SecurityFocus, 2007-10-26
Significant security shortcomings led to the data breach at retail giant TJX -- a breach which credit-card companies now say compromised more than 94 million accounts, according to court documents made public on Thursday.
The documents -- part of the paperwork filed in a lawsuit brought by more than 300 New England banks against the retailer -- cite Visa USA and Mastercard International executives as well as a security consultant to paint a grim picture of the lack of security that allowed intruders into the retailer's computer systems. The consultant retained by TJX to investigate the breach found that the company had not complied with nine of the twelve security measures mandated by credit-card companies under the Payment Card Industry (PCI) Data Security Standard (DSS), the court documents stated.
"There were ... many deficiencies and PCI DSS violations which the attacker was able to exploit in order to compromise data from the TJX network," the unnamed consultant stated, according to court documents.
The documents -- filed on Thursday on behalf of more than 300 banks in Massachusetts, Maine and Connecticut -- reveal the most detail to date about the security vulnerabilities that allowed data thieves to access TJX Companies' computers, plant a traffic sniffer and transfer more than 80 gigabytes of data to an Internet site in California. The breach, originally disclosed by TJX in January, has led to widespread credit- and debit-card fraud in at least 13 countries, surpassing $68 million for Visa cards alone, according to one executive's deposition. Stores in Canada and the United States have reported fraud, and a ring of fraudsters in Florida had used credit cards stolen from TJX to purchase more than $8 million in gift cards.
The retail giant recently proposed a settlement to consumers affected by the breach, but the deal still needs to be signed off by the judge in the case. The settlement would not affect the lawsuit brought by financial institutions, which typically have to bear the financial burden of replacing compromised cards.
The court documents made public in the case include depositions of key executives and a request that the banks be able to amend their complaint against TJX with information gained through the depositions and discovery.
According to the court documents, in July 2005, the data thieves compromised TJX's network by breaking into the wireless network of a store in Florida that had only been secured using Wired Equivalent Privacy (WEP), an encryption scheme that -- even at the time -- was known to have significant security issues. In May 2006, the intruders placed a traffic sniffer on the company's internal network, capturing sensitive cardholder information that had been transmitted without encryption. The information included large amounts of sensitive card-specific data known as Track 2 Data.
"Track 2 Data is extremely sensitive because, if it is compromised, it is simple to create a counterfeit payment card from the compromised data," the banks maintained in their court filing.
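The filing's point is that Track 2 data crossing an internal network in cleartext is exactly what a sniffer harvests. A defender can check for the same condition before an intruder does: scan captured traffic or application logs for Track 2 records and flag any that appear unencrypted. The Python below is an added example written for this article, not code from the court documents, TJX or the card brands. It assumes the Track 2 layout defined in ISO/IEC 7813 (PAN, an '=' field separator, a YYMM expiry, a three-digit service code, then discretionary data), uses the Luhn check to discard digit runs that merely look like card numbers, and runs over a constructed sample capture with the well-known 4111... test PAN rather than any real cardholder data.

```python
import re

# Track 2 layout (ISO/IEC 7813, assumed here for illustration):
#   PAN (13-19 digits) '=' YYMM expiry, 3-digit service code, discretionary data.
# The optional ';' start and '?' end sentinels are not required by the pattern.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d*)")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, which PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(payload: str) -> list:
    """Return every Luhn-valid Track 2 record found in a cleartext payload, PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(payload):
        pan, expiry, service_code, _discretionary = m.groups()
        if not luhn_ok(pan):
            continue            # digit run is not a real PAN; skip to avoid false positives
        hits.append({
            "pan_masked": mask_pan(pan),
            "expiry": expiry,
            "service_code": service_code,
            "offset": m.start(),
        })
    return hits


def scan_capture(lines: list) -> list:
    """Scan decoded capture lines; each finding records the 1-based line number."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for hit in find_track2(line):
            hit["line"] = line_no
            findings.append(hit)
    return findings


# Constructed sample capture (not real traffic). Line 1 carries a Luhn-valid test PAN;
# line 2 is one digit off and fails Luhn, so it must not be reported; line 3 is noise.
CONSTRUCTED_CAPTURE = [
    "POS01 -> HQ: ;4111111111111111=25121011234567890?",
    "POS02 -> HQ: ;4111111111111112=25121010000000000?",
    "POS03 -> HQ: heartbeat ok",
]

if __name__ == "__main__":
    for f in scan_capture(CONSTRUCTED_CAPTURE):
        print(f"line {f['line']}: cleartext Track 2 record, PAN {f['pan_masked']}, "
              f"expiry {f['expiry']}, service code {f['service_code']}")
```

Feeding the decoded payloads of a real capture through `scan_capture` turns the filing's finding into a repeatable control: any hit on an internal segment means cardholder data is traversing it unencrypted, and the masked PAN lets the alert be logged without itself becoming a PCI DSS violation.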