The TJX 11's Retailers Oblivious To Repeated Breaches

Some 3 hours and 19 minutes before the U.S. Justice Department announced to the world that it was charging 11 men with having stolen 41 million payment card numbers from TJX and several other national retailers, a group of Secret Service agents started making phone calls.

These were calls to retailers—including TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, DSW and Forever 21—to tell them that, after a multi-year-long federal probe, that indictments were being unsealed.

One of those retailers—Barnes & Noble—issued a vague statement suggesting that the chain might not have been aware of the incident before the Secret Service team started making those 11:30 AM calls. Saying that "we just learned today" about the indictments and that the book chain was listed as a victim. "Although the indictment states that several retailers were targeted, it does not provide specifics about Barnes & Noble and does not list customer names. Barnes & Noble takes the privacy and security of the personal information of our customers very seriously and we are reviewing this matter carefully."

Some of the other retailers made their own statements, usually stressing that the breaches were several years old (Boston Market and BJ's said 2004, DSW said 2005), when their security was presumably weaker.

What the statements didn't mention, though, is that none of the retailers mentioned in this case discovered the breaches themselves--neither during the incidents nor after. All learned in various ways, whether from the Secret Service or from a credit card company or a processing bank having detected that chain as a common point of purchase among several consumer victims.

Of all the retailers targeted, federal officials said, the security systems of only one detected and stopped the break-in attempts, and government officials decided to not reveal that retailer's identity.

Officials in the class-action lawsuits of the star victim in this case—TJX—differed on exactly when TJX learned of the breach. But the breach was not discovered by TJX's internal systems nor by any TJX employee, sources familiar with the case said.

It's not clear if the defendants in this case are accused of being the sole group involved in attacking TJX, but there are numerical discrepancies, leaving that possibility open. Some testimony in the TJX lawsuits put the number of payment cards accessed in that case at more than 100 million, while the number involved in this week's case is 41 million and that includes all of the retailers involved.

Michael Sullivan, the U.S. Attorney for Massachusetts, said some of the discrepancy might lie in the differences between a number accessed repeatedly and individual numbers.

"We're talking about distinct numbers. And I don't know whether or not TJX is referring to distinct numbers being 100 million, or in some instances, numbers taken on multiple occasions, but the same number," Sullivan said, adding that his office has "41 million distinct credit and debit card numbers that we've been able to identify, so far."

Part of the problem with wireless breaches is that it leaves fairly few fingerprints behind, as the data leaves when it is supposed to leave and arrives when it is supposed to arrive. (See David Taylor's column this week: "How Can You Not Know You've Been Hacked?")

The members of the group named in the federal charges have been described as a sophisticated cyber thief alliance, akin to a 21st Century Fagin, assuming Fagin was a programmer and probably a onetime phonephreak.

But Sullivan properly draws a critical distinction: The group—from an organizational and structural perspective—was quite sophisticated. The cyber-thief tactics they used (primarily wardriving), however, were ordinary and anything but advanced.

"Obviously, it was a sophisticated network of people who were able to acquire and hide this information, to their own encryption methods and off-shore and aliases and that sort of thing. They were sophisticated as a criminal organization," Sullivan said, "but people suggest in terms of what they did, that it was not that sophisticated in terms of ease of access. They realized you can drive around and essentially get access to these wireless sites."

Acknowledging the cipher elephant in the room, Sullivan said the retail security systems today are much stronger than they were.

"I'm absolutely confident that the security systems are much more robust and we do a much better job in terms of detecting and preventing these types of breaches today, in 2008, versus where they were at back in 2003. They've now put additional bolts and locks on the doors that they realized people were using to get access to in the past," he said. "Having said that, I don't think a lot of these people are simply giving up and going away. They're going to continue to be cutting edge with regards to their ability to steal this type of proprietary information. Because it means money to them, I mean you're talking about potentially huge sums of money with small transactions on each of these accounts."

One retail security expert, who asked to remain anonymous as he works for a large retailer not mentioned in the indictments, agreed that vast improvements in retail security have happened in the last few years—and that PCI deserves a lot of the credit for that. But it's equally important to note, he said, how absolutely terrible retail security was just a few years ago.

"I think that stores started from a position of absolutely no security. Retailers just ran that wave for years and years," he said. "It wasn't until PCI kicked in that they started taking security seriously."

And then, around 2000, cyber thieves realized the gold mine that was the retail landscape, especially with wireless access points. The thieves "matured their profession, they refined their tactics. When they found retailers sitting there wide open, they were the proverbial kid in a candy store," he said.

After quite a few bloody noses, retailers started sharply improving security. "The retailers hardened themselves by an order of magnitude," he said. "But 1,000 percent better wasn't enough."