How TJMaxx Hackers Stole 45.7 Million Credit Cards

The intruders who stole 45.7 million credit cards from TJMaxx's computer systems siphoned off customer data using a program they implanted on the company's servers, recent regulatory filings reveal.

The worm operated undetected for at least 18 months, capturing credit card numbers, then altering time logs and moving data around to erase its tracks.

Initial speculation suggested that the thieves had access to the retailer’s encryption key. Now it may be that the program captured data before it was encrypted.

If the latter, the ramifications are immense, as it means every single retailer’s credit card processing system is at risk. — BEN POPKEN

TJX Intruder Had Retailer’s Encryption Key [eWeek] (Thanks to Brandon!)


  1. velocipenguin says:

    The article only says that the crackers in question had access to the decryption algorithm used by TJX. Access to the algorithm is not at all important, unless your company is run by idiots who think using a s00p3r-s3kr1t proprietary crypto scheme guarantees security. Most of the world’s most important crypto algorithms – including 3DES, the (somewhat inadequate) scheme used by every bank in the world – are available to the public. The only thing that counts is the encryption key; if TJX left their crypto keys in an area accessible to malicious intruders, then they deserve to be sued for everything they’ve got. Encryption – regardless of algorithm – is completely worthless unless the key is kept as secure as possible.

  2. electronics says:

    A worm? I suspect that Paula Rosenblum doesn’t know what she’s talking about when it comes to technology. The hackers didn’t give a rat about how many cards they had access to, only that they had access to them. Whether it was 100, 1 million, or 45 million doesn’t make a difference. The amount of abuse of the credit cards was likely very, very low when compared to the credit cards exposed. Hackers don’t go after stuff like this to get in the media because as soon as that happens, it means that they can’t leech off people’s accounts anymore.

    Throughout the breach, they had *access to* upwards of 45.7 million cards, but that doesn’t mean that they *got* 45.7 million cards. The payment card industry tries to take the most liberal guess possible, since they have to worry about all the cardholders who potentially got their data stolen.

  3. faust1200 says:

    It was totally social engineering.

    Here’s part of the alleged transcript:

    “Hello!! This is Terrance James Maxx. I seemed to have forgotten my password and I can’t get onto the server…”