SlideShare a Scribd company logo

TJX Attack

J
joevest

The document summarizes the largest known credit card theft that occurred from 2005-2007 involving retailer TJX Companies. Attackers gained access to TJX's internal network via an unsecured wireless network in a Miami store and spent over a year extracting over 80GB of unencrypted customer payment data. This led to over 94 million credit cards being stolen and $1 billion in estimated damages from fraudulent purchases, credit monitoring, and card reissuance costs. Multiple individuals were later arrested for trafficking some of the stolen data and making millions in fraudulent purchases.

Technology
Related topics:
Information Security
1 of 15
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
11-13-2007
Largest Known Credit Card Theft TJX Companies Marshall’s T.J. Maxx Home Goods A.J. Goods
What Happened? July 2005 Attackers gained access to the wireless network in a Marshall’s discount clothing store in Miami, FL. Over the next year, the internal network was systematically searched for valuable information. May 2006 Sniffer was installed on the network and over 80 GB of unencrypted data was sent to a site in California. December 2006 The incident was discovered by TJX and reported to law enforcement.
How was it done? The store was protected with WEP (Wired Equivalent Privacy) Weakness of WEP has been known since 2002 and replacements available in 2003. The ‘cracking’ of WEP is trivial. The key can be gained in a matter of minutes. Once inside, the attackers created backdoor accounts and could work from anywhere in the world.
What was stolen? Recent Estimates find more than 94 million credit cards exposed. 451,000 customers had a breach of personal records. Drivers license numbers Military ID numbers Social Security Numbers Much of the information contained Track 2 data. Track 2 data includes personal identification numbers and card verification codes and can be used to counterfeit payment cards.
Related Damages May 19, 2007 Six suspects were arrested for credit card fraud in Florida. The six were accused of purchasing gift cards with credit card numbers from the TJX incident. In total, over $8 million in credit card charges were made.
Related Damages August 21, 2007 Maksym Yastremskiy, 24, was arrested in the Turkish resort town of Kemer. He was tracked by U.S. Postal Inspection Service’s global investigations unit. He was trafficking more than 1 million credit card numbers. Numbers sold for $20 to $100.
Latest News Friday September 9, 2007 TJX announces settlement of numerous class-action lawsuits Settlement Terms: Each impacted customer would receive 2 $30 vouchers for TJX stores. Customers who returned merchandise (leaving behind their drivers license number) would have credit monitoring for 3 years with $20,000 in ID theft coverage Settlement pending ruling by judge
Latest News September 14, 2007 Irving Escobar sentenced to five years in prison and ordered to pay $600,000 restitution for his role in the gift card fraud in Florida. The Co-defendants all pled guilty and were sentenced to probation.
Latest News October 22, 2007 New lawsuit against TJX Filed on behalf of 300 banks in Massachusetts, Maine and Connecticut to reclaim damages due to credit card replacement Pending decision from judge to bring to class-action status.
Total Damages $68 million in Visa cards alone TJX lost $118 million in profits the 1 st quarter after the incident. Current estimates for TJX dealing with the incident are $256 million. It is estimated the total damages could exceed $1 Billion due to: Fraudulent credit card purchases Banks reissuing credit card Damage to personal credit.
What went wrong? No Defense in Depth WEP was used Attackers were able to get to the corporate databases through remote stores network. Customer data was stored for too long (Some credit cards were from transactions in 2003) Customer data was stored that should not have been PCI DSS standards not followed
What can be learned? Security must be incorporated in all aspects of business and risks must understood. Security is not a product you can buy. Security is a process that must constantly evolve. Do not store unnecessary information Don’t use WEP (thanks Josh)
Joe Vest, (CISSP, CISA, CEH)   [email_address]
References http://www.privcom.gc.ca/cf-dc/2007/TJX_rep_070925_e.asp http://www.securityfocus.com/brief/465 http://www.securityfocus.com/brief/594 http://online.wsj.com/article/SB117824446226991797.html http://www.securityfocus.com/news/11493/2 http://blog.washingtonpost.com/securityfix/2007/10/tjx_breach_was_twice_as_bad_as_1.html

More Related Content

PPTX
E commerce case study
Amlan Datta
 
ODP
Airbnb - Presentation
Nicola Valentini
 
PPTX
Cyber security and Cyber Crime
Deepak Kumar
 
PPTX
[Exposicion] Computer and Internet Crime
German Teran
 
PPTX
Redakt CMS Pitch Deck
Jasper van der Sterren
 
PDF
AI Restart 2024: Petra Stupková - A(I)utorské právo pro všechny
Taste
 
PPTX
OLX.in - case study presentation
Harshil Darji
 
PPTX
Multi National Corporations by Neeraj Bhandari ( Surkhet.Nepal )
Neeraj Bhandari
 
E commerce case study
Amlan Datta
 
Airbnb - Presentation
Nicola Valentini
 
Cyber security and Cyber Crime
Deepak Kumar
 
[Exposicion] Computer and Internet Crime
German Teran
 
Redakt CMS Pitch Deck
Jasper van der Sterren
 
AI Restart 2024: Petra Stupková - A(I)utorské právo pro všechny
Taste
 
OLX.in - case study presentation
Harshil Darji
 
Multi National Corporations by Neeraj Bhandari ( Surkhet.Nepal )
Neeraj Bhandari
 

What's hot (20)

PPTX
Cyber fraud a threat to E commerce
Sudeshna07
 
PPTX
Crypto currency - a digital asset
mayil vealan
 
PPTX
Sahara scam power point
Monika Deswal
 
PPTX
Zomato OOH Campaign
Ankit Chakraborty
 
PPTX
Cyber Crime
Krishnav Ray Baruah
 
PPTX
CyberSecurity.pptx
PranavRaj96
 
PPTX
Restaurant data
EbereneloOyekwe
 
PPTX
AIR BNB
OmkarKodak
 
PPT
Amazon case study
Abdalkareem Ahmed Al-Dailami
 
PDF
Fintechs in india
Milounee Purohit
 
PDF
Airbnb presentation - Paul Hayat (team3)
Paul Hayat
 
PPT
Ebay presentation
International Communication Center
 
PPTX
Cyber crime ✔
hubbysoni
 
PPTX
Shopify Presentation
Burak Eraslan
 
PPTX
Airbnb ppt - Strategic Management
PallaviMishra92
 
PDF
Airbnb presentation
Rui Wang
 
PPTX
Airbnb : An Entreprenuerial Growth Journey
Mayun Kaluthantri
 
PPTX
Airbnb presentation
Melissa Alexiou
 
PPTX
Presentation amazon, daraz, aliexpress
Md. Sohag Miah
 
PPTX
Financial Crimes
Animesh Shaw
 
Cyber fraud a threat to E commerce
Sudeshna07
 
Crypto currency - a digital asset
mayil vealan
 
Sahara scam power point
Monika Deswal
 
Zomato OOH Campaign
Ankit Chakraborty
 
Cyber Crime
Krishnav Ray Baruah
 
CyberSecurity.pptx
PranavRaj96
 
Restaurant data
EbereneloOyekwe
 
AIR BNB
OmkarKodak
 
Amazon case study
Abdalkareem Ahmed Al-Dailami
 
Fintechs in india
Milounee Purohit
 
Airbnb presentation - Paul Hayat (team3)
Paul Hayat
 
Ebay presentation
International Communication Center
 
Cyber crime ✔
hubbysoni
 
Shopify Presentation
Burak Eraslan
 
Airbnb ppt - Strategic Management
PallaviMishra92
 
Airbnb presentation
Rui Wang
 
Airbnb : An Entreprenuerial Growth Journey
Mayun Kaluthantri
 
Airbnb presentation
Melissa Alexiou
 
Presentation amazon, daraz, aliexpress
Md. Sohag Miah
 
Financial Crimes
Animesh Shaw
 
Ad

Viewers also liked (9)

PPTX
Tjx Conpanies Incorporated .ppt
JITHURAM
 
PPTX
SWOT analysis of TJX LTD
Sushant Maniyar
 
PDF
The literature and write report on information system security part 1 of 5 p...
raufik tajuddin
 
PPTX
Digital Signatures solution by ComsignTrust
Zeev Shetach
 
PDF
Proyecto integrador de seguridad informatica
Maestros Online
 
PPTX
Organizing for Effective Management: TJX
Aglazer1
 
PPTX
Cold in the Earth
Shan Ambrose
 
PPTX
Elegy for-my-father s-father
Charter College
 
PPTX
The Trees are Down
Shan Ambrose
 
Tjx Conpanies Incorporated .ppt
JITHURAM
 
SWOT analysis of TJX LTD
Sushant Maniyar
 
The literature and write report on information system security part 1 of 5 p...
raufik tajuddin
 
Digital Signatures solution by ComsignTrust
Zeev Shetach
 
Proyecto integrador de seguridad informatica
Maestros Online
 
Organizing for Effective Management: TJX
Aglazer1
 
Cold in the Earth
Shan Ambrose
 
Elegy for-my-father s-father
Charter College
 
The Trees are Down
Shan Ambrose
 
Ad

Similar to TJX Attack (20)

DOCX
Case in PointInaction Caused Costly Hacking At Large Retailer.docx
cowinhelen
 
DOCX
TEACHING CASETargeting Target with a 100 million dollar da.docx
deanmtaylor1545
 
DOCX
TEACHING CASETargeting Target with a 100 million dollar da.docx
erlindaw
 
DOCX
TEACHING CASETargeting Target with a 100 million dollar da.docx
bradburgess22840
 
DOCX
NT2580 Week 1 Understanding IT Infrastructure Security An.docx
henrymartin15260
 
PPT
Idt Jc 02 09
jwnollet
 
PDF
IDT Red Flags White Paper By Wrf
Bucacci Business Solutions
 
DOCX
Target@ Data Breach2edit
Kehinde Adelusi
 
DOCX
Cybersecurity Research Paper instructionsSelect a research topic.docx
theodorelove43763
 
PDF
Digital footprints (preview)
Neeraj Mahajan
 
PDF
EMV in the U.S.: Putting It into Perspective for Merchants and Financial Inst...
- Mark - Fullbright
 
PPT
Risk Managers Presentation
pat7777
 
PDF
A Contextual Framework For Combating Identity Theft
Martha Brown
 
PPT
Identity Theft Red Flags Rule for Business
Herring Consulting & Financial Group
 
PPTX
ID Theft and Computer Security 2008
Donald E. Hester
 
DOCX
Interested in learning moreabout cyber security training.docx
vrickens
 
PPT
Hr Idt Presentation Employee Version
danc752
 
PPTX
Privacy Presentation for SOCAP-3
Gary Kazmer
 
PPT
Recent PCI Hacks
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
PDF
New Kmart Data Breach lawsuit spotlights PCI DSS
David Sweigert
 
Case in PointInaction Caused Costly Hacking At Large Retailer.docx
cowinhelen
 
TEACHING CASETargeting Target with a 100 million dollar da.docx
deanmtaylor1545
 
TEACHING CASETargeting Target with a 100 million dollar da.docx
erlindaw
 
TEACHING CASETargeting Target with a 100 million dollar da.docx
bradburgess22840
 
NT2580 Week 1 Understanding IT Infrastructure Security An.docx
henrymartin15260
 
Idt Jc 02 09
jwnollet
 
IDT Red Flags White Paper By Wrf
Bucacci Business Solutions
 
Target@ Data Breach2edit
Kehinde Adelusi
 
Cybersecurity Research Paper instructionsSelect a research topic.docx
theodorelove43763
 
Digital footprints (preview)
Neeraj Mahajan
 
EMV in the U.S.: Putting It into Perspective for Merchants and Financial Inst...
- Mark - Fullbright
 
Risk Managers Presentation
pat7777
 
A Contextual Framework For Combating Identity Theft
Martha Brown
 
Identity Theft Red Flags Rule for Business
Herring Consulting & Financial Group
 
ID Theft and Computer Security 2008
Donald E. Hester
 
Interested in learning moreabout cyber security training.docx
vrickens
 
Hr Idt Presentation Employee Version
danc752
 
Privacy Presentation for SOCAP-3
Gary Kazmer
 
Recent PCI Hacks
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
New Kmart Data Breach lawsuit spotlights PCI DSS
David Sweigert
 

Recently uploaded (20)

PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
A Presentation on Touch Screen Technology
memembruh336
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
A Presentation on Touch Screen Technology
memembruh336
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
project resource management chapter-09.pdf
ssuser00e6e21
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Encapsulation theory and applications.pdf
gurumoop
 

TJX Attack

  • 2. Largest Known Credit Card Theft TJX Companies Marshall’s T.J. Maxx Home Goods A.J. Goods
  • 3. What Happened? July 2005 Attackers gained access to the wireless network in a Marshall’s discount clothing store in Miami, FL. Over the next year, the internal network was systematically searched for valuable information. May 2006 Sniffer was installed on the network and over 80 GB of unencrypted data was sent to a site in California. December 2006 The incident was discovered by TJX and reported to law enforcement.
  • 4. How was it done? The store was protected with WEP (Wired Equivalent Privacy) Weakness of WEP has been known since 2002 and replacements available in 2003. The ‘cracking’ of WEP is trivial. The key can be gained in a matter of minutes. Once inside, the attackers created backdoor accounts and could work from anywhere in the world.
  • 5. What was stolen? Recent Estimates find more than 94 million credit cards exposed. 451,000 customers had a breach of personal records. Drivers license numbers Military ID numbers Social Security Numbers Much of the information contained Track 2 data. Track 2 data includes personal identification numbers and card verification codes and can be used to counterfeit payment cards.
  • 6. Related Damages May 19, 2007 Six suspects were arrested for credit card fraud in Florida. The six were accused of purchasing gift cards with credit card numbers from the TJX incident. In total, over $8 million in credit card charges were made.
  • 7. Related Damages August 21, 2007 Maksym Yastremskiy, 24, was arrested in the Turkish resort town of Kemer. He was tracked by U.S. Postal Inspection Service’s global investigations unit. He was trafficking more than 1 million credit card numbers. Numbers sold for $20 to $100.
  • 8. Latest News Friday September 9, 2007 TJX announces settlement of numerous class-action lawsuits Settlement Terms: Each impacted customer would receive 2 $30 vouchers for TJX stores. Customers who returned merchandise (leaving behind their drivers license number) would have credit monitoring for 3 years with $20,000 in ID theft coverage Settlement pending ruling by judge
  • 9. Latest News September 14, 2007 Irving Escobar sentenced to five years in prison and ordered to pay $600,000 restitution for his role in the gift card fraud in Florida. The Co-defendants all pled guilty and were sentenced to probation.
  • 10. Latest News October 22, 2007 New lawsuit against TJX Filed on behalf of 300 banks in Massachusetts, Maine and Connecticut to reclaim damages due to credit card replacement Pending decision from judge to bring to class-action status.
  • 11. Total Damages $68 million in Visa cards alone TJX lost $118 million in profits the 1 st quarter after the incident. Current estimates for TJX dealing with the incident are $256 million. It is estimated the total damages could exceed $1 Billion due to: Fraudulent credit card purchases Banks reissuing credit card Damage to personal credit.
  • 12. What went wrong? No Defense in Depth WEP was used Attackers were able to get to the corporate databases through remote stores network. Customer data was stored for too long (Some credit cards were from transactions in 2003) Customer data was stored that should not have been PCI DSS standards not followed
  • 13. What can be learned? Security must be incorporated in all aspects of business and risks must understood. Security is not a product you can buy. Security is a process that must constantly evolve. Do not store unnecessary information Don’t use WEP (thanks Josh)
  • 14. Joe Vest, (CISSP, CISA, CEH)   [email_address]
  • 15. References http://www.privcom.gc.ca/cf-dc/2007/TJX_rep_070925_e.asp http://www.securityfocus.com/brief/465 http://www.securityfocus.com/brief/594 http://online.wsj.com/article/SB117824446226991797.html http://www.securityfocus.com/news/11493/2 http://blog.washingtonpost.com/securityfix/2007/10/tjx_breach_was_twice_as_bad_as_1.html