
TJX Companies — 94M card breach

Albert Gonzalez cracked the WEP network at a Marshalls store, pivoted to TJX's servers, and stole payment-card data that TJX initially put at 45.6 million card numbers and that was later assessed at roughly 94 million, in the largest retail breach of its era.

Target: TJX Companies — 94M card breach
Date public: 17 January 2007
Sector: Retail
Attack type: Data Breach
Threat actor: Albert Gonzalez crew
Severity: Critical
Region: United States / global

In early 2007, TJX — the parent company of TJ Maxx, Marshalls and HomeGoods — disclosed that hackers had been inside its systems for roughly eighteen months and had stolen payment-card data on tens of millions of customers. The way they got in was almost comically simple: they drove to a Marshalls store in Minnesota, sat in the car park, and connected to the store's wireless network. The store was using WEP — a wireless security standard that had been publicly proven to be broken in 2001. A freely available tool could crack a WEP-secured network in minutes. From there, the attackers found that the store's wireless network connected directly to TJX's corporate systems, and those systems held payment-card data for every transaction processed across the whole chain. The ringleader, Albert Gonzalez, had already served as a police informant after being caught in an earlier card-fraud case, then gone back to running fraud operations while still cooperating. He was eventually convicted for TJX, Heartland and Hannaford combined and sentenced to twenty years — at the time, the longest sentence ever handed down in the United States for hacking. The TJX breach is the foundational case for why wireless network security and corporate network security are the same thing.

What happened

In January 2007, TJX Companies — the parent company of TJ Maxx, Marshalls, HomeGoods and several other retail chains — disclosed that an attacker had penetrated its information systems and stolen payment-card transaction data. The initial disclosure was partial; the company described the breach as covering transactions processed between approximately May 2006 and December 2006, and estimated tens of millions of affected cards.

As the investigation and subsequent criminal proceedings developed, the full picture emerged as substantially larger. The attacker had first gained access in approximately July 2005, and the total number of unique payment-card records exfiltrated was assessed at approximately 94 million — a figure that held the record as the largest retail card breach in US history for over a year, before the Heartland Payment Systems breach of 2008 overtook it.

The entry point was a wireless network at a Marshalls store in St Paul, Minnesota. Albert Gonzalez and his associates drove near the store with a laptop and wireless network sniffing software, identified the store’s wireless network, and cracked its WEP (Wired Equivalent Privacy) encryption. WEP had been demonstrated to be cryptographically broken in published academic research as early as 2001; by 2005, tools for cracking WEP keys in minutes were freely available on the internet. TJX had not upgraded the affected stores’ wireless infrastructure to the WPA standard that had replaced WEP as the industry baseline.

From the compromised store wireless network, the attackers found that the connection extended back to TJX’s central systems. Those systems held payment-card data for transactions processed across TJX’s retail brands. The attackers installed custom malware that allowed them to return repeatedly, harvest card data, and exfiltrate it to external servers over a period of roughly eighteen months.

TJX settled the breach with Visa-issuing banks for $40.9 million, with MasterCard issuers for $24 million, and with state attorneys general for approximately $9.75 million, among other regulatory actions.

How it worked

Gonzalez and his crew operated a structured criminal enterprise that specialised in retail-network intrusion and card-data resale. The technical approach at TJX was wardriving — the practice of driving through commercial areas with wireless network scanning software to identify accessible networks. WEP, the security standard TJX was using, had been known to be broken since academic work published by Fluhrer, Mantin and Shamir in 2001 demonstrated that its key-scheduling algorithm leaked information about the encryption key in every packet transmitted. By 2004, open-source tools implementing this attack could recover a WEP key from a moderately busy network in under a minute.

Once the WEP key was recovered, the attackers joined the store’s internal wireless network. The network architecture at the affected stores connected wireless points of sale directly to TJX’s corporate wide-area network without meaningful segmentation. A connection to the store wireless was effectively a connection to TJX’s internal backbone. The attackers traversed this connection to reach the central systems that stored transaction data.

TJX’s systems retained payment-card data beyond the period required for transaction processing. The stored data included full card-track data — the magnetic-stripe contents of the cards — rather than only the partial information needed to complete a chargeback or dispute resolution. This retention practice was the reason the breach produced 94 million cards’ worth of usable fraud data rather than a set of records that would be useless outside the original transaction context.

The malware the crew installed used encrypted communication to exfiltrate data to intermediate servers and ultimately to servers in Eastern Europe, including Ukraine. Gonzalez coordinated the operation using encrypted instant messaging and divided the recovered card data into lots that were sold to networks of counterfeit-card manufacturers across North America and Europe, who encoded the track data onto blank cards for use in ATM withdrawals and in-store fraudulent purchases.

Gonzalez had a distinctive personal history: he had previously been arrested for card fraud in 2003, turned informant for the Secret Service, and cooperated with investigations into an online card-fraud forum — while simultaneously continuing to operate card-fraud operations, including the TJX intrusion, using the knowledge and connections his law-enforcement access provided. He was eventually arrested in 2008 when the Secret Service developed evidence of his ongoing criminal activity.

Timeline

  • July 2005 — Albert Gonzalez and accomplices crack the WEP wireless network at a Marshalls store in St Paul, Minnesota. Initial access to TJX’s corporate network established.
  • 2005–2006 — Ongoing access to TJX systems. Exfiltration of payment-card data covering millions of transactions across TJ Maxx, Marshalls and associated brands.
  • December 2006 — TJX’s internal security team notices anomalous activity in its systems. Investigation begins.
  • 17 January 2007 — TJX publicly discloses the breach. Initial estimate covers transactions from May–December 2006.
  • 2007 — Investigation expands the scope to cover transactions back to December 2002 in some cases and establishes access from July 2005. Final card count assessed at approximately 94 million.
  • 2007–2009 — Settlement negotiations with card networks, banks, and state regulators. TJX settles with Visa issuers ($40.9M), MasterCard issuers ($24M), state AGs (~$9.75M).
  • May 2008 — Albert Gonzalez and accomplices indicted for the TJX, Dave & Buster’s and other related breaches. Separate indictment follows for Heartland and Hannaford.
  • March 2010 — Gonzalez sentenced to 20 years in federal prison — the longest sentence ever imposed in the United States for computer hacking at that time. Two co-conspirators receive sentences of approximately 7–8 years.
  • 2010–2012 — PCI DSS standards updated and clarified to address wireless network security requirements explicitly, with the TJX breach cited as a motivating case.

What defenders should learn

The core lesson of TJX is network architecture: the wireless network of a retail store should not have a routed path to corporate card-data infrastructure. The breach required no novel exploit, no sophisticated tooling, and no insider knowledge. It required a laptop, freely available software, and a fifteen-minute drive to a car park. The WEP key cracked in minutes. The reason 94 million cards were in scope for that fifteen-minute effort is that TJX’s network design gave a store-wireless foothold unrestricted access to its most valuable data.

Segmentation is the countermeasure. A point-of-sale terminal needs to reach the payment-processing gateway to complete a transaction. It does not need to reach a corporate data warehouse. The store network needs to reach the payment gateway. It does not need to reach corporate IT systems. Flat or minimally segmented networks make every foothold — a wireless intrusion, a compromised terminal, a phished store employee — a potential path to the crown jewels. The technical investment required to segment a retail store network from corporate infrastructure is modest in comparison to the $94 million settlement cost TJX ultimately bore.
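The segmentation argument above can be checked mechanically. The following is an added example, not code from the original page or from TJX: it models network zones and the flows a firewall policy permits between them, then asks which crown-jewel zones a foothold on the store wireless segment can reach. Zone names and both policies are constructed assumptions; the flat policy mirrors the store-wireless-to-backbone path the page describes, the segmented one the design the page recommends.

```python
from collections import deque

# Constructed zone names for a retail estate (hypothetical, not TJX's).
STORE_WIFI = "store-wireless"
STORE_POS = "store-pos"
PAYMENT_GW = "payment-gateway"
CORP_WAN = "corporate-wan"
CARD_DATA = "card-data-environment"

# A flat design of the kind the page describes: the store wireless
# segment is bridged onto the corporate WAN, and the WAN reaches
# everything, so a foothold on the store Wi-Fi reaches the card data.
FLAT_POLICY = [
    (STORE_WIFI, STORE_POS),
    (STORE_WIFI, CORP_WAN),
    (STORE_POS, CORP_WAN),
    (CORP_WAN, PAYMENT_GW),
    (CORP_WAN, CARD_DATA),
]

# Segmented design: wireless reaches only the terminals it serves,
# terminals reach only the payment gateway, and only corporate IT
# (from its own segment) reaches the card-data environment.
SEGMENTED_POLICY = [
    (STORE_WIFI, STORE_POS),
    (STORE_POS, PAYMENT_GW),
    (CORP_WAN, CARD_DATA),
]

def reachable_zones(policy, start):
    """Breadth-first search over permitted flows; returns every zone a
    foothold in `start` can reach, directly or through other zones."""
    adjacency = {}
    for src, dst in policy:
        adjacency.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adjacency.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen

def exposed_crown_jewels(policy, foothold, crown_jewels):
    """Crown-jewel zones reachable from `foothold`; an empty list means
    the segmentation holds for that foothold."""
    return sorted(reachable_zones(policy, foothold) & set(crown_jewels))
```

Running `exposed_crown_jewels` for every store-side zone against a real policy export is the check to automate before a change window, not after an incident.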

The WEP problem illustrates a generalised principle about known-broken cryptography. WEP’s weaknesses were published in 2001, and practical exploitation tools were freely available from 2004. TJX was still running WEP in 2005. The question organisations should ask is not “is this cryptographic primitive theoretically weak?” but “is this the thing we are actually running in our stores and factories?” Inventorying cryptographic standards in use across the enterprise — including in operational technology, point-of-sale, building systems, and branch office infrastructure — is not glamorous work, but it closes the category of breach TJX represents entirely.

Data minimisation is the third lesson. The 94 million cards at risk were only at risk because TJX had retained full card-track data long after the transactions were complete. The payment networks’ rules required only partial data retention for chargeback purposes; the full track data conferred no operational benefit that warranted its retention. Any data that is not stored cannot be stolen. Data retention policies for payment-card data, health records, or any other regulated category should be grounded in minimum retention for operational necessity — not in whatever the default database configuration happened to preserve.
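To make the data-minimisation point concrete, the following added example (not from the original page or from TJX) reduces a magnetic-stripe Track 2 read to the fields a merchant may keep after authorisation and, separately, scans stored rows for full track data that should never have been retained. It assumes the ISO/IEC 7813 Track 2 layout and the PCI DSS rule that full track data must not be stored after authorisation and that a stored PAN must be truncated or otherwise unreadable; the sample rows and the test card number are constructed.

```python
import re

# Track 2 layout per ISO/IEC 7813: start sentinel ';', PAN, separator '=',
# expiry YYMM, 3-digit service code, issuer discretionary data, end '?'.
TRACK2 = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")

def luhn_ok(pan):
    """Luhn check digit (ISO/IEC 7812) to reject garbled or mistyped PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def retention_record(track2):
    """Reduce a full Track 2 read to what may be kept after authorisation.

    Keeps a truncated PAN (first six, last four) and the expiry; the full
    track, service code and discretionary data (where issuer verification
    values live) are dropped, so the stored record cannot be encoded
    onto a counterfeit card the way the TJX data was.
    """
    m = TRACK2.fullmatch(track2)
    if not m or not luhn_ok(m.group("pan")):
        raise ValueError("not a well-formed Track 2 read")
    pan = m.group("pan")
    return {
        "pan_truncated": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry_yymm": m.group("exp"),
    }

def find_stored_track_data(rows):
    """Return indexes of stored rows that still carry a full Track 2 read.

    Run over exported transaction logs or database rows to locate the
    kind of retention that put 94 million cards in scope at TJX.
    """
    return [i for i, row in enumerate(rows) if TRACK2.search(row)]

# Constructed sample rows (not real data); 4111111111111111 is a
# well-known Luhn-valid test number, not a live card.
SAMPLE_ROWS = [
    "txn=1001 store=0042 amount=19.99 pan=411111******1111",
    "txn=1002 store=0042 track=;4111111111111111=25121011234567890? amount=5.00",
]

if __name__ == "__main__":
    print(retention_record(";4111111111111111=25121011234567890?"))
    print(find_stored_track_data(SAMPLE_ROWS))
```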

The Gonzalez informant history is also a reminder that insider threat and law-enforcement cooperation are not mutually exclusive. An individual cooperating with an investigation may simultaneously be conducting their own criminal activity using knowledge the cooperation has provided. This is an edge case, but it informs how law enforcement and private-sector investigators should validate the boundaries of any cooperation relationship.
