- The Washington Times - Friday, April 13, 2007

BOSTON (AP) — For at least 17 months, someone had free rein inside TJX Cos.’ computers. Without anyone noticing, one or more intruders installed code on the discount retailer’s systems to methodically unearth, collect and transmit account data from at least 45.7 million credit and debit cards.

It’s thought to be the biggest such breach of customer records ever in the United States — a theft that owes its size in part to the time the electronic heist went undetected, information security specialists say.

The 17-month duration appears to be unprecedented among recent large U.S. data thefts involving hackers, according to an Associated Press review of a dozen of the biggest cases over the past four years.

Analysts say the year-and-a-half of undetected access could be a mixed blessing as investigators look for any incriminating evidence left behind.

“The length of time they were in TJX’s systems increases the possibility that they made a mistake and did something that points back to them,” said Mark Rasch, former head of the U.S. Department of Justice’s computer crime unit and now an information security adviser at FTI Consulting.

On the other hand, the 17 months offered plenty of time to cover tracks.

“People who have very little time to get in and out don’t have as much time to perfect their attacks, and there’s a bigger risk of getting caught if they have to make a hasty exit,” said Mike Weider, founder and chief technology officer of Watchfire, a maker of data security software.

If any incriminating evidence has turned up in the 4-month-old TJX probe, investigators aren’t talking about it. Spokeswoman Kim Bruce of the U.S. Secret Service declined to comment because the probe her agency is leading is ongoing. IBM Corp. and General Dynamics Corp. — companies TJX hired to investigate after the breach was discovered Dec. 18 — also wouldn’t talk.

Some analysts think the long period of unobstructed access and the hacker’s apparent use of electronic encryption keys to unlock some data suggest involvement inside the 125,000-employee company.

“Whoever did this knew what to look for, knew where to look and even may have had knowledge of how files were encrypted,” said Deepak Taneja, chief executive of Aveksa, a security software company. “It’s hard to fathom how an outside hacker could know how the data was encrypted.”

Even after TJX finally detected the breach, the intruders apparently had the upper hand.

The company waited nearly a month to announce the theft — a strategic feint taken on advice of the Secret Service to prevent intruders from learning investigators were watching. But even without such public disclosure, the theft of card numbers stopped when the access was detected.

TJX spokeswoman Sherry Lang said possible insider involvement is “certainly part of the investigation” by the Framingham, Mass.-based owner of nearly 2,500 discount stores, including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright in the U.S., Winners and HomeSense in Canada and T.K. Maxx in Britain.

But the more than 50 specialists TJX put on the case have reached no conclusions. Besides not knowing how many thieves were involved, TJX isn’t sure whether there was one continuing intrusion or multiple separate break-ins, according to a March 28 regulatory filing.

Initially, TJX said the break-in started seven months before it was discovered. Then, on Feb. 18, it discovered that the intrusion had lasted 17 months and had apparently begun in July 2005.

The length of time is unprecedented among recent U.S. hacking cases in which the number of stolen records exceeded 300,000, an AP examination of publicly available information found.

The closest comparable incident is a breach at the University of California at Los Angeles.

In that still-unsolved case, unauthorized access apparently began 13 months before it was detected on Nov. 21. UCLA thinks the Social Security numbers of about 28,600 people were stolen out of a database with records of 800,000 people.

The case has become a global investigation, with incidents of fraud thought tied to the TJX breach as far away as Sweden and Hong Kong.
