At least 45.7 million credit card numbers were stolen by criminal hackers from TJX, a major global retailer, making the attack the largest recorded such data theft to date.
The cost to its customers is unknown. The cost to the company is so far $5m to investigate the incident, a penny off fourth-quarter earnings per share, indeterminate brand damage and the potential for customer lawsuits, and public and private fines and penalties.
The retailer, which has about 2,500 stores under brands including TJ Maxx in the US and TK Maxx in the UK, disclosed the breach in January, but just released a fairly comprehensive executive summary of the attack in a regulatory filing this week.
In testament to the complexity of its systems, the sophistication of the attacker and/or the lack of adequate defenses, it took the company 17 months to figure out it had been hacked, and outside consultants another week to figure out that vast amounts of data had been stolen.
Based on our investigation to date, we believe that our computer systems were first accessed by an unauthorized Intruder in July 2005, on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007, the company’s filing said.
TJX found suspicious software on some of its systems on December 18 last year. It hired IBM and General Dynamics to investigate. These investigators determined, three days later, that TJX’s systems had been compromised and that the attacker still had access.
What eventually emerged was wholesale data theft on a baffling scale.
We suspect the data believed stolen in 2005 related to somewhere between approximately half to substantially all of the transactions at US, Puerto Rican and Canadian stores during the period from December 31, 2002 through June 28, 2004, the company said.
The data stolen included drivers’ license, military and state identification numbers, which are often the same set of digits as the individual’s social security number, together with names and addresses.
And TJX is actually under-stating the issue. It hasn’t finished its investigation. There are encrypted customer files that the company thinks were stolen but which it has not yet decrypted. The attacker had access to the decryption key, according to the filing.
The attacker apparently was not able to access data at rest in 2006, because it was encrypted, but he managed to intercept credit card number as they were transmitted – in clear text – to card issuers. He logged all that data to about 100 files, which he then took.
At least two of those files are believed to relate to transactions at stores in UK and Ireland branches.
At 45.7 million records, the theft dwarfs the previous largest such attack. In June 2005, payments processor CardSystems disclosed the theft of 40 million card records.