
TJX thieves had time to steal, trip up



But the more than 50 experts TJX put on the case have reached no conclusions. Besides not knowing how many thieves were involved, TJX isn't sure whether there was one continuing intrusion or multiple separate break-ins, according to a March 28 regulatory filing.

Initially, TJX said the break-in started seven months before it was discovered. Then, on Feb. 18, it discovered the break-in had gone on for 17 months and had apparently begun in July 2005.

The length of time is unprecedented among recent U.S. hacking cases in which the number of stolen records exceeded 300,000, an AP examination of publicly available information found.


The closest comparable incident is a breach at the University of California, Los Angeles. In that still-unsolved case, unauthorized access apparently began 13 months before it was detected on Nov. 21. UCLA believes the Social Security numbers of about 28,600 people were stolen out of a database with records of 800,000 individuals.

The second-largest U.S. hack ever — a breach at now-defunct credit card payment processor CardSystems Solutions — went on for less than a year before it was discovered two years ago.

Until TJX, the CardSystems case was the largest breach in the U.S., measured by the 40 million card accounts exposed, according to the Privacy Rights Clearinghouse, a consumer advocacy group.

TJX says about three-quarters of the 45.7 million cards had either expired by the time of the theft, or the stolen information didn't include security code data from the cards' magnetic stripes, since TJX masked those codes by storing them as asterisks rather than numbers.

TJX said the intruders also may have been able to tap the unencrypted flow of information to card issuers as customers checked out with their credit cards.

The case has become a global investigation, with incidents of fraud believed tied to the TJX breach as far away as Sweden and Hong Kong.

The only arrests so far have come in Florida, where 10 people who aren't believed to be the TJX hackers are accused of using stolen TJX customer data to buy Wal-Mart gift cards.

An affidavit that Florida police filed in their investigation says TJX notified the Secret Service in March 2006 about a breach involving customer card data — six months before TJX says it detected the intrusion. TJX spokeswoman Lang called the Florida filing "incorrect" as to the date, and said the company stands behind its timeline. The Secret Service's Bruce agreed, and Gainesville police did not return phone messages.

TJX warned in its recent regulatory filing against expecting too much from its investigation. "We believe that we may never be able to identify much of the information believed stolen" aside from the 45.7 million cards it knows about so far, the filing said.

The way TJX detected the breach — by finding what the company calls "suspicious software" on its computer systems — is an indication not only of the hackers' skill in avoiding detection for so long but also of holes in TJX's security, experts say.

"They didn't know what their sensitive information assets were, and who had access to them, and they didn't have adequate security controls in place," Taneja said. "Unfortunately for TJX, I suspect they are going to become the poster child for poor data security."

© 2008 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

