TJX (T.J. Maxx and Marshall’s) Largest Breach of Customer Data in U.S. History

Use Netsparker


This case has been going on for a while but obviously hush hush, being that it is the largest breach of customer data in U.S. History. The details of the case have only started emerging in the last couple of months.

Information Week published a good article covering what has been going on recently.

Amazing the amount of data we are talking about here, 45 million customer records!

TJX will be glad when this year is over. The $17 billion-a-year parent company of T.J. Maxx, Marshall’s, and several other discount retail chains has spent the past eight months dealing with the largest breach of customer data in U.S. history, the details of which are starting to come to light.

Last December, TJX says it alerted law enforcement that data thieves had made off with more than 45 million customer records. Since that time, at least one business, Wal-Mart, has lost millions of dollars as a result of the theft, while TJX has spent more than $20 million investigating the breach, notifying customers, and hiring lawyers to handle dozens of lawsuits from customers and financial institutions. Should TJX lose in the courts, it could be on the hook for millions more in damages.

But there’s an even broader TJX Effect: The data breach, which actually took place over a period of years, has put the entire retail industry on the defensive and stirred up demands for all businesses that handle payment card information to do a better job of protecting it. Legislators are invoking TJX’s name to fast-track data-security bills.

Years? That’s scary, how can something like this happen? I can’t blame the retail industry for being shaken up. Credit card information does need to be safeguarded.

I hope legislation is approved to hold companies that leak data like water in a sieve, they should be fined some big cash and made to compensate every consumer that was negatively effected by fraudulent use of their credit cards.

Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company’s IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX’s retail stores, let people apply for jobs electronically but also allowed direct access to the company’s network, as they weren’t protected by firewalls. “The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals,” says the source. In a March filing with the Securities and Exchange Commission,TJX acknowledged finding “suspicious software” on its computer systems.

The USB drives contained a utility program that let the intruder or intruders take control of these computer kiosks and turn them into remote terminals that connected into TJX’s networks, according to the source. The firewalls on TJX’s main network weren’t set to defend against malicious traffic coming from the kiosks, the source says. Typically, the USB drives in the computer kiosks are used to plug in mice or printers. The kiosks “shouldn’t have been on the corporate LAN, and the USB ports should have been disabled,” the source says.

A pretty basic attack eh? Can you believe they were so negligent in setting up the kiosks? They virtually allowed full access to their corporate network!

Public resources should never have access to the same segments critical data are stored on…this is basic stuff!

They also owned via open Wifi networks in Marshall’s stores…sad eh?

Source: Information Week

Posted in: Hacking News, Legal Issues

, , , , ,


Latest Posts:


Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.


One Response to TJX (T.J. Maxx and Marshall’s) Largest Breach of Customer Data in U.S. History

  1. Sir Henry December 14, 2007 at 7:41 pm #

    What I find to be equally frustrating is that, so far, there does not seem to be any idea correlation between the hashing of passwords and the hashing of cc numbers. Perhaps I am wrong, but it just seems like it would be logical to do that.