TJX violated nine of 12 PCI controls at time of breach, court filings say

More than 80GB of cardholder data was stolen; company had no clue

New documents filed in a Boston federal court Thursday by banks suing The TJX Companies Inc. over its data breach claim that the Framingham, Mass.-based retailer had not complied with nine of the 12 security controls mandated by the Payment Card Industry (PCI) data security standards when the breach occurred.

Among the deficiencies that contributed to the breach were a failure to properly configure its wireless network, a failure to segment networks carrying cardholder data from the rest of TJX's network and the storage of prohibited data. A forensics expert hired by the company to probe the incident, which exposed data on some 94 million accounts, also identified other deficiencies such as improper patching practices and a failure to maintain adequate logs.

According to the court documents filed yesterday, more then 80GB of cardholder data was illegally transferred to another site in California between July 2005, when the breach first occurred, and December 2006, when it was finally uncovered. TJX, however, did not notice that any such transfer was occurring during that time frame, the court documents noted.

In May 2006, a "traffic capture program" was apparently installed on TJX's networks by intruders to sniff out and capture sensitive cardholder data as it was transmitted -- unencrypted -- over the company's networks. The data that was illegally transferred included large amounts of so-called Track 2 information from the magnetic stripes on the back of payment cards. The storage of such data, which includes personal identification numbers and card verification codes, is explicitly banned under PCI.

The new information from the court documents is being used by the plaintiffs in an attempt to file an amended complaint against TJX. The plaintiffs in the case include the Massachusetts Bankers Association, the Connecticut Bankers Association, the Maine Association of Community Banks and AmeriFirst Banks.

According to the documents, TJX knew before the breach that its wireless networks were insufficiently protected, but took no steps to mitigate the situation. The company also knew that storing Track 2 data was a violation of PCI policies, but it continued to do so anyway.

In addition, the forensic analyst who conducted the investigation, said he had never seen such a "void of monitoring and capturing via logs activity" in a Level 1 merchant like he saw at TJX, the court filings noted.

"As a Level 1 merchant, TJX is subject to the strictest standards related to data security," the plaintiffs noted.

But "these additional facts materially support the claim that TJX's conduct generally" violated laws governing unfair trade practices, they said.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
10 super-user tricks to boost Windows 10 productivity
Shop Tech Products at Amazon