Defrag This | Read. Reflect. Reboot.

Podcast - 12 Years Later: How the TJX Hack Changed Security and Compliance

Jeff Edwards | February 01 2019

Topics: Podcasts, Security, Compliance, Hacks


In this episode of Defrag This, we’re taking a look back at one of the most monumental events in hacker history—the breach of TJX Companies disclosed in 2007, which was, at the time, the biggest breach of consumer data in the history of the United States.

To help us explore the TJX hack, break down what happened, and explore what the hack meant for security and compliance culture in the US, we were lucky enough to enlist the help of Mike Drasher, Senior Integrations Engineer here at Ipswitch, and former Infrastructure Engineer at TJX. Back in 2007, Mike was actually the first person to notice the suspicious application on TJX’s network that led to the discovery of the attack.

Now, if you’re thinking “why haven’t I heard of this?” I don’t blame you. Twelve years is a long time by any measure, and in cybersecurity terms it is ancient history. So here’s a quick breakdown of the attack.

The Biggest Hack in US History

First disclosed in January 2007, this breach of TJX Companies, the Framingham, Massachusetts-based parent of T.J. Maxx, Marshalls, and HomeGoods, was, at the time, the biggest breach of consumer data in the history of the United States. TJX itself put the count at roughly 46 million card numbers; banks suing over the breach put it at up to 94 million.

Though the hack wasn’t disclosed until 2007, the attackers had first gained access to the TJX network in 2005 through a store’s wireless network, which was protected only by the broken WEP protocol, and from there worked their way into TJX’s central payment systems. They eventually installed a sniffer program that could recognize and capture cardholder data as it was transmitted over the company’s networks unencrypted. The attackers used that program to exfiltrate millions of credit and debit card numbers over an 18-month period, until the intrusion was finally discovered in December 2006 and publicly disclosed in January 2007.
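The attack turned on one fact: card numbers crossed the network in cleartext, so a sniffer only had to recognise them. The same recognition logic is what a network DLP or IDS rule uses to alert on cleartext PANs. The following is an added example (not code from the podcast, from TJX, or from the attackers’ tooling) that scans payloads for 13 to 19 digit runs, keeps only those that pass the Luhn check so that order numbers and amounts are not reported, and masks what it finds. The sample payloads are constructed for the example; the third mimics an encrypted record, which is why a sniffer gets nothing from TLS traffic.

```python
import re
from typing import List

# Constructed sample payloads for this example (not captured traffic).
# The first two mimic a cleartext point-of-sale authorization record; the
# third is an opaque blob standing in for a TLS record, which a sniffer
# would see on the wire but could not parse.
SAMPLE_PAYLOADS = [
    b"POS-AUTH|pan=4111111111111111|exp=0912|amt=43.17|order=20070117",
    b"POS-AUTH|pan=5555555555554444|exp=1110|amt=199.99|ref=1234567890123",
    b"\x17\x03\x03\x00\x28\x9f\x1a\x3c\x44\xe2\xb0\x17\x55\x03\xaa\x7e\xc1",
]

# Candidate PAN: 13 to 19 consecutive digits not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: bytes) -> List[str]:
    """Return the Luhn-valid card numbers found in cleartext in one payload."""
    text = payload.decode("latin-1")   # byte-preserving decode of binary data
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_ok(m.group(0))]


def mask(pan: str) -> str:
    """PCI DSS-style display mask: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(payloads: List[bytes]) -> List[str]:
    """Masked PANs across all payloads, in order: what an alert should carry."""
    found = []
    for p in payloads:
        found.extend(mask(pan) for pan in find_pans(p))
    return found


if __name__ == "__main__":
    for hit in scan(SAMPLE_PAYLOADS):
        print("cleartext PAN on the wire:", hit)
```

The Luhn filter is what keeps the false-positive rate tolerable: the 13-digit reference number in the second payload matches the regex but fails the checksum and is dropped. An alert should carry only the masked form, otherwise the monitoring system becomes a second copy of the data it is meant to protect.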

The Hackers

The TJX hackers were a group of around a dozen individuals, based all over the world, led by Albert Gonzalez, who was working as an informant for the Secret Service at the time of the crime. Gonzalez had previously been arrested for his role in the ShadowCrew cybercrime forum, but avoided prosecution after he cooperated with investigators and provided information on his co-conspirators. Obviously, that wasn’t enough to convince Gonzalez to stop his illicit activities, and he wrote on a hacking forum that his goal was to earn $15M, buy a yacht and retire. Gonzalez went on to be involved in several other breaches, including the TJX attack, the hack of Dave & Buster’s, and the Heartland Payment Systems attack.

Gonzalez was eventually arrested in 2008 on charges stemming from the Dave & Buster’s hack. In 2010 he was sentenced to 20 years in federal prison for his part in the TJX attack, the Dave & Buster’s hack, and the Heartland Payment Systems breach. That sentence remains the longest ever imposed in the US for hacking or identity theft.

Compliance Implications

At the time of the hack, PCI DSS, the Payment Card Industry Data Security Standard, was brand new: version 1.0 had been published in December 2004, with the first compliance deadlines falling in mid-2005, and companies were still coming to terms with the standard and struggling to figure out compliance. For those of you keeping up with GDPR, that may sound pretty familiar. While TJX firmly denied that it was negligent in allowing the attack to happen, banks suing over the breach alleged in court that the company had been non-compliant with 9 of the 12 PCI DSS requirements.

TJX eventually paid $9.75 million to 41 states in a 2009 settlement, on top of earlier settlements with Visa and MasterCard, and the breach prompted banking groups to push for legislation making retailers liable for the cost of compromised card data stored on their systems. No federal legislation resulted (Minnesota did pass a Plastic Card Security Act in 2007 barring retailers from retaining card data after authorization), but security became a much more prominent part of corporate culture in the wake of the TJX and Heartland Payment Systems breaches. Now, over 10 years later, we’re finally seeing legislation gain steam across the globe, with the adoption of the GDPR, new data protection laws in Brazil, the UK and California, and bills under consideration in other US states.





Jeff Edwards is a tech writer and analyst with three years of experience covering Information Security and IT. Jeff has written on all things cybersecurity, from APTs to zero-days, and previously worked as a reporter covering Boston City Hall.
