TJX CREDIT CARD COMPROMISE
In July 2005, systems that processed and stored data related to credit card payments at the TJX group of companies across the US (and TK Maxx stores in the UK) were accessed illegally. The intruders were apparently able to continue accessing these systems unnoticed until mid-December 2006. With the credit and debit card information of 96 million customers stolen during this period, it was the biggest such compromise ever at the time and is thought to have cost TJX, banks and insurers a total of £150 million.
It has been reported that a “sniffer” was installed on the payment network, allowing at least 80GB of card data to be captured and siphoned off. This was transferred to a remote server, again undetected, using TJX’s own high-speed network. Albert Gonzalez, a well-known hacker working as an informant for the US Secret Service at the time, was eventually convicted as the ringleader in this case and sentenced to 20 years.
The mitigation against such an attack is the same now as it was then: regular security audits to ensure best practice is followed. TJX was culpable for misconfigured wireless networks, inadequate intrusion detection, lax patching strategies and weak login systems. Multilayered protection and some measure of log analysis would have spotted the unusual data flow patterns and alerted TJX to the data exfiltration.
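The kind of log analysis described above can be sketched as follows. This is an added example, not part of the original article: it sums each payment-segment host's daily outbound bytes from flow records and flags days far above that host's own baseline. The addresses, volumes, segment range and thresholds are constructed assumptions and do not describe TJX's actual network.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Assumption: 10.20.0.0/24 stands in for a payment-processing segment.
PAYMENT_NET = ipaddress.ip_network("10.20.0.0/24")

def build_sample_flows():
    """Constructed flow summaries: (day, src_ip, dst_ip, bytes_out)."""
    flows = []
    for day in range(1, 15):
        flows.append((day, "10.20.0.5", "198.51.100.10", 40_000_000 + day * 500_000))
        flows.append((day, "10.20.0.7", "198.51.100.10", 35_000_000))
        flows.append((day, "10.20.0.5", "10.20.0.7", 900_000_000))  # internal only
    # Constructed anomaly: bulk transfers to an unfamiliar external address.
    flows.append((13, "10.20.0.7", "203.0.113.77", 6_000_000_000))
    flows.append((14, "10.20.0.7", "203.0.113.77", 7_500_000_000))
    return flows

def daily_egress(flows):
    """Bytes per (src, day) leaving the payment segment for outside hosts."""
    totals = defaultdict(int)
    for day, src, dst, nbytes in flows:
        inside_src = ipaddress.ip_address(src) in PAYMENT_NET
        inside_dst = ipaddress.ip_address(dst) in PAYMENT_NET
        if inside_src and not inside_dst:
            totals[(src, day)] += nbytes
    return totals

def find_egress_anomalies(flows, min_history=7, threshold=6.0):
    """Flag host-days whose egress is far above that host's own median."""
    totals = daily_egress(flows)
    days = sorted({day for _, day in totals})
    alerts = []
    for src in sorted({s for s, _ in totals}):
        history = []
        for day in days:
            value = totals.get((src, day), 0)
            if len(history) >= min_history:
                base = median(history)
                mad = median([abs(v - base) for v in history])
                # Floor the scale so a perfectly flat baseline cannot divide by ~0.
                scale = max(1.4826 * mad, 0.05 * base, 1.0)
                score = (value - base) / scale
                if score > threshold:
                    alerts.append((src, day, value, round(score, 1)))
                    continue  # keep flagged days out of the baseline
            history.append(value)
    return alerts
```

Using the median and median absolute deviation, and excluding flagged days from the history, keeps a sustained transfer from gradually raising the baseline until it looks normal.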