash registers and the store's computers. The exploit eventually led them into the central database of Framingham-based TJX, where they would repeatedly rob the system of sensitive customer data.
This latest revelation comes two weeks after three New England banking associations and some individual banks announced a lawsuit against TJX. Banks have suffered a heavy financial toll over the breach, having to shell out a significant sum of money to replace compromised cards and cover fraudulent charges traced back to the TJX incident. The Massachusetts Bankers Association, Connecticut Bankers Association, Maine Association of Community Banks and some individual banks argue that TJX failed to protect customer data with adequate security measures, and that the retail giant was less than honest about how it handled data.
TJX has acknowledged that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. The company gave a tally of the damage in a regulatory filing with the Securities and Exchange Commission (SEC) in March, and also acknowledged that another 455,000 customers who returned merchandise without receipts were robbed of their driver's license numbers and other personal information.
Avivah Litan, vice president of research with Stamford, Conn.-based Gartner Inc., has called the TJX breach the largest online burglary ever.
By comparison, 26.5 million veterans and active duty personnel were affected by the theft of a Department of Veterans Affairs (VA) laptop and external hard drive last year. And in 2005, credit card transaction processor CardSystems Solutions Inc. acknowledged that hackers had stolen 263,000 customer credit card numbers and exposed 40 million more to fraud.
TJX acknowledged in January that an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check, and merchandise return transactions.
The TJX breach was worse than first thought. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, TJX recently admitted that thieves were inside the network several other times, beginning in July 2005. In last month's SEC filing, the company said the stolen data covers transactions dating back even further, to December 2002. The Federal Trade Commission (FTC) is investigating the breach.
TJX violated some of the basic tenets of the PCI Data Security Standard (PCI DSS), several PCI auditors told SearchSecurity.com recently, and the company will pay a heavy financial price. They said companies should study the TJX security breach for clear lessons on what not to do with customer data.
The Massachusetts Bankers Association has reported that several of its member banks have been affected by fraudulent transactions associated with the TJX data breach. The stolen data has reportedly been used to make purchases in Florida, Georgia and Louisiana as well as Hong Kong and Sweden, for example. In addition, credit card issuers have contacted at least 60 banks about compromised cards.
Law enforcement officials in Florida, meanwhile, claim thieves were using customer data from TJX last November for a gift card scheme -- a month before TJX learned of the breach. Police charged six people with using the credit card numbers to purchase about $1 million in merchandise with gift cards.
TJX also faces litigation from other groups. The Arkansas Carpenters Pension Fund -- which owns 4,500 shares of TJX stock -- filed a suit against the company under a law permitting shareholders to sue for access to corporate documents in certain cases. The pension fund wants the records to see whether TJX's board has been doing its job in overseeing the company's handling of customer data.
In late January, a West Virginia woman filed a class action lawsuit against the company accusing it of negligence for not doing enough to secure customer data and for keeping quiet about the breach for a month.