TJ Maxx - Largest Card Data Compromise in History
March 30th, 2007 by pinsecurity Posted in Credit Card Fraud, Encryption, PCI DSS, Payment Applications, Point of Sale
The news sites have been awash this week with reports (here, there, and everywhere) on how the TJ Maxx credit card compromise is shaping up to be the worst ever - just tipping the scales on the CardSystems compromise from a few years ago.
The SEC filing that has inspired these articles has some interesting information on the compromise. Searching for “COMPUTER INTRUSION” will get you to the section that talks about the events prior, during, and subsequent to the event. Quotes that stand out to me (all emphasis is mine):
“We do not believe that customer personal identification numbers (PINs) were compromised, because, before storage on the Framingham system, they are separately encrypted in U.S., Puerto Rican and Canadian stores at the PIN pad”
“For transactions after April 7, 2004 our Framingham system also generally began encrypting (meaning substituted characters for the actual characters using an encryption algorithm provided by our software vendor) all payment card and check transaction information.”
“Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX.”
“Losses that we may incur as a result of the Computer Intrusion include losses arising out of claims by payment card associations and banks, customers, shareholders, governmental entities and others; technical, legal, computer systems and other expenses; and other potential liabilities, costs and expenses. Such losses could be material to our results of operation and financial condition.”
What does all this mean? It means that the PIN pads are using banking-system encryption (almost certainly 3DES) and banking-system key management, and the intruders have not been able to compromise either. Therefore, the PIN blocks are safe.
However, the comments imply that the POS system was using custom encryption - or at the very least bad key management - and that this is what has been compromised. Remember - PCI DSS requires you to use dual control and split knowledge and proper key management practices to manage your keys, and it also requires you to use strong, standard cryptography. Never use custom crypto.
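To make the two points above concrete (why a PIN block is protected the way it is, and what "split knowledge" of a key actually means in practice), here is an added example that is not code from this post, from TJX, or from any PIN pad vendor. It builds an ISO 9564 format-0 PIN block and combines key components held by separate custodians into a working key. The 3DES encryption of the PIN block under that key is assumed to happen inside the PIN pad or HSM and is not shown; all key, PIN and PAN values are constructed test data.

```python
"""ISO 9564 format-0 PIN blocks and split-knowledge key components.

Added example for this post; not TJX's, a PIN pad vendor's, or any PCI
document's code. The 3DES encryption of the PIN block under the PIN
encryption key is assumed to happen inside the PIN pad or HSM and is not
shown here. All key and card values below are constructed test data.
"""


def adjust_odd_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has odd parity (DES convention)."""
    out = bytearray()
    for b in key:
        ones = bin(b >> 1).count("1")  # parity of the 7 key bits
        out.append((b & 0xFE) | (1 if ones % 2 == 0 else 0))
    return bytes(out)


def combine_key_components(*components: bytes) -> bytes:
    """XOR key components held by separate custodians into one working key.

    Each custodian knows only their own component, and any single component
    is consistent with every possible final key; that is what makes split
    knowledge (and the dual control around it) meaningful.
    """
    if len(components) < 2:
        raise ValueError("split knowledge needs at least two components")
    length = len(components[0])
    if any(len(c) != length for c in components) or length not in (8, 16, 24):
        raise ValueError("components must be equal-length single/double/triple DES keys")
    key = bytes(length)
    for c in components:
        key = bytes(a ^ b for a, b in zip(key, c))
    return adjust_odd_parity(key)


def iso_format0_pin_block(pin: str, pan: str) -> str:
    """Build a clear ISO 9564-1 format-0 PIN block as 16 hex digits.

    Format 0 XORs a PIN field (control nibble 0, PIN length, PIN digits,
    'F' padding) with a PAN field (four zero nibbles followed by the twelve
    rightmost PAN digits excluding the Luhn check digit). Binding the PAN
    into the block is why the same PIN on two cards encrypts differently.
    """
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 decimal digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    pan_field = "0000" + pan[:-1][-12:]
    block = int(pin_field, 16) ^ int(pan_field, 16)
    return f"{block:016X}"


def recover_pin(pin_block_hex: str, pan: str) -> str:
    """Reverse the format-0 construction.

    In production this only ever happens inside an HSM after decryption;
    the POS application never sees a clear PIN block.
    """
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 decimal digits")
    pan_field = "0000" + pan[:-1][-12:]
    pin_field = f"{int(pin_block_hex, 16) ^ int(pan_field, 16):016X}"
    if pin_field[0] != "0":
        raise ValueError("not a format-0 PIN block")
    length = int(pin_field[1], 16)
    pin = pin_field[2:2 + length]
    if not pin.isdigit() or pin_field[2 + length:] != "F" * (14 - length):
        raise ValueError("malformed PIN field")
    return pin


if __name__ == "__main__":
    # Constructed custodian components for a double-length (16-byte) 3DES key.
    comp_a = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")
    comp_b = bytes.fromhex("11111111111111112222222222222222")
    pek = combine_key_components(comp_a, comp_b)
    print("working PIN encryption key:", pek.hex().upper())

    # Constructed cardholder data; the PAN is a standard test number.
    block = iso_format0_pin_block("1234", "4111111111111111")
    print("clear format-0 PIN block:", block)
    print("recovered PIN:", recover_pin(block, "4111111111111111"))
```

Note the design point in `combine_key_components`: whoever holds `comp_a` alone can pair it with a different partner component to reach any key at all, so the working key exists only at the moment of combination inside the secure device. A POS package that ships a single "decryption tool" alongside its data store, as the filing describes, has no such property.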
The final comment is for all of you who think that PCI DSS compliance is not worth the cost. TJ Maxx is facing losses that “… could be material to our results of operation and financial condition.” Is saving the cost of PCI DSS compliance worth risking your entire business?
Update: Ambersail reports it’s all over the BBC as well. This story has hit all corners of the globe, and merchants everywhere should be addressing PCI.
Further Update: Cambridge security labs LightBlueTouchPaper blog has some more news from a British perspective.