Attorney: TJX Knew Of Data Breach Much Earlier Than It Claims

TJX learned of its massive data breach on Oct 3, 2006, more than two months earlier than TJX has told the government it first learned of the breach, according to one of the attorneys representing one of the banks suing the retail chain.

Getting to the bottom of these he said/she said exchanges—which is necessary to put these pieces of information into meaningful context—is made difficult because so much of the supporting material being referenced is still classified as confidential in the lawsuits surrounding the worst data breach in credit card history.

This allows representatives of both sides to make cryptic (and very carefully worded) comments that sometimes suggest more than the facts support.

Here's the latest parsing of words. Plaintiff attorney Joe Whatley this week told U.S. District Court Judge William Young in open court that TJX knew of the incident much earlier than it had disclosed.

"TJX first became aware of this breach as early as October the 3rd of 2006 when it learned of problems with Discover Cards. It took them over two weeks, roughly the same time it took us to file our amended complaint, for them to even contact a consultant to investigate the matter," Whatley said. "And it took them another two weeks after that to retain the consultant and work out a nondisclosure agreement. And, of course, there were problems. TJX then allowed them to have access to it for a period of time and then terminated them when they found there was a (data breach) problem."

Whatley later confirmed the terminated firm was Cybertrust, which he said was replaced because TJX preferred to use General Dynamics, which was suggested to them through their attorneys. The suggestion was that General Dynamics would be more friendly toward TJX and might be more protective of the chain.

The official TJX position is somewhat different. Or is it? TJX Vice Chairman Donald Campbell issued a statement to The Boston Globe that said, "TJX stands behind the facts that we have previously stated: It was not until on December 18, 2006, that TJX first learned that there was suspicious software on TJX's computer system, not until December 21, 2006, that we learned there was strong reason to believe our computer system had been intruded upon, and not until December 27, 2006, that we first learned that customer information had apparently been stolen."

Technically, that doesn't quite contradict Whatley's comments. Whatley didn't say anything about when the Trojan Horse was discovered on the network or when "there was strong reason to believe" the system had "been intruded upon."

That said, Whatley's comments are also not crystal clear and the inability to discuss sealed documents made it difficult to clarify. Many large retailers routinely learn of small credit card frauds. What did the initial Discover communication say? How many cards had been reported as having been breached at that point?

Without those details, it's impossible to assess whether the Oct. 3 incident established that TJX hadn't been honest.

But the details also reinforce the appearance that TJX—throughout this incident—has shown more concern about keeping this incident quiet than protecting customer data.

If your house was viciously broken into and ransacked, would you not only hold off calling police and instead bring in your investigators, but would you also insist that the probe not begin until you have negotiated an extensive non-disclosure agreement? Or you would you say, "Find out what the heck happened right away and we'll worry about the paperwork later"?

TJX's attorneys have made the argument that details of the initial detection and what TJX did that allowed the intruders to have such extensive network access for so many years need to remain secret because it could provide tips to future attackers.

The only problem with that argument is that TJX has also said that it's made extensive improvements to its security since the breach was discovered—in TJX's version—in December 2006. As we're now approaching 2008, it's difficult to imagine how discussing the state of the network from two and three years earlier—before the extensive changes were made—could undermine security efforts today.

Unless, of course, what's really being protected is corporate pride. In that case, it makes perfect sense.