Friday, March 30, 2007

TJX Data Breach -- 45 Million Cardholder Accounts -- Thieves Had Encryption Key

In the past few days, newspapers, TV and the internet have all been saturated with news about the TJX data breach. Most reports state that information about 45.7 million credit and debit cards was stolen. According to the Washington Post, approximately 75% of the cards had expired by the time of the theft or the data stolen did not include security information. In September 2003, TJX started "masking" much of the sensitive data, meaning that it was partially or completely overwritten with asterisks. In other words, card account numbers would have been stored as "**** **** **** 1234."
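The masking described above, done right, is a storage-time control: all but the last four digits are overwritten before the record is written, so there is nothing for a later intruder to decrypt. The following is an added example (not code from the original post and not TJX's software) showing one way to apply such masking to transaction records before they are stored. The candidate pattern, the sample record and the field names are assumptions; the Luhn check only exists so that other long digit runs (order ids, timestamps) are left alone.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, as printed on receipts or written to logs. Assumed pattern for
# this example, not drawn from TJX's systems.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check, which every issued payment card number satisfies.
    Used here only to avoid masking unrelated long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Overwrite all but the last `keep_last` digits with asterisks, keeping
    the original separators so the result reads like "**** **** **** 1234".
    The overwrite is irreversible: the masked value cannot be decrypted."""
    n_digits = sum(c.isdigit() for c in pan)
    to_mask = max(n_digits - keep_last, 0)
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append("*" if seen < to_mask else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def mask_pans_in_text(text: str) -> str:
    """Mask every Luhn-valid PAN candidate in a record before it is stored."""
    def repl(m):
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(raw) if luhn_ok(digits) else raw
    return PAN_CANDIDATE.sub(repl, text)


# Constructed sample record for this example; not real transaction data.
SAMPLE = "2007-03-30 12:00:00 txn=20070330123456 pan=4111 1111 1111 1111 amt=42.10"

if __name__ == "__main__":
    print(mask_pans_in_text(SAMPLE))
    # 2007-03-30 12:00:00 txn=20070330123456 pan=**** **** **** 1111 amt=42.10
```

The 14-digit transaction id in the sample fails the Luhn check and is left intact, while the card number is overwritten. Note the contrast with encryption: a masked record stays useless even to someone who, like the intruder described in the 10-K, holds the decryption tool.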

This information follows on reports earlier this week of the arrest of a number of people in Florida who were caught buying gift cards at Wal-Mart using stolen TJX card data and then using those gift cards at Sam's Club stores (an affiliate of Wal-Mart) to purchase electronics and jewelry. Police estimate the scam netted $8 million. These bad guys are not suspected of the TJX data theft itself but rather are thought to have obtained the stolen card numbers from the data thieves. They manufactured counterfeit cards carrying the stolen account numbers, which they then used to buy gift cards at a number of Wal-Marts across Florida.

The information for most of the news reports comes from a 10-K report which TJX filed with the Securities and Exchange Commission on March 28, 2007. The most ominous, and to my knowledge so far unreported, statement in the filing is this:

Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX.

The 10-K also states that one reason TJX has had difficulty determining what data was stolen is that many of the files in question were deleted in the normal course of business.

TJX's filing lays out the time line for the discovery and reporting of the intrusion.

On December 18, 2006, we learned of suspicious software on our computer systems. We immediately initiated an investigation, and the next day, General Dynamics Corporation and International Business Machines Corporation, leading computer security and incident response firms, were engaged to assist in the investigation. They determined on December 21, 2006 that there was strong reason to believe that our computer systems had been intruded upon and that an Intruder remained on our computer systems. With the assistance of our investigation team, we immediately began to design and implement a plan to monitor and contain the ongoing Computer Intrusion, protect customer data and strengthen the security of our computer systems against the ongoing Computer Intrusion and possible future attacks.

On December 22, 2006, we notified law enforcement officials of the suspected Computer Intrusion and later that day met with representatives of the U.S. Department of Justice, U.S. Secret Service and U.S. Attorney, Boston Office to brief them. At that meeting, the U.S. Secret Service advised us that disclosure of the suspected Computer Intrusion might impede their criminal investigation and requested that we maintain the confidentiality of the suspected Computer Intrusion until law enforcement determined that disclosure would no longer compromise the investigation.

With the assent of law enforcement, on December 26 and December 27, 2006, we notified our contracting banks and credit and debit card and check processing companies of the suspected Computer Intrusion (we refer to credit and debit cards as “payment cards”). On December 27, 2006, we first determined that customer information had apparently been stolen from our computer systems in the Computer Intrusion. On January 3, 2007, we, together with the U.S. Secret Service, met with our contracting banks and payment card and check processing companies to discuss the Computer Intrusion.

Prior to the public release of information with respect to the Computer Intrusion, we provided information on the Computer Intrusion to the U.S. Federal Trade Commission, U.S. Securities & Exchange Commission, Royal Canadian Mounted Police and Canadian Federal Privacy Commissioner. Upon the public release, we also provided information to the Massachusetts and other state Attorneys General, California Office of Privacy Protection, various Canadian Provincial Privacy Commissioners, the U.K. Information Commissioner, and the Metropolitan Police in London, England.

In an (un)related matter, the TJX Board recently approved a $1 billion stock buy-back program.
