TJX Is Biggest Data Breach Ever

jcatcw writes "Jaikumar Vijayan reports for Computerworld that TJX is finally offering more details about the extent of the compromise which, at 45.6M cards, is the biggest ever. He has been following the story since it started. The systems that were broken into processed payment card, checks, and returns for customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico, and customers of Winners and HomeSense stores in Canada and T.K. Maxx in the U.K. Customer names and addresses were not included in the stolen data. So far the company has spent about $5 million in connection with the breach. Several lawsuits that have been filed against the company, including a suit by the Arkansas Carpenters Pension Fund, one of its shareholders, for failure to divulge more details about the breach."

Suggested

[Stanistani]

Suggested new tag for stories like this - pwnshop

Sounds like damage control doublespeak

[Critical+Facilities]

From TFA:
Customer names and addresses were not included with any of the payment card data believed stolen from the Framingham systems, TJX said. Also, the company "generally" did not store Track 2 data from the magnetic stripe on the back of payment cards for transactions

Also from TFA:
It is hard to know exactly what kind of data was stolen because a lot of the information accessed by intruders was deleted by the company in the normal course of business. "In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," the company said.

Sounds like they're just desparately trying to control the obviously egregious oversights that happened here. It also sounds like they're still trying to figure out what has happened. To say that heads are rolling is probably the biggest understatement ever.

The Answer is...

[WED+Fan]

The simple answer for users, and it exists now: Revokeable Credit Cards.

The long term is separation of credit and banking from the Social Security system.

Example

[Renraku]

Lets say that you're sitting at home one day. You get your credit card statement. Apparently your card is maxed out at $10,000. Your interest rate has tripled and the company is calling you wondering why you spent $10,000 in Bumfuck, India.

Ok, so you're not responsible.

How do you know how they got your info? It could have been from a call center, when you called about double billing you over and over. It could have been when you called your bank, which also has call centers in India. It could have been when you lost your card, someone found it.

Point is, you probably will never know how they got your info. Only that they did. Even if you did find out, could you prove it in a court of law enough to sue TJX?

New PINs too

[PIPBoy3000]

The worst part was getting a new PIN that didn't have the easy-to-remember "69" in the digits. Now I'm stuck with one that has no sexual connotations at all. Sniff.

Meanwhile...

[jeevesbond]

In other news a story on Microsoft's Get The FUD campaign mysteriously disappears, the title was: 'TJX Chooses Windows Over Linux for Reliability and Security'.

I'm joking, but you never know. On a more serious note: what mystifies me is why these companies need to store customers credit card details at all?! Having had experience with POS (Point of Sale) I know that the system should keep these details long enough to complete a transaction, then it should delete it.

Security starts with only keeping the information you need. Courts should be questioning why these companies retained this data in the first place!

Re:All encompassing

[monkeydo]

Wal-Mart giftcards over $500 require ID to redeem. So they were buying only $400 giftcards. Cashiers were suspicous of people using multiple $400 giftcards to make large purchases.

deep insight? the odds are against it.

[Gary+W.+Longsine]

Of course, the attacker might have a team of experts, moles planted in the corporation, and their own Tom Cruise who slapped magnetic signs on a white van, posed as a janitor, rappelled into the hermetically sealed server room, looked under keyboards for the post-it with the root password, modified the corporation's custom software on the fly and installed the resulting trojaned version (all without touching the floor) and then cleaned the urinals on his way out so that nobody would suspect a thing for years in a mission-impossible-style coordinated assault requiring deep insight to the code, but given that most such incidents of data theft are quite a bit less sophisticated, I doubt deep insight was required.

Deep insight is mainly useful to attackers who seek a very specific set of data from a particular target. People after credit card data typically just cast a wide net and exploit the low hanging fruit. Let a worm loose, it gets in somewhere. See what it finds. Exploit it. Much, much simpler. Of course since we lack the technical details you mentioned (and others) we have no idea what really happened, and the technical details would probably be interesting. I suspect that the weeks long delay in releasing the information that came out today was due to the fact that the investigators suspected, or merely feared, an inside job.

This is a common and largely emotional response to an attack like this. "Somebody broke into our highly secure system and stole 45 million customer records complete with credit card numbers? Inconceivable!" ("You keep using that word. I do not think it means what you think it means.")

It's certainly *not* a requirement to have "deep insight" into the code or even the specific computing infrastructure of the typical corporation in order to steal data. In fact, ordinary insight is sufficient once you have access, given the attacker has basic technical skills. Rather than deep insight, what is usually seen is a plodding industrial spam-like approach.

• bots are built and released to the wild internet (network worms, email worms, web trojans, etc.)
• a single system behind a company firewall is infected with the bot (e.g. through a web browser, or a laptop hit by a worm at a coffee shop)
• the bot spreads behind the company firewall, infecting many machines, attracting much attention
• company managers crack the whip over IT to clean up the mess without re-installing the infected systems, often against the advice of people who understand the problem who say things like, "we have no way to know what damage has been done, the only secure fix is to re-image the infected systems," which sounds are like one hand clapping to managers who have been told to contain IT costs
• some of the infected systems are "noisy", probing around the network trying to spread itself
• some of the infected systems are "stealthy", the bot does not attempt to spread further from them, it seeks data on the local system including what processes are running on the system
• some of the infected systems appear to have data of interest to the attacker
• the bot is instructed to install a root kit and possibly remove itself from the system
• the attacker explores the systems of interest, looking for files, looking at database contents, stealing what they want, etc.

From the article:
"In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," the company said. It did not elaborate on the technology it was referring to.

This sounds like a smokescreen. The "technology" might be quite simple and common. Any of these could apply, for example:

• the intruders used scp to upload files to a remote host so our IDS logged the connection, but we can't tell what was in the files
• the intruders used ftp, but our IDS system was configured to log only meta-data