In this episode of Defrag This, we’re taking a look back at one of the most monumental events in hacker history—the 2007 hack of TJX Companies, which was, at the time, the biggest breach of consumer data in the history of the United States.
To help us explore the TJX hack, break down what happened, and explore what the hack meant for security and compliance culture in the US, we were lucky enough to enlist the help of Mike Drasher, Senior Integrations Engineer here at Ipswitch, and former Infrastructure Engineer at TJX. Back in 2007, Mike was actually the first person to notice the suspicious application on TJX’s network that led to the discovery of the attack.
Now, if you’re thinking “why haven’t I heard of this?” I don’t blame you. Twelve years is a long time by any measure, but in cybersecurity terms it’s ancient history. So here’s a quick breakdown of the attack.
The Biggest Hack in US History
First discovered in 2007, this breach of TJX Companies, the Boston-based parent company of TJ Maxx, Marshalls, and Boston Market, was, at the time, the biggest breach of consumer data in the history of the United States, with up to 94 million records breached.
Though the hack wasn’t discovered until 2007, hackers had first gained access to the TJX network in 2005 through a WiFi connection at a retail store, and were eventually able to install a sniffer program that could recognize and capture sensitive cardholder data as it was transmitted unencrypted over the company's networks. The hackers used that program to exfiltrate millions of credit and debit card numbers over an 18-month period, until finally being discovered in January of 2007.
The TJX hackers were a group of 10 individuals, based all over the world, led by Albert Gonzalez, who was working as an informant for the Secret Service at the time of the crime. Gonzalez had previously been indicted for his role in the ShadowCrew cybercrime forum, but the charges were dropped after he cooperated with investigators and provided information on his co-conspirators. Obviously, that wasn’t enough to convince Gonzalez to stop his illicit activities, and the hacker even wrote on a hacking forum that his goal was to earn $15M, buy a yacht and retire. Gonzalez went on to be involved in several other hacks, including the TJX attack, the hack of Dave & Busters, and the Heartland Payment Systems attack.
Gonzalez would eventually be arrested on charges stemming from the Dave & Busters hack. He was later sentenced to 20 years in federal prison for his part in the TJX attack, as well as the Dave & Busters and Heartland Payment Systems hacks. That sentence is still the lengthiest ever imposed for hacking or identity theft.
At the time of the hack, PCI DSS, the Payment Card Industry Data Security Standard, was a brand new thing, having just been implemented in June of 2005, and companies were still coming to terms with the regulation and struggling to figure out compliance. For those of you keeping up with GDPR, that may sound pretty familiar. While TJX firmly denies that it was at all negligent in allowing the attack to happen, the company was accused in court of being non-compliant with 9 of the 12 principles of PCI DSS.
TJX eventually paid $9.7 million to 41 states in a settlement, and the hack prompted credit bureaus to seek legislation requiring retailers to be responsible for the compromised customer information saved in their systems. There was no new legislation in the US, but security became a much more prominent part of corporate culture in the wake of the TJX and Heartland Payment Systems hacks. Now, over 10 years later, we’re finally starting to see legislation gain steam across the globe, with the adoption of the GDPR and the consideration of other data protection bills in Brazil, the UK, and states across the US.