SecurityFocus 2007-10-26
Significant security shortcomings led to the data breach at retail giant TJX -- a breach which credit-card companies now say compromised more than 94 million accounts, according to court documents made public on Thursday.
The documents -- part of the paperwork filed in a lawsuit brought by more than 300 New England banks against the retailer -- cite Visa USA and Mastercard International executives as well as a security consultant to paint a grim picture of the lack of security that allowed intruders into the retailer's computer systems. The consultant retained by TJX to investigate the breach found that the company had not complied with nine of the twelve security measures mandated by credit-card companies under the Payment Card Industry (PCI) Data Security Standard (DSS), the court documents stated.
"There were ... many deficiencies and PCI DSS violations which the attacker was able to exploit in order to compromise data from the TJX network," the unnamed consultant stated, according to court documents.
The documents -- filed on Thursday on behalf of more than 300 banks in Massachusetts, Maine and Connecticut -- reveal the most detail to date about the security vulnerabilities that allowed data thieves to access TJX Companies' computers, plant a traffic sniffer and transfer more than 80 gigabytes of data to an Internet site in California. The breach, originally disclosed by TJX in January, has led to widespread credit- and debit-card fraud in at least 13 countries, surpassing $68 million for Visa cards alone, according to one executive's deposition. Stores in Canada and the United States have reported fraud, and a ring of fraudsters in Florida had used credit cards stolen from TJX to purchase more than $8 million in gift cards.
The retail giant recently proposed a settlement to consumers affected by the breach, but the deal still needs to be signed off by the judge in the case. The settlement would not affect the lawsuit brought by financial institutions, which typically have to bear the financial burden of replacing compromised cards.
The court documents made public in the case include depositions of key executives and a request that the banks be able to amend their complaint against TJX with information gained through the depositions and discovery.
According to the court documents, in July 2005, the data thieves compromised TJX's network by breaking into the wireless network of a store in Florida that had only been secured using Wired Equivalent Privacy (WEP), an encryption scheme that -- even at the time -- was known to have significant security issues. In May 2006, the intruders placed a traffic sniffer on the company's internal network, capturing sensitive cardholder information that had been transmitted without encryption. The information included large amounts of sensitive card-specific data known as Track 2 Data.
"Track 2 Data is extremely sensitive because, if it is compromised, it is simple to create a counterfeit payment card from the compromised data," the banks maintained in their court filing.
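The Track 2 layout is why a cleartext sniff is so damaging: a single record carries the full PAN, expiry and service code. As an added defensive example, not code from the article or from TJX, the following Python detector is the kind of check a DLP or IDS rule would apply to cleartext traffic to flag Track 2 records, validating the PAN with Luhn to cut false positives and masking it in the finding. The sample payload is constructed.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' start sentinel, PAN (up to 19 digits),
# '=' field separator, YYMM expiry, 3-digit service code, discretionary data,
# '?' end sentinel. Finding this in the clear on a network is a DLP hit.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, used to reject number-like noise."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI DSS-style display masking: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(payload: str) -> list:
    """Return masked findings for every plausible Track 2 record in a payload."""
    findings = []
    for m in TRACK2_RE.finditer(payload):
        pan, yy, mm, svc, _disc = m.groups()
        if not (1 <= int(mm) <= 12) or not luhn_ok(pan):
            continue  # bad month or failed Luhn: not a real card record
        findings.append({"pan": mask_pan(pan), "expiry": f"{mm}/{yy}",
                         "service_code": svc})
    return findings

# Constructed sample: a cleartext POS authorization carrying one genuine
# Track 2 record and one digit string that only looks like a card number.
SAMPLE_PAYLOAD = (
    "POST /auth HTTP/1.0\r\n"
    "track2=;4111111111111111=09081011234567890?&amount=1999\r\n"
    "order=;1234567890123456=0912101?\r\n"  # fails Luhn, ignored
)

if __name__ == "__main__":
    for finding in find_track2(SAMPLE_PAYLOAD):
        print(finding)
```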
The thieves managed to continue accessing the company's servers for the next 18 months until December 2006, when TJX became aware of the issues. In total, more than 80 gigabytes of data were transferred from the company's network, forensic analysis revealed.
The thieves sold off the card numbers, kicking off an epidemic of fraud. Between $68 million and $83 million in fraud in 13 countries can be attributed to the TJX breach, according to an excerpt of an August 31 deposition of Joseph Majka, vice president of investigations and fraud management at Visa USA. Visa's estimate of the damage caused by the breach will only increase, Majka stated.
"Due to the sheer number of accounts that are believed to be exposed and compromised," the damages will likely rise, the executive stated during his deposition. "You know, these are going to be sold off for a period of time in the future, so it's going to continue for some time out there."
As of June 2007, Visa established that 65 million unique accounts had been compromised because of the breach, Majka stated. Mastercard International estimated that at least 29 million of its cards had been compromised, the card company's Director of Fraud Management Neil Maguire stated in an excerpt from his September 27 deposition.
The 94 million figure is more than twice TJX's original estimate of the extent of the breach: 46.5 million.