The massive data breach at $16 billion retailer TJX involved someone apparently armed with the chain’s encryption key, but it might not have been needed as the cyber-thief was accessing data during the card-approval process before it was encrypted.
These are among the latest details in what is almost certainly the worst retail data breach ever.
In a 10-K filing to the federal SEC (Securities & Exchange Commission), TJX said it didn’t know who the intruders were, but it did provide more details about what they say happened that led to the card information of some 46 million consumers to get into unauthorized hands.
The intruder or intruders here apparently planted software in TJX systems to capture data throughout the day and they also engaged in an increasingly popular tactic: post-event cleanup.
That’s where intruders spend extra effort cleaning up their tracks—deleting and otherwise tampering with log files, changing clock settings and moving data to hide their movements.
“Due to the technology utilized by the intruder, we are unable to determine the nature or extent of information included in these files. Despite our masking and encryption practices on our Framingham system in 2006, the technology utilized in the computer intrusion during 2006 could have enabled the intruder to steal payment-card data the payment card issuer’s approval process, in which data (including the track 2 data) is transmitted to payment-card issuer’s without encryption,” the filing stated. “Further, we believe that the intruder had access to the decryption tool for the encryption software utilized by TJX.”
Read more here about the data breach.
Veteran retail technology analyst Paula Rosenblum, a vice president with Retail Systems Alert Group, said the fact that the software went undiscovered for so long is most troubling.
