Confirmed as the largest exposure of consumer information on record in the United States, the network intrusion experienced by TJX Companies highlights serious data security risks posed by outdated payment card systems, experts observed.
In an annual report filed with the SEC on March 28, TJX offered many more details of the attack that allowed intruders to make off with more customers' information than it had previously shared with the public.
According to the report, an undetermined number of outsiders repeatedly broke into a portion of the company's IT systems between 2005 and 2007, exposing the personal information -- including credit and debit card numbers -- of roughly 45.6 million people.
TJX specifically said that the attackers were able to penetrate an area of its network used to store payment card and transactional data at two different locations.
At the time that TJX hired IBM and General Dynamics to begin investigating the break-in during Dec. 2006, the consultants found that the malware tools used by the data thieves were still present in the company's systems.
Ironically, the TJX data heist, which has already led to fraud in the U.S. and overseas, displaces another incident related to a hack of payment card systems as the most sizeable breach of all time. In mid-2005, card processor CardSystems Solutions had its IT systems hacked to the tune of more than 40 million consumer records.
Security experts said it is no coincidence that the two largest consumer data thefts on record involve break-ins to payment card systems.
In addition to holding the sensitive customer information that cyber-criminals and offline fraudsters need most to carry out their schemes, companies that have not moved to upgrade their systems over the last several years are likely running applications that do not offer much resistance to attack, analysts said.
"These older payment systems were not designed with security in mind, and the people building them only really started paying attention to security in the last few years, so it's easy to blame TJX for coming up short, but I'd bet there are a lot of other companies in the same shoes," said Avivah Litan, analyst with Gartner.
Things have improved slowly since major credit card issuers forced the adoption of the PCI (Payment Card Industry Data Security Standard) in 2004, which was co-authored by Visa USA and MasterCard, the analyst said. However, many older systems remain vulnerable despite the guideline, Litan said.
MasterCard, among others, has commented publicly that TJX's systems were not compliant with PCI standards when they were attacked.
The analyst said that sources were telling her that the attack carried out against TJX originated in Eastern Europe and likely took advantage of an unprotected wireless network somewhere at the company to break into the software controllers that drive its point-of-sale registers in addition to hacking into its back-end systems.
Most companies do not monitor all their point-of-sale controllers, and from there, the criminals were likely able to find a way to penetrate the firm's back-end servers, she said.