boston.com Business your connection to The Boston Globe

Details emerge on TJX breach

Firm violated rules on handling credit cards, filing says

Hackers whose attack on TJX Cos.' computer system continued into last year exploited many security problems and violations of credit card handling rules within the Framingham retailer's data network, according to a recent court filing by a former MasterCard official.

The details are among the most specific yet to emerge about the breach, which another court filing said affected more than 94 million accounts. That's more than twice the at least 45.7 million compromised cards previously stated by TJX, the parent of discount stores such as TJ Maxx and Marshalls.

Together, the documents provide a more detailed look at what happened at TJX, which in January first disclosed the breach that security specialists say is the biggest on record. The filings also raise security questions for the two largest credit card networks, Visa and MasterCard, which should do more to explain why their estimates are so different from TJX's, said Avivah Litan, a Gartner Inc. information technology specialist.

"The credit card networks should come clean and give the public the details behind their investigations - and how they arrived at those numbers," Litan said in an e-mail. "But it's fair to say that Visa and MasterCard must have some solid forensic evidence to support their claims. They have a total view of the card networks that others don't have access to."

Spokespeople for Visa and MasterCard said they wouldn't comment on the matter, or on a Visa official's estimate that losses to banks that issued cards were between $68 million and $83 million.

The documents are part of a legal action brought by a group of banks and financial institutions seeking to recover an unspecified amount of losses from TJX.

One filing likely to be central to the litigation is the declaration of a past MasterCard security executive, Joel Lisker, a Washington area lawyer who is now a specialist for the banking plaintiffs. Lisker was able to review a report by a vendor hired by TJX at the request of the card networks and Fifth Third Bank of Ohio, which processed credit card transactions.

According to Lisker, the vendor, now called Trustwave, found TJX had met just three of 12 requirements that credit card companies impose on merchants to protect consumer data. Lisker also stated TJX hadn't properly configured its wireless network at the time of the attack, which earlier reviews have found likely occurred through wireless systems at two Miami-area stores.

After breaching TJX's wireless network, the attacker gained access to servers at the company's headquarters in Framingham, Lisker wrote. TJX also lacked the right firewalls to protect its servers. That "allowed the unauthorized party or parties quickly to access multiple systems and quickly export data," Lisker wrote. In all, Lisker estimated the breach affected about 100 million unique account numbers.

The details suggest serious lapses, said several outside security specialists. "If his opinions are true, then TJX was an open bank vault with the money exposed," said Jon Oltsik, a senior analyst at Enterprise Strategy Group in Milford. "It really seems like TJX disregarded these and either knowingly or ignorantly was willing to live with a tremendous amount of risk," he said.

TJX said in response it "believes our security was comparable to many other major retailers," and said it has brought in security firms in the wake of the breach. In a statement yesterday TJX said it couldn't comment on court filings because of the pending litigation.

TJX did address another issue in the case, however - what it suggested was an overreaction by many smaller banks who reissued all their cards in response to the breach. In yesterday's statement, TJX said it "cannot account for the actions of banks and continues to stand behind the information it has previously disclosed regarding the data from 45.7 million card accounts specifically identified . . . as having been stolen in the criminal attack on TJX's computer systems."

TJX has said in the past that 75 percent of the 45.7 million compromised card accounts were expired or had their data masked, which could make them more difficult to abuse. In the statement yesterday, TJX said that by the time it discovered the breach in late 2006, more than 95 percent of those cards had expired, "which we believe should have made unnecessary any cancellation of these customers' cards by the banks that had issued them."

Many of the cards had expired between when the breach began, in mid-2005, and when it was discovered, in late 2006, according to a TJX spokeswoman.

Ross Kerber can be reached at kerber@globe.com.
