The retailer TJX revealed that at least 45.7 million credit and debit card numbers were stolen from its computers by hackers who have yet to be caught.
According to Gartner security expert Avivah Litan, the volume of stolen data gives TJX the dubious distinction of being the biggest known victim of hacker-based card fraud in history.
"This is the biggest card heist we've heard of so far," said Litan.
TJX, which has 125,000 employees and operates hundreds of TJ Maxx and TK Maxx stores in the US and UK, did not immediately return a call for comment about the investigation. Earlier this year TJX said it had contacted law enforcement in December 2006 when it "learned of suspicious software" within its computer systems.
According to a new Securities and Exchange Commission filing from TJX, since last December the company has been working with the US Department of Justice, the Secret Service, and the US Attorney in Boston in a criminal investigation to nab the intruders. TJX also is supplying information to the California attorney general's office, the Canadian Provincial Privacy Commissioners, the UK Information Commissioner and the London metropolitan police.
Although Florida law enforcement has identified four suspects who may be part of the case, Litan said her "educated guess" is that the trail will lead to organised crime rings in Eastern Europe.
"Organised crime rings farm out a substantial part of the work, such as the counterfeiting, usually to crack addicts," she noted.
Litan said her sources view the TJX case as a targeted attack by hackers who broke in through unprotected wireless LANs, and made their way through its network to the controllers to set up operations inside the TJX network and capture card data. "They basically used a program to just capture the data," Litan said, noting this was "educated conjecture."
In the SEC filing, TJX suggests hackers were tampering with customer data.
TJX said that before the computer intrusion was discovered, the company may have inadvertently deleted "in the ordinary course of business the contents of many files that we now believe were stolen. In addition, the technology used by the Intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006."
TJX added, "We are continuing to try and identify information stolen in the Computer Intrusion through our investigation, but other than information provided below, we believe we may never be able to identify much of the information believed stolen."
While this suggests the hackers may have encrypted or otherwise changed TJX data, TJX did not immediately return calls to clarify this statement further.
In the UK and Ireland, TJX also said that "technology used by the Intruder in the Computer Intrusion during 2006 on the Watford system could also have enabled the Intruder to steal payment card data from the Watford system during the payment card issuer's approval process, in which data including the track 2 data, are transmitted to payment card issuers without encryption. Further, we believe that the Intruder had access to the decryption tool for the encryption software utilised by TJX."
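To make concrete what "track 2 data" is and why capturing it in the clear during authorisation is so damaging, here is a small added example (not from the article or from TJX) that parses an ISO/IEC 7813 Track 2 record of the kind a sniffer on the authorisation path would see, validates the card number, and shows the only subset a merchant system is permitted to retain afterwards. The record and the 4111 1111 1111 1111 card number are constructed test values, not data from the breach.

```python
"""Parse an ISO/IEC 7813 Track 2 record and separate what may be kept from what may not.

Track 2 layout: ';' start sentinel, PAN (up to 19 digits), '=' separator,
expiry YYMM, 3-digit service code, discretionary data (PIN verification value,
card verification value, etc.), '?' end sentinel. Captured in the clear, the
whole string is enough to press a working counterfeit magstripe card.
"""
from dataclasses import dataclass
import re

TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check digit, as used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a raw Track 2 string into fields; rejects malformed or non-Luhn PANs."""
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a well-formed Track 2 record")
    t = Track2(m["pan"], m["exp"], m["svc"], m["disc"])
    if not luhn_ok(t.pan):
        raise ValueError("PAN fails Luhn check")
    return t


def is_chip_card(service_code: str) -> bool:
    """First service-code digit 2 or 6 means the card carries an IC chip;
    1 or 5 means magstripe-only, the kind cloned most easily."""
    return service_code[0] in "26"


def mask_pan(pan: str) -> str:
    """PCI DSS allows at most the first six and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storable_record(t: Track2) -> dict:
    """What a merchant may retain after authorisation. The discretionary data
    (which carries the card verification value) and the full PAN are dropped;
    the service code is retained because it is not sensitive."""
    return {
        "pan": mask_pan(t.pan),
        "expiry": t.expiry_yymm,
        "service_code": t.service_code,
        "chip": is_chip_card(t.service_code),
    }


def redact_for_log(raw: str) -> str:
    """Scrub a captured Track 2 string before it goes anywhere near a log."""
    return TRACK2_RE.sub(lambda m: ";" + mask_pan(m["pan"]) + "=" + m["exp"] + m["svc"] + "?", raw)


if __name__ == "__main__":
    # Constructed sample: a standard test PAN, expiry Dec 2025, service code 101
    # (international, magstripe-only, normal authorisation), made-up discretionary data.
    sample = ";4111111111111111=2512101123456789?"
    rec = parse_track2(sample)
    print(rec)
    print(storable_record(rec))
    print(redact_for_log(sample))
```

The point the filing makes is visible in the code: everything `parse_track2` extracts travels in one plaintext string during the issuer approval step, so an attacker who can read that link needs no decryption tool at all for cards authorised while the capture runs, and the `storable_record` restriction on the merchant's own database does nothing to protect it.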
TJX said it expects to spend $5 million in connection with the attack. So far, customers don't seem to be scared off by the news. Net sales for the 2007 fiscal year at TJX were $17.4 billion, up 9 percent over fiscal 2006.
Litan said the TJX case not only points to how exposed networks that process card payments can be, but that "it's time for the US to bite the bullet on stronger card authentication." The banks have a lot at stake, Litan noted, saying the banks are the first entities that have to pay for card fraud, and they try to get that back from retailers.
"Banks will have to pay for this fraud, and then they'll try to get that money back from TJX," she said.
The magnitude of the theft - merely the most prominent in what seems to be a never-ending string - is sure to fan the flames for more investigations such as the one recently launched by the US Federal Trade Commission.
And it's also sure to have TJX executives sharpening their pencils to craft one of those increasingly common apology letters that have become standard fare in these situations.