TJX: Anatomy of a Massive Breach

The record-breaking breach suffered by the TJX Companies didn’t just happen—it was the result of conscious choices made by the retailer’s IT executives to risk not adopting security best practices, and regulators’ decisions to treat the retailer with kid gloves.

In 2004, Visa, MasterCard, American Express and other major credit card processors established the Payment Card Industry Data Security Standard (PCI). The standard set minimum security expectations for merchants and others that accept credit and bank cards as payment for goods and services. Initially, TJX failed nine of the dozen PCI requirements, and it continued to shirk compliance over the course of the next two years.

Rather than taking rigorous enforcement action, Visa gave TJX a pass, on the condition that it would aggressively move to improve its security. There’s no telling if MasterCard or American Express tried taking action, since Visa is the only credit card processor to publicly report its compliance enforcement.

Unbeknownst to everyone, at that point TJX had been compromised for nearly a year and was already hemorrhaging credit card data to hackers. The result was an enormous data breach that wasn’t discovered until December 2006. When the damage was fully assessed in January 2007, more than 94 million credit card transactions were found to have been compromised—the largest data breach in Internet history to date.

A year would go by before Visa would come at TJX again, but it still took a sidestepping approach to the security problems by contacting one of TJX’s supporting banks, Fifth Third Bancorp, in Cincinnati. In a Dec. 29, 2005, letter to the bank, Visa vice president for fraud control Joseph Majka warned Fifth Third that TJX needed to get on top of its security program.

“Visa will suspend fines until Dec. 31, 2008, provided your merchant continues to diligently pursue remediation efforts,” Majka’s letter stated. “This suspension hinges upon Visa’s receipt of an update by June 30, 2006, confirming completion of stated milestones.”

This second chance fell on deaf ears, though, because at TJX’s Framingham, Mass., headquarters, the main security focus had been finding ways to skirt auditing requirements and save money.

Just a month prior to Majka’s letter, TJX CIO Paul Butka had sent an e-mail to his troops illustrating this attitude of check-box compliance. In the message, Butka suggested delaying conversion of in-store wireless encryption standards from the easily cracked Wired Equivalent Privacy (WEP) to Wi-Fi Protected Access (WPA). Butka clearly understood that WEP was less than ideal, but at the time PCI did not explicitly mandate WPA. Butka believed TJX should take advantage of the leniency to save cash, in spite of the security risks.

“My understanding [is that] we can be PCI-compliant without the planned FY07 upgrade to WPA technology for encryption because most of our stores do not have WPA capability without some changes,” Butka wrote. “WPA is clearly best practice and may ultimately become a requirement for PCI compliance sometime in the future. I think we have an opportunity to defer some spending from FY07’s budget by removing the money for the WPA upgrade, but would want us all to agree that the risks are small or negligible.”

Not all of the TJX IT staff agreed. That day, IT staffer Lou Julian replied: “Saving money and being PCI-compliant is important to us, but equally important is protecting ourselves against intruders. Even though we have some breathing room with PCI, we are still vulnerable with WEP as our security key. It must be a risk we are willing to take for the sake of saving money and hoping we do not get compromised.”

Several weeks later, Richard Ferraioli, another senior-level IT staffer, expressed his concerns in a follow-up message that sticking with WEP was counter to the spirit of the PCI mandate: “The absence of rotating keys in WEP means that we truly are not in compliance with the requirements of PCI. This becomes an issue if this fact becomes known and potentially exacerbates any findings should a breach be revealed.”

Ferraioli’s prophecy proved truer than he might have imagined. While TJX dawdled, the hackers were busily milking the insecure systems for valuable credit card data. Investigators believe that the most targeted attacks began in May 2006, when criminals used special antennas outside a Marshall’s store in St. Paul, Minn., to capture WEP-encrypted wireless transmissions between in-store bar code scan guns and data receivers connected to corporate networks. From there, the crooks cracked the WEP protection and used the opening to gain access to vulnerable company databases storing Track 2 data from the magnetic stripes found on payment cards.

Track 2 data—the most sensitive on a credit card—can give criminals the means to easily manufacture counterfeit cards. PCI expressly prohibits retention of Track 2 data. The hackers transferred this data and other credit card information, more than 80 gigabytes’ worth, to a server in California. In addition, they installed a traffic-sniffing program on TJX’s network to collect unencrypted credit card transactions.

TJX won’t comment on its security measures—or describe precisely what it did to resolve the PCI compliance problems and repair the deficiencies that led to the breach—but the company has stated that its security issues have been resolved.