TJX thieves had time to steal, trip up

Duration may be unprecedented among large data thefts involving hackers

By Mark Jewell
updated 5:19 p.m. ET April 13, 2007

BOSTON - For at least 17 months, someone had free rein inside TJX Cos.' computers. Without anyone noticing, one or more intruders installed code on the discount retailer's systems to methodically unearth, collect and transmit account data from at least 45.7 million credit and debit cards.

It's believed to be the biggest such breach of customer records ever in the United States — a theft that owes its size in part to the time the electronic heist went undetected, information security experts say.

The 17-month duration appears to be unprecedented among recent large U.S. data thefts involving hackers, according to an Associated Press review of a dozen of the biggest cases over the past four years.

Experts say the nearly year-and-a-half of undetected access could be a mixed blessing as investigators look for any incriminating evidence left behind.

"The length of time they were in TJX's systems increases the possibility that they made a mistake and did something that points back to them," said Mark Rasch, former head of the U.S. Department of Justice's computer crime unit and now an information security adviser at FTI Consulting.

On the other hand, the 17 months offered plenty of time to cover tracks.

"People who have very little time to get in and out don't have as much time to perfect their attacks, and there's a bigger risk of getting caught if they have to make a hasty exit," said Mike Weider, founder and chief technology officer of Watchfire, a maker of data security software.

If any incriminating evidence has turned up in the 4-month-old TJX probe, investigators aren't talking about it. Spokeswoman Kim Bruce of the U.S. Secret Service declined to comment because the probe her agency is leading is ongoing. IBM Corp. and General Dynamics Corp. — companies TJX hired to investigate after the breach was discovered Dec. 18 — also wouldn't talk.

Some experts believe the long period of unobstructed access and the hacker's apparent use of electronic encryption keys to unlock some data suggest involvement inside the 125,000-employee company.

"Whoever did this knew what to look for, knew where to look, and even may have had knowledge of how files were encrypted," said Deepak Taneja, chief executive of Aveksa, a security software company. "It's hard to fathom how an outside hacker could know how the data was encrypted."

Even after TJX finally detected the breach, the intruders apparently had the upper hand.

The company waited nearly a month to announce the theft — a strategic feint taken on advice of the Secret Service to prevent intruders from learning investigators were watching. But even without such public disclosure, the theft of card numbers stopped when the access was detected.

TJX spokeswoman Sherry Lang said possible insider involvement is "certainly part of the investigation" by the Framingham, Mass.-based owner of nearly 2,500 discount stores, including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright in the U.S., Winners and HomeSense in Canada and T.K. Maxx in Britain.
