
Prat Moghe is the Founder & GM of Tizor, who has led Tizor from concept to leadership in the data auditing market. Tizor is now a subsidiary of Netezza (NYSE: NZ), a leader in data warehouse appliances.


Data Auditing Blog


How did the TJX data breach happen?


Very few people actually know how the TJX breach happened. Here is the sequence, based on attorney Joel Lisker's testimony in US District Court (Master Docket No. 07-10162-WGY). Joel Lisker is the Senior Vice Chairman of Dudinsky Lisker & Associates, LLC; previously he was SVP for Security and Risk Management at MasterCard International.

As the steps below show, the attack itself happened in two phases. In Phase 1, the attacker penetrated the network and found the target, in this case Track 2 data from past transactions that had been stored on the servers, and managed to extract that data out of the TJX network. In Phase 2, the attacker installed software on the servers themselves to capture Track 2 data from all transactions as they happened. This data was subsequently retrieved without setting off any alarms.

Actual Sequence
The figures below show a highly simplified picture of the TJX infrastructure and illustrate the attack in steps.

Phase 1: Breach initiation
(1) The initial breach of the TJX system likely happened as a result of deficiencies in the wireless network used by TJX. At the time of the attack, TJX used WEP encryption on its store wireless networks. WEP's weaknesses were already well known: its RC4 keystream repeats whenever the 24-bit IV repeats, and statistical attacks on captured traffic recover the shared key. The network also broadcast its SSID, the service set identifier (network name) assigned by the administrator, which is cited as part of the problem; note, though, that hiding an SSID is at most a minor obstacle to an attacker and no substitute for strong encryption.
(2) After breaching the TJX wireless system, the attacker was able to gain administrative privileges on the RTS servers located at TJX corporate headquarters in Framingham, MA. The RTS servers hold all cardholder data that is processed centrally for most TJX stores. How the attacker got from a store wireless network to administrative access on those servers is not described here.
(3) With administrative privileges on the RTS servers, the attacker was able to find historic Track 2 data that TJX had improperly stored on them. (Track 2 is the magnetic-stripe track that carries the full PAN, expiry date and service code; PCI DSS prohibits storing it after authorization, which is why its presence on the servers was improper.)
(4) The attacker then used FTP to copy this Track 2 data to another machine on the Internet over TJX's high-speed Internet connection.
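
As an added illustration of why WEP was already considered deficient at the time of the breach (example code written for this page, not taken from the testimony or from TJX's systems), the block below implements RC4 the way WEP uses it, with the 24-bit IV sent in the clear and prepended to the shared secret, and shows the simplest consequence: two frames encrypted under the same IV leak the XOR of their plaintexts, and one predictable frame (an ARP request is the classic case) gives the attacker the keystream for that IV and therefore every other frame using it. The key, IVs and frame contents are constructed for the demonstration; the CRC-32 ICV and the statistical key-recovery attacks that real tools run are left out.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: encryption and decryption are the same XOR."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """Simplified WEP frame body: 3-byte IV in the clear, then RC4(IV || secret, payload).
    Real WEP also appends a CRC-32 ICV to the payload; it adds no integrity and is omitted."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + secret, payload)


def plaintext_xor_from_iv_reuse(frame1: bytes, frame2: bytes):
    """Two frames with the same IV used the same keystream, so C1 xor C2 == P1 xor P2
    without any knowledge of the secret. Returns None if the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])


def decrypt_with_known_plaintext(known_frame: bytes, known_payload: bytes, target_frame: bytes):
    """Recover the keystream for an IV from a frame whose payload is predictable and use it
    to decrypt another frame sent under the same IV (up to the known plaintext's length)."""
    if known_frame[:3] != target_frame[:3]:
        return None
    keystream = xor_bytes(known_frame[3:], known_payload)
    return xor_bytes(target_frame[3:], keystream)


def expected_frames_until_iv_repeat() -> float:
    """Birthday bound for randomly chosen 24-bit IVs: roughly sqrt(pi/2 * 2**24) frames."""
    return math.sqrt(math.pi / 2 * 2 ** 24)


# Constructed demonstration values (assumed for the example; not TJX's key or traffic).
SECRET = bytes.fromhex("0102030405")            # a 40-bit WEP key
IV = bytes.fromhex("00000a")
KNOWN_PAYLOAD = (
    b"\xaa\xaa\x03\x00\x00\x00\x08\x06"         # LLC/SNAP header, EtherType ARP
    + b"\x00\x01\x08\x00\x06\x04\x00\x01"       # ARP: Ethernet/IPv4, request
    + b"\x00\x11\x22\x33\x44\x55" + b"\x0a\x00\x00\x05"   # sender MAC / IP
    + b"\x00\x00\x00\x00\x00\x00" + b"\x0a\x00\x00\x01"   # target MAC / IP
)
TARGET_PAYLOAD = b"POS frame the attacker wants"


def demo() -> dict:
    known_frame = wep_encrypt(SECRET, IV, KNOWN_PAYLOAD)
    target_frame = wep_encrypt(SECRET, IV, TARGET_PAYLOAD)   # same IV: keystream reused
    return {
        "plaintext_xor_leaked": plaintext_xor_from_iv_reuse(known_frame, target_frame)
        == xor_bytes(KNOWN_PAYLOAD, TARGET_PAYLOAD),
        "target_recovered": decrypt_with_known_plaintext(known_frame, KNOWN_PAYLOAD, target_frame),
        "frames_until_iv_repeat": round(expected_frames_until_iv_repeat()),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the last function is scale: with only 2^24 IVs, a busy access point reuses keystream within a few thousand frames even if it picks IVs at random, and many WEP implementations of the era simply counted up from zero, so an attacker sitting in a store parking lot did not have to wait long.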

Phase 2: Breach escalation
(5) Up to this point, the attacker could only get at historical stored Track 2 data. Now it gets audacious: to get at new data, the attacker installed custom-written traffic capture software on the servers themselves!
(6) The attacker used this software to record live TJX transaction data. The tool was configured to extract the payment card track data from the transactions and write it to its log file, unpretentiously named just "log".
(7) Using this tool, the attacker captured and extracted Track 2 data from payment card transactions between May 2006 and December 2006.
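
Both the improperly stored historic data in step (3) and the capture tool's "log" file in step (6) share one property: they contain Track 2 records, which have a rigid, recognizable format. As an added example written for this page (not code from the original post, the testimony, or any product), the block below scans text for ISO/IEC 7813 Track 2 records and validates each PAN with the Luhn check to suppress false positives, which is the kind of detection a leakage or file-monitoring control would run against server files and logs. The log lines are constructed and their format is assumed; the PANs are the publicly known Visa and MasterCard test numbers, not real cards.

```python
import re

# ISO/IEC 7813 Track 2: ';' start sentinel, PAN (up to 19 digits), '=' separator,
# expiry YYMM, 3-digit service code, discretionary data, '?' end sentinel, then an LRC.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check digit test; rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits for reporting, never the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> list:
    """Return every Luhn-valid Track 2 record in `text`, with the PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue                      # track-shaped, but the PAN is not valid
        hits.append({
            "pan_masked": mask_pan(pan),
            "expiry_yymm": m.group("exp"),
            "service_code": m.group("svc"),
            "offset": m.start(),
        })
    return hits


def scan_lines(lines) -> list:
    """Scan a sequence of text lines (a file, a log, a packet dump rendered as text)."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for hit in find_track2(line):
            hit["line"] = lineno
            findings.append(hit)
    return findings


# Constructed sample "log" in the spirit of a capture tool's output (assumed format).
# PANs are the public Visa and MasterCard test numbers, not real cards.
SAMPLE_LOG = [
    "2006-11-03 14:22:07 term=0042 auth ok batch=8812",
    "2006-11-03 14:22:07 term=0042 raw=;4111111111111111=0812101123456789?3",
    "2006-11-03 14:22:09 term=0017 raw=;5555555555554444=0911101987654321?7",
    "2006-11-03 14:22:11 term=0017 raw=;4111111111111112=0812101000000000?0",  # fails Luhn
    "2006-11-03 14:22:12 term=0042 settlement complete",
]


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG):
        print(finding)
```

Run against a directory of server files or a log stream, any hit at all is the alarm: after authorization there is no legitimate reason for full track data to exist on a server, so the scanner does not need to reason about who wrote the file or why.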

The net impact of this attack?
An estimated 100 million unique account numbers were likely affected by the breach; a single attack alone compromised 42 million payment cards (12 million MasterCard and over 25 million Visa cards).

In a subsequent post, I will outline security technologies that could have caught the TJX breach in action.

Comments

Any word on how they gained access to the RTS servers? Just because they got on the network doesn't mean they necessarily had access to log into anything on the network.
Posted @ Saturday, May 10, 2008 11:36 PM by CG
A few questions.
1) How did the attackers gain admin privileges in #3? This seems like a huge breakdown, as bad as using WEP encryption, and begs clarification.
2) How were TJX stores connected back to the datacenter? Just an open VPN connection with no traffic limitations? For example, just allowing ports for transactions to the RTS servers could have greatly limited the exposure. I'm just curious if that really was wide open and trusted.
3) In #1, I'm not sure I would say that broadcasting the SSID was really part of the problem. Someone skilled enough to supposedly custom write a sniffer and go to this length would defeat a hidden SSID in moments. It might have reduced their risk a little bit, but SSID broadcasting doesn't impact the security of the wireless network.
Posted @ Monday, May 12, 2008 9:38 AM by LonerVamp
I heard this had nothing at all to do with wireless, it was done via a compromised store kiosk used for job applications. 
 
Is this blog post based on known data, or is it just your speculation on a possible attack vector? 
 
It would be really great to see more follow-up and detail to this. Would it be possible for you to outline the attack a few levels deeper?
Posted @ Wednesday, July 09, 2008 8:07 AM by jones
Several readers have wondered why I haven't posted the follow-up to this post. I apologize - it's mostly been for lack of time. In a nutshell, I see 3 technologies as applicable to the TJX problem.  
1. Host IPS - to catch malware on servers 
2. DAM - to track privileged users, and to detect leakage from database servers 
3. DLP - to track leakage, if unencrypted online channels were used for retrieval. 
 
One of these days, I will get around to posting this more formally. Thanks.  
 
-Prat
Posted @ Wednesday, October 29, 2008 5:06 PM by Prat Moghe
Prat: This is a uniquely valuable post on the TJX incident. Thank you for compiling it. . . . My view on TJX: Careful reading of the indictments of the TJX data thieves show that the media, card issuers and Federal Trade Commission over-reacted to the incident. Economically speaking, the TJX break-in was not as bad as we were led to believe. What do you think? --Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html
Posted @ Wednesday, November 26, 2008 11:07 AM by Benjamin Wright