TJ Maxx Data Breach
In the late 2006 the online retail store TJ Maxx which is a leading apparel and off-price retail store, reported that it had problems processing credit cards. The company brought in an external security advisor to investigate the incident. It was soon discovered that TJ Maxx was subject to multiple security and data breaches. The company finally hired General Dynamics and IBM to further investigate the matter.
Both the hired companies investigated the matter and brought to the attention of TJ Maxx that suspicious software had been detected installed within their systems. It was undetermined if it was one hacker or hackers who had gained access. TJ Maxx declared that its wireless service had been breached and the attackers had gained access to the corporate network. It was unclear who was responsible for the breach. TJ Maxx conducted an internal inquiry and revealed that none of its employees were involved in the security breach. However, it was also found that none of its employees were alert enough to prevent unauthorized access. It was also found that hackers had replaced the store’s PIN-pad terminal with a similar device, that had been altered to capture the account numbers and PINs of people using the device. The hackers returned to the store a few days later and replaced the original and made off with the other device, that had recorded customer’s account information. This went unnoticed by the staff.
After processing the and analyzing the evidence, TJ Maxx notified various law enforcement agencies of the intrusion and data breach. The initial press release by TJ Maxx stated that 45 Million payment cards were affected by the breach, however at the time of the disclosure over three quarters of these cards were said to have expired. However, when a class action suit was later filed, there were about 94 Million card holders who had joined the suit. The large discrepancy between the numbers provided by TJ Maxx and those from the banks suggests that TJ Maxx did not have proper logs for proper forensic analysis.
The entire corporate network TJ Maxx had been breached. The stolen data included not just data for the TJ Maxx store, but also for the other stores of the group including Marshalls, Home Goods, and A. J. Wright stores in the United States and Puerto Rico, also data for the stores Winners and Home Sense in Canada was compromised.
The corporate data stolen included merchandise return transactions of the customers of the above affected stores. Though no Personal Identification Numbers (PINs) were stolen, customer’s Drivers License Numbers, Military, and State Identification numbers were compromised. The company later identified that data for at least 455,000 customers had been compromised.
Data life cycle and Security Recommendations
Looking at the number of card holders (94 Million) joining the class action law suit, it is apparent that TJ Maxx companies had stored historical information for transactions. There was no proper data life cycle for data collected from the customers as well as the data generated within the business for the customers.
If TJ Maxx had a proper data life cycle policy which deleted data as soon as it matured, it wouldn’t have suffered from such a severe breach. The more data you store, the more your business risk to a data breach. Defining when data is destroyed right when it is created, helps in limiting your Data Security Risk. TJ Maxx should have defined a data destruction policy which defines when data is destroyed and should have accordingly deleted all the sensitive data after a pre-determined interval. This decision would have helped TJ Maxx.
A typical Data life cycle of six months would have reduced the business risk by at least two-thirds of the breached data. Limiting the historical data lost to only last 6 months, would bring down the data breach from 94 Million Card Holders to only shoppers in last 6 months.