Not long ago, TJX, the parent company of TJ Maxx, suffered one of the worst security breaches in history, leading to the most complex identity theft case ever prosecuted. Hackers gained access to the company's systems beginning in July 2005 and stole data on over 45 million credit and debit cards. The cards belonged to customers who made purchases between January 2003 and November 23, 2003, yet the company did not discover the intrusion until December 2006 and did not disclose it until January 2007. It is believed that the number of stolen cards cannot be fully substantiated because most of the transaction data for the period between November 24, 2003 and June 28, 2004 was deleted in the course of normal business operations, making it impossible to know the true extent of the theft. One of the mysteries of the case is why the company did not routinely delete the transactions and related information for the period in which the personal information was collected, stored and subsequently stolen. Although the full extent of the damage was never assessed and I doubt it can ever be determined, the company reported that 75% of the cards were either expired at the time of the data theft or had their card data masked in the company's systems so that it was not readable.
The stolen card data was later used to buy gift cards from Walmart, which were then used to buy electronics and jewelry at Walmart's Sam's Club stores. The investigation led to charges against eleven people in this international identity theft case: three in the US, three in Ukraine, two in China, one in Belarus, one in Estonia, and one more who had yet to be apprehended. In addition to TJ Maxx, the defendants were also suspected of data theft from other businesses such as DSW, OfficeMax, and Barnes & Noble.
Many questions were initially raised by the company, federal investigators and security professionals about the case related to:
1) true number of stolen cards and related information,
2) fraud impact of the case,
3) number of intruders involved and whether it was a one-man job or a group of professionals,
4) the relationship of this case to other identity theft cases under investigation,
5) was there only one system intrusion or multiple attempted and successful intrusions,
6) why the transaction data was not deleted in the normal course of business to limit the scale of such a theft,
7) who could have had access to the decryption tool for the encryption software TJX used to protect the data,
8) how and when the unknown software was placed on the company's computers, where it was only discovered in December 2006,
9) why the unauthorized software was not detected, and
10) were the people using the stolen information to commit fraud the actual hackers, or had they purchased the information from the thieves.
Many of these questions have since been answered, while others remain a mystery to this day. For example, we now know that the stolen data was sold to those who committed the fraud, and that the thieves were also responsible for other high-profile identity theft cases. On the other hand, we will probably never know the full extent of the damage to TJ Maxx and its customers.
From an internal controls standpoint, companies must question their business practices and consider the following:
1) collect only the minimum personal customer information needed to complete a business transaction,
2) retain the collected personal information for only as long as needed per business and legal requirements,
3) monitor systems to detect unauthorized software and suspicious network traffic, such as outbound data transfers that are unusual in size or timing.
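Controls 2) and 3) above, as an added example that is not part of the original post and not TJX's own tooling: detection logic run over constructed connection-log lines (hypothetical host names and addresses) that flags outbound transfers unusual in size relative to that host's own history or occurring outside business hours, together with a retention purge that drops records older than a policy window. The log format, the business-hours range and the size factor are assumptions chosen for the example.

```python
"""Added example: size/time anomaly detection over outbound connection
records, plus retention-based purging. Not code from the original post."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample log (hypothetical hosts and RFC 5737 test addresses,
# not real TJX data). Fields: timestamp, internal source host, external
# destination, bytes sent outbound.
SAMPLE_LOG = """\
2005-07-18T10:05:11Z src=pos-gw-01 dst=198.51.100.20 bytes_out=52000
2005-07-18T11:40:02Z src=pos-gw-01 dst=198.51.100.20 bytes_out=61000
2005-07-18T13:12:45Z src=pos-gw-01 dst=198.51.100.20 bytes_out=48000
2005-07-18T15:30:09Z src=pos-gw-01 dst=198.51.100.20 bytes_out=57000
2005-07-19T02:17:33Z src=pos-gw-01 dst=203.0.113.9 bytes_out=1900000000
2005-07-19T09:58:20Z src=hr-db-02 dst=198.51.100.21 bytes_out=240000
2005-07-19T14:20:41Z src=hr-db-02 dst=198.51.100.21 bytes_out=255000
2005-07-19T16:02:05Z src=hr-db-02 dst=198.51.100.21 bytes_out=230000
2005-07-19T21:45:00Z src=hr-db-02 dst=198.51.100.21 bytes_out=250000
"""

BUSINESS_HOURS = range(7, 20)   # assumed policy: 07:00-19:59 UTC
SIZE_FACTOR = 10                # assumed: flag >= 10x the host's median


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp like 2005-07-19T02:17:33Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse 'timestamp key=value ...' records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = parse_ts(ts)
        rec["bytes_out"] = int(rec["bytes_out"])
        flows.append(rec)
    return flows


def detect_unusual_transfers(flows, size_factor=SIZE_FACTOR, hours=BUSINESS_HOURS):
    """Return one alert per flow that is unusual in size or time.

    Size baseline is the median outbound transfer for the same source host;
    the median is used instead of the mean because a single huge exfiltration
    would otherwise drag the baseline up and hide itself.
    """
    by_host = defaultdict(list)
    for f in flows:
        by_host[f["src"]].append(f["bytes_out"])
    baseline = {host: median(sizes) for host, sizes in by_host.items()}

    alerts = []
    for f in flows:
        reasons = []
        if f["bytes_out"] >= size_factor * baseline[f["src"]]:
            reasons.append("size")
        if f["ts"].hour not in hours:
            reasons.append("time")
        if reasons:
            alerts.append({"src": f["src"], "dst": f["dst"], "ts": f["ts"],
                           "bytes_out": f["bytes_out"], "reasons": reasons})
    return alerts


def purge_expired(records, now, retention_days):
    """Retention control: keep only records newer than the retention window.

    Returns (kept_records, purged_count). Data that no longer exists cannot
    be stolen, which is the point of control 2).
    """
    cutoff = now - timedelta(days=retention_days)
    kept = [r for r in records if r["ts"] >= cutoff]
    return kept, len(records) - len(kept)


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for a in detect_unusual_transfers(flows):
        print(f"ALERT {a['ts']:%Y-%m-%d %H:%M} {a['src']} -> {a['dst']} "
              f"{a['bytes_out']} bytes: {', '.join(a['reasons'])}")
    kept, purged = purge_expired(flows, parse_ts("2005-07-20T00:00:00Z"), retention_days=1)
    print(f"retention: kept {len(kept)}, purged {purged}")
```

On the constructed data the 1.9 GB transfer from pos-gw-01 at 02:17 trips both the size and time rules, and the late-evening hr-db-02 transfer trips only the time rule. In production the baseline should come from a longer history window that excludes the flow being scored, and business hours should be evaluated in the host's local time zone rather than UTC as assumed here.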
Businesses must constantly consider their risks and assess their internal controls to prevent costly incidents and their unintended consequences. As for TJ Maxx, the company spent over $130 million to deal with the consequences of this international identity theft case.