October 26, 2007
TJX Breach Affects 94 Million+ Cardholders, More Than Double Originally Reported
Analysis of:
Details Emerge on TJX Breach | www.boston.com
This analysis is solely the work of the author. It has not been edited or endorsed by GLG.
Implications: In January 2007, TJX announced that it had suffered an unauthorized intrusion into its wireless LANs (these networks use radio-wave RFID technology to collect and transmit data such as credit card numbers) at Marshalls in FL. The intruders later hacked into TJX's mainframe, which hosts its POS data, leading to a data breach of 94 million+ credit and debit card accounts issued under the Visa and MasterCard networks. Also in January 2007, banks, credit card companies and customers began to report fraudulent use of credit and debit card numbers stored in TJX's system. In July 2007, Walmart and Sam's Club reported suspicious gift card purchases to the FL police, and numerous suspects were arrested for using stolen credit card data to purchase $8 million in gift cards and electronics. As of August 2007, TJX estimated the total cost of the data breach at $256 million. TJX purports that 75% of the breached cards were expired or had masked data, meaning the data was stored as asterisks rather than numbers.
Analysis: As of October 2007, banks and financial institutions had gone to court to hold TJX accountable for the mismanagement of its security arrangements. They want TJX to pay for unspecified losses and costs such as reissuing compromised credit and debit cards. The plaintiffs also want to determine whether they qualify for class action status or will have to file individual suits against TJX as a result of the data breach, which affected 94 million+ accounts.
1. TJX is also working on a settlement with customers affected by the breach and offered store vouchers to claimants. The settlement was later amended after attorneys for the claimants requested an alternative to the voucher, and TJX has offered customers a choice of a voucher or cash, along with credit monitoring services and a three-day customer appreciation sale.
2. TJX may have avoided the data breach if it had followed all of the requirements of the PCI (Payment Card Industry) DSS (Data Security Standard), which include:
   1. install and maintain a firewall configuration to protect cardholder data
   2. do not use vendor-supplied defaults for system passwords and other security parameters
   3. protect stored cardholder data
   4. encrypt transmission of cardholder data across open, public networks
   5. use and regularly update anti-virus software
   6. develop and maintain secure systems and applications
   7. restrict access to cardholder data by business need to know
   8. assign a unique ID to each person with computer access
   9. restrict physical access to cardholder data
   10. track and monitor all access to network resources and cardholder data
   11. regularly test security systems and processes
   12. maintain a policy that addresses information security

   Apparently, TJX followed only three of the 12 requirements.
TJX is also facing other investigations by the FTC (Federal Trade Commission) and a multi-state probe led by the MA Attorney General. Canada is also investigating TJX to determine how widely the breach has affected cardholders in Canada. The total cost of the TJX data breach could surpass $1 billion.

