Brown Forces Parent Company of TJ Maxx and Marshall's to Block Credit Card Hackers

Tuesday, June 23, 2009
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

Oakland- After a “massive breach” jeopardized the personal information of 50 million consumers, Attorney General Edmund G. Brown Jr. today joined 40 other states in requiring TJX--the parent company of TJ Maxx, Marshall’s, HomeGoods, and A.J. Wright-- to bolster the security of its databases.

“TJX ignored flaws in its credit card database, until hackers broke into it, gaining access to the personal information of almost 50 million people,” Brown said. “This agreement requires the company to carefully test its security systems and upgrade them to the highest contemporary standards.”

In January 2007, TJX announced that hackers had gained access to portions of its computer databases, which stored credit and debit card numbers, social security numbers and personal information of over 50 million customers.

Subsequently, 41 state attorneys general launched an investigation into how the hackers gained access and if the company did enough to protect its customers.

The investigation found that TJX failed to address the security flaws identified in a 2004 internal audit. This audit found major vulnerabilities connected to using firewalls, encrypting cardholder data, updating anti-virus software and regularly testing security systems. Just one year later, hackers from several different countries exploited the same vulnerabilities the audit identified.

The hackers accessed the company’s databases, connected to unsecured wireless networks, on two separate occasions. The first breach occurred in 2005 when hackers accessed TJX’s main server in Framingham, Mass. They targeted unencrypted and unprotected data such as: names, addresses, social security numbers, military ID numbers, and driver’s license numbers. The hackers obtained 94 million unique credit/debit card numbers.

The second breach occurred in 2006 in which the hackers installed an Open Virtual Private Network (Open VPN) on the main server. Using this connection, the intruders were able to capture card data such as: account numbers, cardholder names, credit card expiration dates, and PIN numbers. The hackers were able to intercept the data as it was being transmitted from banks to the 1,774 retail stores where customers were making purchases. The company estimates tens of millions of credit card transactions were intercepted.

These consumers were put at risk of identity theft, and many were forced to incur credit monitoring costs.

To date, 11 individuals have been arrested in connection with the incidents. Three of the hackers are U.S. citizens, one is from Estonia, three are from Ukraine, two are from the People’s Republic of China and one is from Belarus.

Under the agreement, the company must:
• Implement and maintain an Information Security Program designed to protect the security, confidentiality and integrity of personal information within 120 days;
• Designate employees to coordinate and be accountable for the new Information Security Program;
• Conduct a thorough risk assessment of the program;
• Conduct regular testing and monitoring of the effectiveness of the program;
• Replace or upgrade all wired and wireless systems;
• Refrain from storing all personal data such as: account number, cardholder name, expiration date, and PIN on the magnetic strip on the back of credit cards;
• Install intruder detection systems and other devices to track and monitor unauthorized access; and
• Participate in pilot programs for testing new security-related payment card technology.

In addition, TJX will pay $5.5 million for data protection and consumer protection efforts; $2.5 million to a Data Security Fund to be used to advance enforcement efforts and policy development in the field of data security and protecting consumers’ personal information and $1.75 million in other costs and fees associated with the investigation.

California has 73 TJ Maxx stores, 103 Marshall’s stores, 7 A.J. Wright stores and 31 HomeGoods stores. California will receive $624,393 as part of the agreement.

States involved in today’s agreement are: Alabama, Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, Wisconsin, and the District of Columbia.

A copy of the settlement agreement is attached.

# # #
AttachmentSize
PDF icon tjxassurancesofcompliance852.95 KB