TJX SECURITY BREACH

The TJX data heist scandal is perhaps the most visible example o the ris!s o data
interception rom a "ireless net"or!# Accordin$ to %ereira &'(()*+ an or$ani,ed $ro-p o
hac!ers penetrated the .('#// "ireless point o sale net"or! s0stem in a St# %a-l+ 1innesota+
1arshal2s department store in '((3# 4ver the next t"o 0ears thieves stole bet"een 5( and
'(( million credit card n-mbers 6 the exact scale o the disaster has not 0et been established
&%ereira+ '(()*# In addition to credit card records+ the hac!ers compromised an -n!no"n
n-mber o personal identiication records incl-din$ driver2s licenses and social sec-rit0
n-mbers &%ereira+ '(()*# A '(() Canadian report b0 the 4ice o the %rivac0 Commissioner
o Canada and the 4ice o the Inormation and %rivac0 Commissioner o Alberta placed the
blame or the data breach s7-arel0 on TJX2s -se o the 8ired E7-ivalent %rivac0 &8E%*
protocol encr0ption standard &9Report o an Investi$ation into the Sec-rit0+ Collection and
Retention o %ersonal Inormation+ TJX Companies Inc# :8inners 1erchant International
;#%#<+ '(()*# Ater compromisin$ the 8E% encr0ption al$orithm &disc-ssed in Appendix =*
-sed b0 the 1arshall2s store+ the attac!ers $ained access to a bac! room server that stored
-nencr0pted c-stomer data &Sic!er+ '(()*# The attac!ers "ere able to delete lo$ iles+
optimi,e the net"or! to better s-pport their ra-d-lent activities+ and leave encr0pted
messa$es or one another that served as to>do lists or -t-re thet &Sic!er+ '(()*# Ultimatel0+
the attac!ers -sed the compromised St# %a-l local area net"or! as a ?-mpin$>o point or
attac!s across the TJX corporate net"or! &Sic!er+ '(()*#
Altho-$h there has been little to no academic anal0sis o the TJX attac! &the Canadian report
reerenced above seems to be the onl0 oicial doc-mentation released to date*+ there has
been a sta$$erin$ amo-nt o press and p-blicit0 oc-sed on the incident# The 8all Street
Jo-rnal+ @e" Yor! Times+ The Boston =lobe+ and man0 other print and online ne"s
or$ani,ations have reported on this stor0# In act+ Abelson &'(()* reported that TJX itsel+ in
response to the stories+ ran 9ABC -ll>pa$e advertisements in several @e" En$land
ne"spapers< explainin$ the breach to cons-mers and shareholders# A =oo$le search o the
terms 9TJX sec-rit0 breach< ret-rned over 3(+((( hits# A Debr-ar0 '((. visit to the
"""#t?x#com "ebsite revealed an 9Important C-stomer Alert< lin! prominentl0 displa0ed in
the middle o the "ebpa$e that provides a letter rom TJX %resident and CE4 Carol
1e0ro"it, and other cons-mer saet0 inormation+ a 0ear ater irst reportin$ the incident#
Estimates placed the total cost res-ltin$ rom the disaster at bet"een E3(( million and E/
billion &Fi?a0an+ '(()G 4-+ '((3*# The Canadian privac0 report revealed that+ at the time o
the net"or! penetration+ TJX !ne" that 8E% "as v-lnerable and "as act-all0 in the process
o -p$radin$ to the more rob-st 8i>i %rotected Access &8%A* encr0ption protocol &9Report
o an Investi$ation into the Sec-rit0+ Collection and Retention o %ersonal Inormation+ TJX
Companies Inc# :8inners 1erchant International ;#%#<+ '(()*# Unort-natel0+ it did not
happen in time# 8hat is partic-larl0 dist-rbin$ abo-t the TJX incident is that it occ-rred
several 0ears ater a similar incident too! place involvin$ the electronics retailer Best B-0
aro-nd 1a0 '((' &Bre"in H Ferton+ '(('*# Accordin$ to a 1a0 I+ '(('+ Comp-ter"orld
article+ Best B-0 -sed an -nsec-re "ireless point o sale s0stem to s-pplement its permanent
cash re$ister leet d-rin$ pea! c-stomer traic &Bre"in H Ferton+ '(('*# An anon0mo-s
hac!er discovered the v-lnerabilit0 and posted his indin$s to an internet mailin$ list &Bre"in
H Ferton+ '(('*# Shortl0 thereater+ accordin$ to the article+ a Best B-0 spo!esman
commented that 9Spo!es"oman Jennier Boh-slavs!0 ABC< conirmed that 9ABC Best B-0
on 1a0 / deactivated its J"ireless temporar0 cash re$isters+J "hich transmit inormation via
a "ireless ;A@ connection< &Bre"in H Ferton+ '(('*#