TJX, parent corporation of TJ Maxx and notorious for the recent colossal credit card breach of 2006 (we weren’t told until 2007, but I digress), is a U.S. public company. As such, they are required to file a quarterly report to the SEC called a 10-K.
TJX’s 10-K provides a chilling account of the breach, from discovery through disclosure to law enforcement, and finally the public. It details what they know and don’t know.
Here is how the long narrative begins…
We suffered an unauthorized intrusion into portions of our computer systems that process and store information related to customer transactions that we believe resulted in the theft of customer data. We do not know who took this action and whether there were one or more intruders involved (we refer to the intruder or intruders collectively as the “Intruder”), or whether there was one continuing intrusion or multiple, separate intrusions (we refer to the intrusion or intrusions collectively as the “Computer Intrusion”). We are engaged in an ongoing investigation of the Computer Intrusion, and the information provided in this Form 10-K is based on the information we have learned in our investigation to the date of this Form 10-K. We do not know what, if any, additional information we will learn in our investigation, but that information could materially add to or change the information provided in this Form 10-K.
…the above contains some of the legalese (the terms “Intruder” and “Computer Intrusion” used throughout the report). The report continues with a description of the discovery…
Discovery of Computer Intrusion. On December 18, 2006, we learned of suspicious software on our computer systems. We immediately initiated an investigation, and the next day, General Dynamics Corporation and International Business Machines Corporation, leading computer security and incident response firms, were engaged to assist in the investigation. They determined on December 21, 2006 that there was strong reason to believe that our computer systems had been intruded upon and that an Intruder remained on our computer systems. With the assistance of our investigation team, we immediately began to design and implement a plan to monitor and contain the ongoing Computer Intrusion, protect customer data and strengthen the security of our computer systems against the ongoing Computer Intrusion and possible future attacks.
On December 22, 2006, we notified law enforcement officials of the suspected Computer Intrusion and later that day met with representatives of the U.S. Department of Justice, U.S. Secret Service and U.S. Attorney, Boston Office to brief them. At that meeting, the U.S. Secret Service advised us that disclosure of the suspected Computer Intrusion might impede their criminal investigation and requested that we maintain the confidentiality of the suspected Computer Intrusion until law enforcement determined that disclosure would no longer compromise the investigation.
With the assent of law enforcement, on December 26 and December 27, 2006, we notified our contracting banks and credit and debit card and check processing companies of the suspected Computer Intrusion (we refer to credit and debit cards as “payment cards”). On December 27, 2006, we first determined that customer information had apparently been stolen from our computer systems in the Computer Intrusion. On January 3, 2007, we, together with the U.S. Secret Service, met with our contracting banks and payment card and check processing companies to discuss the Computer Intrusion.
Prior to the public release of information with respect to the Computer Intrusion, we provided information on the Computer Intrusion to the U.S. Federal Trade Commission, U.S. Securities & Exchange Commission, Royal Canadian Mounted Police and Canadian Federal Privacy Commissioner. Upon the public release, we also provided information to the Massachusetts and other state Attorneys General, California Office of Privacy Protection, various Canadian Provincial Privacy Commissioners, the U.K. Information Commissioner, and the Metropolitan Police in London, England.
On January 13, 2007, we determined that additional customer information had apparently been stolen from our computer systems.
On January 17, 2007, we publicly announced the Computer Intrusion and thereafter we expanded our forensic investigation of the Computer Intrusion.
On February 18, 2007, in the course of our ongoing investigation, we found evidence that the Computer Intrusion may have been initiated earlier than previously reported and that additional customer information potentially had been stolen. On February 21, 2007, we publicly announced additional findings on the timing and scope of the Computer Intrusion.
…so that’s the timeline on the discovery. Their actions in terms of quickly involving law enforcement and banking at all levels is laudable and appropriate. Then again, they knew that this was a serious situation, and they’d be criticized for slow response later if they didn’t act quickly.
The report continues by describing the timeline of the intrusions:
Timing of Computer Intrusion. Based on our investigation to date, we believe that our computer systems were first accessed by an unauthorized Intruder in July 2005, on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007, but that no customer data were stolen after December 18, 2006.
…short and to the point.
Next, TJX talks about the systems affected. This is where it gets interesting, because we get the impression that they aren’t really sure which systems were compromised, or from which systems data was stolen:
Systems Affected in the Computer Intrusion. We believe that information was stolen in the Computer Intrusion from a portion of our computer systems in Framingham, MA that processes and stores information related to payment card, check and unreceipted merchandise return transactions for customers of our T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico and our Winners and HomeSense stores in Canada (“Framingham system”) and from a portion of our computer systems in Watford, U.K. that processes and stores information related to payment card transactions at T.K. Maxx in the United Kingdom and Ireland (“Watford system”). We do not believe that the Computer Intrusion affected the portions of our computer systems handling transactions for customers of Bob’s Stores, or check and merchandise return transactions at T.K. Maxx. We do not believe that customer personal identification numbers (PINs) were compromised, because, before storage on the Framingham system, they are separately encrypted in U.S., Puerto Rican and Canadian stores at the PIN pad, and because we do not store PINs on the Watford system. We do not believe that information from transactions using debit cards issued by Canadian banks at Winners and HomeSense that were transacted through the Interac network was compromised. Although we believe that information from transactions at our U.S. stores (other than Bob’s Stores) using Canadian debit cards that were transacted through the NYCE network were processed and stored on the Framingham system, we do not believe the PINs required to use these Canadian debit cards were compromised in the Computer Intrusion. We do not process or store names or addresses on the Framingham system in connection with payment card or check transactions.
…we can speculate on the reasons why TJX doesn’t know which systems were affected. Could it be that the intruder(s) washed the audit logs, or accessed the data in a way that didn’t show up on audit logs?
There are also some hints appearing that suggest that TJX was not following PCI requirements in terms of what information may be stored and which may not. Note there they say “We do not believe that customer personal identification numbers (PINs) were compromised, because, before storage on the Framingham system…” !! It sounds like they were storing PINs on the “Framingham system” which is clearly a violation of PCI requirements. PIN must never be stored on a merchant system.
Next, the report describes the data that was stolen.
Customer Information Believed Stolen. We have sought to identify customer information stolen in the Computer Intrusion. To date, we have been able to identify only some of the information that we believe was stolen. Prior to discovery of the Computer Intrusion, we deleted in the ordinary course of business the contents of many files that we now believe were stolen. In addition, the technology used by the Intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006. Given the scale and geographic scope of our business and computer systems and the time frames involved in the Computer Intrusion, our investigation has required a substantial period of time to date and is not completed. We are continuing to try to identify information stolen in the Computer Intrusion through our investigation, but, other than the information provided below, we believe that we may never be able to identify much of the information believed stolen.
Based on our investigation, we have been able to determine some details about information processed and stored on the Framingham system and the Watford system. Customer names and addresses were not included with the payment card data believed stolen for any period, because we do not process or store that information on the Framingham system or Watford system in connection with payment card transactions. In addition, for transactions after September 2, 2003, we generally no longer stored on our Framingham system the security data included in the magnetic stripe on payment cards required for card present transactions (“track 2” data), because those data generally were masked (meaning permanently deleted and replaced with asterisks). Also, by April 3, 2006, our Framingham system generally also masked payment card PINs, some other portions of payment card transaction information, and some portions of check transaction information. For transactions after April 7, 2004 our Framingham system also generally began encrypting (meaning substituted characters for the actual characters using an encryption algorithm provided by our software vendor) all payment card and check transaction information. With respect to the Watford system, masking and encryption practices were generally implemented at various points in time for various portions of the payment card data.
Until discovery of the Computer Intrusion, we stored certain customer personal information on our Framingham system that we received in connection with returns of merchandise without receipts and in some check transactions in our U.S., Puerto Rican and Canadian stores (other than Bob’s Stores). In some cases, this personal information included drivers’ license, military and state identification numbers (referred to as “personal ID numbers”), together with related names and addresses, and in some of those cases, we believe those personal ID numbers were the same as the customers’ social security numbers. After April 7, 2004, we generally encrypted this personal information when stored on our Framingham system. We do not process or store information relating to check or merchandise return transactions or customer personal information on the Watford system.
…it is clear that much more than just credit card data was stolen. There were apparently many incidents of other information, including drivers’ license, military and state identification numbers, names and addresses, social security numbers, and perhaps more.
The report continues:
Information Believed Stolen in 2005. As we previously publicly reported, we believe customer data were stolen in September and November 2005 relating to a portion of the payment card transactions made at our stores in the U.S., Puerto Rico and Canada (excluding transactions at Bob’s Stores and transactions made at Winners and HomeSense through the Interac network with debit cards issued by Canadian banks) during the period from December 31, 2002 through June 28, 2004. We suspect the data believed stolen in 2005 related to somewhere between approximately half to substantially all of the transactions at U.S., Puerto Rican and Canadian stores during the period from December 31, 2002 through June 28, 2004 (excluding transactions at Bob’s Stores and transactions made at Winners and HomeSense through the Interac network with debit cards issued by Canadian banks). The data were included in files routinely created on our Framingham system to store customer data, but the contents of many of the files were deleted in the ordinary course of business prior to discovery of the Computer Intrusion.
…the report than shows a chart that indicates the number of cards compromised. I’ll summarize here:
Payment Card Status at Time of Believed Theft
Transactions from 12/31/02 – 11/23/03
Expired Cards: Track 2 data masked: 5,600,000 cards; All card data in the clear: 25,000,000 cards
Unexpired Cards: Track 2 data masked: 3,800,000 cards; All card data in the clear: 11,200,000 cards
Transactions from 11/24/03 – 6/28/04
Expired Cards: Track 2 data masked: unknown quantity; All card data in the clear: 0 cards
Unexpired Cards: Track 2 data masked: unknown quantity; All card data in the clear: 10 cards
The narrative continues:
Customer names and addresses and, for transactions after September 2, 2003, track 2 data were not included in the payment card information believed stolen in 2005. We do not believe that customer PINs were compromised.
In addition, we believe that personal information provided in connection with a portion of the unreceipted merchandise return transactions at T.J. Maxx, Marshalls, and HomeGoods stores in the U.S. and Puerto Rico, primarily during the last four months of 2003 and May and June 2004, was also stolen in 2005. The information we are able to specifically identify was from 2003 and included personal ID numbers, together with the related names and/or addresses, of approximately 451,000 individuals. We are in the process of notifying these individuals directly by letter.
TJX does not know how many records were stolen from 11/24/03 – 6/28/04 because they regularly purge data, and because they don’t know when the specific thefts took place, they do not know how many were taken.
They began encrypting card data on 4/7/04. Prior to that, according to the report, they either masked card data, or stored it all in the clear.
The report continues by describing data stolen in 2006:
Information Believed Stolen in 2006. As previously publicly reported, we identified a limited number of payment cards as to which transaction information was included in the customer data that we believe were stolen in 2006. This information was contained in two files apparently created in connection with computer systems problems in 2004 and 2006. Through our investigation to date, we have identified the following information with respect to the approximate number of payment cards for which unencrypted information was included in these files:
The report shows another table, a simpler one this time. In 2006, the numbers of cards that could have been stolen numbers in the tens of thousands, rather than in the millions. This suggests to me that TJM was more aggressively purging transaction data and keeping far less card data online than before.
Much more narrative follows:
Customer names and addresses were not included with the payment card information in these files. We do not believe that customer PINs were compromised. Some of the payment card data contained in these files were encrypted; we have not sought to decrypt these data.
In addition, the two files contained the personal ID numbers, together with the related names and/or addresses, of approximately 3,600 individuals, and we sent notice directly to these individuals.
We also have located a third file created in the ordinary course that we believe was stolen by the Intruder in 2006 and that we believe contained customer data. All of the data in this file are encrypted, and we have not sought to decrypt them.
As previously publicly reported, we believe that in 2006 the Intruder may also have stolen from our Framingham system additional payment card, check and unreceipted merchandise return information for transactions made in our stores in the U.S., Canada, and Puerto Rico (excluding transactions at Bob’s Stores and transactions made at Winners and HomeSense through the Interac network with debit cards issued by Canadian banks) during portions of mid-May through December 18, 2006. Through our investigation, we have identified approximately 100 files that we believe the Intruder, during this period, stole from our Framingham system (the vast majority of which we believe the Intruder created) and that we suspect included customer data. However, due to the technology utilized by the Intruder, we are unable to determine the nature or extent of information included in these files. Despite our masking and encryption practices on our Framingham system in 2006, the technology utilized in the Computer Intrusion during 2006 could have enabled the Intruder to steal payment card data from our Framingham system during the payment card issuer’s approval process, in which data (including the track 2 data) is transmitted to payment card issuer’s without encryption. Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX. The approximately 100 files stolen in 2006 could have included the data that we believe were stolen in 2005, as well as other data relative to some customer transactions from December 31, 2002 through mid-May 2006, although, with respect to transactions after September 2, 2003 generally without track 2 data, and, with respect to transactions after April 7, 2004, generally with all data encrypted.
In addition, as previously publicly reported, we suspect that customer data for payment card transactions at T.K. Maxx stores in the U.K. and Ireland has been stolen. In that regard, we now believe that at least two files of the approximately 100 files identified above that the Intruder stole from the Framingham system in 2006 were created by the Intruder and moved from the Watford system to the Framingham system. We suspect that these files contained payment card transaction data, some or all of which could have been unencrypted and unmasked. However, due to the technology utilized by the Intruder in the Computer Intrusion, we are unable to determine the nature or extent of information included in these files. Further, the technology utilized by the Intruder in the Computer Intrusion during 2006 on the Watford system could also have enabled the Intruder to steal payment card data from the Watford system during the payment card issuer’s approval process, in which data (including the track 2 data) are transmitted to payment card issuer’s without encryption.
We have provided extensive payment card transaction information to the banks and payment card companies with which we contract as requested by them. While we have been advised by law enforcement authorities that they are investigating fraudulent use of payment card information believed stolen from TJX, we do not know the extent of any fraudulent use of such information. Some banks and payment card companies have advised us that they have found what they consider to be preliminary evidence of possible fraudulent use of payment card information that may have been stolen from us, but they have not shared with us the details of their preliminary findings. We also do not know the extent of any fraudulent use of any of the personal information believed stolen. Certain banks have sought, and other banks and payment card companies may seek, either directly against us or through claims against our acquiring banks as to which we may have an indemnity obligation, payment of or reimbursement for fraudulent card charges and operating expenses (such as costs of replacing and/or monitoring payment cards thought by them to have been placed at risk by the Computer Intrusion) that they believe they have incurred by reason of the Computer Intrusion. In addition, payment card companies and associations may seek to impose fines by reason of the Computer Intrusion.
The report, above, mentions several times “the technology utilized by the Intruder” without being more specific. In a 10-K, this terminology is appropriate. For the report to describe what SQL, ODBC, .NET, or command line interface was used to get the data would be far too much detail. Still, my professional curiosity is piqued. What technology *did* the intruder(s) use?
The portion of the 10-K report on the intrusion continues and concludes:
Financial Costs. In the fourth quarter of fiscal 2007, we recorded a pre-tax charge of approximately $5 million, or $.01 per share, for costs incurred through the fourth quarter in connection with the Computer Intrusion, which includes costs incurred to investigate and contain the Computer Intrusion, strengthen computer security and systems, and communicate with customers, as well as technical, legal, and other fees. Beyond this charge, we do not have enough information to reasonably estimate losses we may incur arising from the Computer Intrusion. Various litigation has been or may be filed, and various claims have been or may be otherwise asserted, against us and/or our acquiring banks, on behalf of customers, banks, and/or card companies seeking damages allegedly arising out of the Computer Intrusion and other related relief. We intend to defend such litigation and claims vigorously, although we cannot predict the outcome of such litigation and claims. Various governmental entities are investigating the Computer Intrusion, and although we are cooperating in such investigations, we may be subject to fines or other obligations. (See Item 3 with respect to litigation and investigations.) Losses that we may incur as a result of the Computer Intrusion include losses arising out of claims by payment card associations and banks, customers, shareholders, governmental entities and others; technical, legal, computer systems and other expenses; and other potential liabilities, costs and expenses. Such losses could be material to our results of operation and financial condition.
Above, the report mentions costs associated with strengthening computer security and systems. Are these costs associated with bringing systems up to PCI standards, or beyond them? The report is not clear on this point.
Future Actions. We are continuing our forensic investigation of the Computer Intrusion and our ongoing program to strengthen and protect our computer systems. We are continuing to communicate with our customers about the Computer Intrusion. We are continuing to cooperate with law enforcement in its investigation of these crimes and with the payment card companies and associations and our acquiring banks. We are also continuing to cooperate with governmental agencies in their investigations of the Computer Intrusion. We are vigorously defending the litigation and claims asserted against us with respect to the Computer Intrusion.
TJX may suffer more losses over the years and they may be material. Well, that’s a reasonable supposition. The TJX intrusion is a watershed event to be sure, and could result in lawsuits the likes of which we haven’t seen in the past, as well as new legislation related to protection of financial information and remedies for failures.
Update: intruders probably broke in through WiFi by breaking WEP. More here.
Good analysis. Thanks for posting this. Identity theft is a huge and growing problem. A consumer can do everything right to protect his/herself from ID theft, and still become a victim when a prior employer has a data breach. And we all have prior employers.
I hope that IBM does something similar in their annual report about their breach; since IBM is a consultant to TJX. I am one of the former employees affected by IBM’s breach. My blog chronicles my experiences dealing with ID theft, the mess IBM created for me, and breach issues about prior employers:
Pingback: TJX breach twice the size of earlier estimates « Securitas Operandi
Pingback: TJX intrusion was a WEP (WiFi) hack « Securitas Operandi
As a Newbie, I am always searching online for articles that can help me. Thank you