TJX Waging Legal Battle To Keep Its Security Glitch Details Secret

The TJX data breach has been a veritable data dynamo of details that, if carefully pieced together, say virtually nothing.

But those details have typically hinted at or suggested a wide range of security problems, including weak firewall protection, encryption irregularities, wireless problems and a Trojan horse that may or may not have been planted.

After months of motions and arguments, filings have begin for the argument that frightens TJX the most: whether U.S. District Court Judge William Young will order that TJX reveal publicly exactly how it believes the breaches occurred and why they happened.

This week, attorneys representing banks that are now suing TJX specifically asked Young for permission to make public reports that TJX had prepared detailing the mishaps. TJX is aggressively fighting such efforts.

At issue are five reports, plus a few related pieces of testimony. The reports are: one prepared by ATW on May 1, 2007, called the Card Compromise Forensic Investigation Report (Exhibit 5); a June 11, 2007, report by General Dynamics called Advanced Information Systems, Intrusion into the TJX Companies, Inc.'s Computer System (Exhibit 8); a Verisign CISP compliance report from Sept. 19, 2004 (Exhibit 9); and a Cybertrust CISP compliance report from Sept. 6, 2006 (Exhibits 8, 9, and 10, collectively, the "Reports on Compliance").

The federal judge will likely look at several factors, including relevance and significance. But the pivotal question is likely to be whether the contents of those reports will additionally weaken TJX's security.

TJX focuses on very specific details, such as the current location of various servers, and argues that such information would put consumers at more risk.

"The ATW Report and GD Presentation both provide detailed, non-public information about how TJX's computer system was compromised in 2005 and 2006," said a TJX document filed Wednesday. "If revealed publicly, (it) could serve as a roadmap for persons trying to attack TJX's computer system or other participants in the payment card system."

"These documents are a sideshow and Plaintiffs seek to include them only as part of their wider strategy to seek to discredit TJX at every turn," the TJX attorneys wrote.

The plaintiffs have countered that the handful of current details could be removed, leaving intact information about the state of the systems early on, systems that have since been fixed and otherwise changed.