Here is an overview of the TJ Maxx security incident, CliffsNotes style.
The Actors
TJX companies
- T.J. Maxx, Home Goods, Marshalls
- The largest apparel and home fashions department store in the United States
- Owns chains in USA, Canada, UK, Ireland, Germany, and Poland
Headquartered in Framingham, MA
- Founded in 1956
Hannaford Brothers
- Supermarket chain in the United States
- Headquartered in Scarborough, Maine
- Subsidiary of Belgian Delhaize Group
- Founded in 1883
Albert Gonzalez
- Role: ringleader (Segvec)
- Born 1981
- Parents migrated from Cuba in 1970s
- High School graduate — South Miami High School, Florida
- Member of a black hat hacker group — Shadowcrew
Jonathan James
- Role: hacker accomplice (c0mrade)
- Born in 1983
- Father is a computer programmer
- High school graduate — Miami Palmetto High School, Florida
- Prior conviction for computer crime — in 2000 for breaking into the
- Defense Threat Reduction Agency
Damon Patrick Toey
- Role: hacker accomplice
- Born in 1985
- Born in Virginia, moved to Florida
Aleksandr Suvorov
- Role: programmer (Jonny Hell)
- From Sillamae, Estonia
Maksym Yastremskiy
- Role: the fence
- Born in 1984
- A Ukrainian vacationing in Turkey
The Timeline
July, 2005
- Gonzales and his crew identify a weakness in TJX
- Sensitive internal WiFi lan is running WEP
- Gonzales, et al, compromise the networks
- Install backdoors
- Begin probing for sensitive data
August, 2005
- TJX databases are compromised
- Point of sales
- Credit processing transaction
- Gonzales, et al, have access to:
- credit card, debit card, check, and merchandise return transactions
- Maksym Yastremskiy begins trading stolen credit cards from TJX and Hartford
September, 2005
- TJX upgrades its WiFi for security
- TJX begins monitoring for suspicious activities
- Gonzales, et al, continue collecting and selling credit cards utilizing the backdoors previously installed
December, 2006
- TJX detects the intrusion
- TJX reports the incident to law enforcement
- Gonzales, et al, continue collecting cards
January, 2007
- TJX makes a public announcement on the attack
- TJX notifies people who may have been affected
- TJX engages third parties to overhaul its system security
- Deloitte, General Dynamics, IBM
March, 2007
“By the end of March 2007, the number of affected customers had reached 45.7 million […] In addition to credit card numbers, personal information such as social security numbers and driver’s license numbers from 451,000 customers were downloaded by the intruders.”
2007-2008
- Investigators identify 14 people involved
- Investigators identify more targets
- Barnes and Noble
- Dave and Busters
- Heartland Payment Systems
- OfficeMax
- Et cetera …
May, 2008
- Jonathan James’ house is raided and his equipment is seized
- James takes his life on May 18
September, 2008
- Damon Patrick Toey pleads guilty and prosecutors agree to a plea deal
- 11 (incl. Gonzales, Toey) arrested
- USA contacts Estonia about Aleksandr Suvorov
August, 2009
- Gonzales is indicated for the crime
- Yastremskiy is arrested in Turkey, and USA seeks extradition