December 15, 2007
The Newspaper of the NYSSCPA
Vol. 10, No.22

T.J. Maxx and Identity Theft: The Never-Ending Story

By Steven W. Teppler, JD

Shoppers who made purchases at designer discount chains like T.J. Maxx and Marshalls between July 2005 and December 2006 may have thought they were getting a bargain, but their credit cards weren’t the only things getting swiped at the checkout counter.

TJX Companies, Inc., the department store holding company that owns subsidiaries such as T.J. Maxx, Marshalls, HomeGoods and Bob’s Stores, disclosed, in a Securities and Exchange Commission (SEC) filing on Feb. 21, 2007, that it had “suffered an unauthorized intrusion into its computer systems that process store information related to customer transactions.”

A month later, in a March 28 SEC filing, TJX announced that over 45 million customer records of credit and debit card numbers, as well as customer driver’s license information, had been “stolen” by hackers who had gained entry into the computer systems at the company’s headquarters in the U.S. and in England, making the TJX credit card heist the largest in history.

That same month, authorities arrested several individuals for running a criminal enterprise in Florida that allegedly used some of the data stolen from TJX to obtain more than $8 million in electronics and gifts, according to the Florida Department of Law Enforcement.

Authorities have not arrested anyone believed to be responsible for the TJX security intrusion, which has so far cost TJX over $143 million, according to a TJX SEC filing in August. In addition to the $25 million TJX initially spent on the security breach, the company recorded a $118 million after-tax charge in the second quarter of fiscal year 2008. TJX estimated in the filing that it could spend another $21 million in noncash charges in fiscal year 2009. The Boston Globe estimated the computer intrusion cost TJX $256 million before taxes.

What went wrong at TJX? Most of the information remains nonpublic, but what has surfaced in an Oct. 25 Boston Globe article is sufficiently alarming to merit notice. The Globe reported that former MasterCard security executive Joseph Lisker claims TJX met “just three of the 12 requirements credit card companies impose on merchants to protect consumer data.” The Globe also reported that TJX seemed not to have properly configured its wireless network, and that the attack originated at two of its Miami locations. The expropriation of consumer data probably began with that wireless compromise. This entry point in turn appeared to have permitted access to network servers at TJX headquarters, which apparently lacked a proper firewall or other adequate perimeter protections. In all likelihood, this is how the data representing the more than 45 million accounts was compromised and expropriated.

In September, TJX announced a proposed settlement to the majority of class action lawsuits pending in the United States stemming from the security breach. These lawsuits alleged not only the failure of TJX data security systems, but also a failure to inform its more than 45 million account holders of the breach for at least a month.

The salient terms of the proposed settlement included, generally, three years of free credit monitoring, up to two years of identity theft insurance, vouchers for intrusion-based losses suffered by customers, and driver’s license replacement costs associated with the computer intrusion, according to a TJX press release. Notably, this settlement was also made expressly contingent on the “completion of an evaluation by plaintiffs’ independent security expert on the computer security enhancements made and planned by TJX and acceptance by the plaintiffs’ counsel of these enhancements,” according to a TJX press release. This near-complete capitulation, by a public company whose initial resolve was to “vigorously” contest these lawsuits, underscores the risks inherent to maintaining an insecure and unsecured computer information environment.

Although these measures were adopted by TJX in settlement, the story by no means ends here, because the problems caused by the data compromise have not been remediated in any fashion that could be considered permanent.

First, TJX acknowledged that it had deleted (in accordance with its routine data-retention policy) much of the information relating to the accountholder data that had been stolen. The fact remains that the true extent of the damages, or even the identities of those who are or who may in the future suffer damages, may never be known, because the very records describing which personally identifiable information was compromised were themselves deleted.

“The technology used by the intruder has … made it impossible for us to determine the contents of most of the files we believe were stolen,” according to the TJX March SEC filing. “We believe that we may never be able to identify much of the information believed stolen.”

Moreover, although the class actions appear to be in the process of settling out, a group of banks and other financial institutions are still seeking unspecified damages from TJX in connection with these data breaches.

Information has always been an enterprise’s most valuable asset, and today that information takes the form of computer data. Business does not get done without it. As can be seen from the TJX problem, an exploited vulnerability in an enterprise’s computer information system can readily result in financial consequences that are material. If such vulnerabilities are not detected and are not disclosed, an enterprise runs the risk of being accused of having a material weakness sufficient to constitute an internal control problem, ultimately creating the potential for a material misrepresentation and a Sarbanes-Oxley Act violation.

If information is truly the greatest enterprise asset, appropriate measures must be taken on an ongoing basis to protect that information from compromise, both from without and from within the four walls of the enterprise itself. Without policies and processes in place to detect and prevent such enterprise data breaches and compromises, the result can be hundreds of millions of dollars in losses, tens of millions of dollars in penalties, as well as criminal penalties for covered entities certifying as to their internal controls under Section 404 of the Sarbanes-Oxley Act.

Steven W. Teppler is an attorney, an inventor and a CEO of TimeCertain, LLC, an information securities company. He counsels the legal, auditing and information security communities about evolving theories of computer-generated information and evolving theories of liability, practice and evidence in an electronic-data universe. He can be reached at steppler@comcast.net.
