When this case was originally revealed, ISB chose not to comment because very few actual facts were available at the time and speculation abounded in all kinds of media. Now, however, more facts have emerged and a short article may be in order.
As readers will recall, this case started in December 2006 when TJX, in accordance with US legislation, reported that they had lost the personal details, including credit card information, of around 46 million customers (the fact was made public in January 2007). TJX owns stores in the USA, Canada and the UK (TK Maxx, HomeGoods, A.J. Wright, Marshalls and others).
The entry point of the thieves seems to have been an insecure WiFi system, allowing the criminals to stand behind a particular shop and collect data travelling between hand-held devices, cash registers and the shop's computer.
Based on the data thus gathered, the thieves were subsequently able to open employee accounts, access TJX's central database and download customer information. These breaches began around July 2005 and initially involved transaction data from 2003 and the first half of 2004 - hence around two thirds of the credit card details actually pertain to cards which have expired. According to TJX, most of the card data from 2004 were incomplete, having been destroyed automatically after completion of the corresponding transactions. The intrusions continued until January 2007. TJX first discovered that unauthorised software was running on their computers on December 18th 2006 (!).
How exactly the thieves escalated their attack to be able to access the computers containing central databases has not been made public, but an interesting fact is that TJX believes the thieves have access to the software used to encrypt and decrypt the database information. This bears all the hallmarks of a well-planned operation by highly qualified people.
This is the technical information currently available. However, the scope of the economic consequences of this breach is beginning to get clearer. Whereas the banks have so far taken the brunt of financial losses caused by identity theft, there are signs that their patience with companies that fail to adequately protect their data is wearing thin. Around 300 banks are currently suing TJX for the cost of replacing $300 million worth of credit cards. In the meantime, police in Florida have arrested a gang using the stolen card data to purchase $1 million worth of goods, using e.g. Wal-Mart gift vouchers.
The company is also facing an investigation by the Federal Trade Commission.
On May 15th TJX announced sales and earnings results for the first quarter ending 28 April. In this there is a reference to a $12 million charge as a result of the data breach. TJX also refers to a similar charge expected next quarter in its press release:
"On January 17, 2007, TJX announced that it had suffered an unauthorized intrusion(s) into portions of its computer systems that process and store information related to customer transactions. In the first quarter of fiscal 2008, the Company recorded an after-tax charge of approximately $12 million, or .03 per share, for costs incurred during the first quarter, which includes costs incurred to investigate and contain the intrusion, enhance computer security and systems, and communicate with customers, as well as technical, legal, and other fees.
In the second quarter, the Company expects to continue to incur these types of costs related to the intrusion(s), which the Company estimates will total .02 - .03 per share. Beyond these costs, TJX does not yet have enough information to reasonably estimate the losses it may incur arising from this intrusion, including exposure to payment card companies and banks, exposure in various legal proceedings that are pending or may arise, and related fees and expenses, and other potential liabilities and other costs and expenses. The Company will record known losses when they become both probable and reasonably estimable."
The small amounts set aside by TJX do not even begin to cover the actual costs of this security breach, which could run into billions, the question being of course who will eventually be left with the bill. One can only hope that this incident will lead to a huge number of customers using their feet and taking their shopping elsewhere - I would! There is no excuse for this breach. The technology to block access to confidential data is readily available and working. That the company's management failed to take the issue of information security seriously and employ competent IT staff could indicate that other issues of similar importance are not taken seriously, a very worrying prospect if you are a TJX shareholder...
--Ed
Related links:
home.businesswire.com/portal/site/tjx/index.jsp?epi-content=GENERIC&newsId=20070515005807&ndmHsc=v2*A938775600000*B1179518750000*C4102491599000*DgroupByDate*J2*N1001148&newsLang=en&beanID=1809476786&viewID=news_view