Stuck in Traffic – DevOps Velocity, take-aways from #HPEProtecf

Archive for September, 2016

TJ Maxx security incident timeline

Here is an overview of the TJ Maxx security incident, CliffsNotes style.

 

The Actors

TJX companies

  • T.J. Maxx, Home Goods, Marshalls
  • The largest apparel and home fashions department store in the United States
  • Owns chains in USA, Canada, UK, Ireland, Germany, and Poland
  • Headquartered in Framingham, MA
  • Founded in 1956

Hannaford Brothers

  • Supermarket chain in the United States
  • Headquartered in Scarborough, Maine
  • Subsidiary of Belgian Delhaize Group
  • Founded in 1883

Albert Gonzalez

  • Role: ringleader (Segvec)
  • Born 1981
  • Parents migrated from Cuba in the 1970s
  • High school graduate — South Miami High School, Florida
  • Member of a black hat hacker group — Shadowcrew

Jonathan James

  • Role: hacker accomplice (c0mrade)
  • Born in 1983
  • Father is a computer programmer
  • High school graduate — Miami Palmetto High School, Florida
  • Prior conviction for computer crime — in 2000 for breaking into the Defense Threat Reduction Agency

Damon Patrick Toey

  • Role: hacker accomplice
  • Born in 1985
  • Born in Virginia, moved to Florida

Aleksandr Suvorov

  • Role: programmer (Jonny Hell)
  • From Sillamae, Estonia

Maksym Yastremskiy

  • Role: the fence
  • Born in 1984
  • A Ukrainian vacationing in Turkey

The Timeline

July, 2005

  • Gonzalez and his crew identify a weakness in TJX
  • Sensitive internal WiFi LAN is running WEP
  • Gonzalez, et al., compromise the networks
    • Install backdoors
    • Begin probing for sensitive data

August, 2005

  • TJX databases are compromised
    • Point of sale
    • Credit processing transactions
  • Gonzalez, et al., have access to:
    • credit card, debit card, check, and merchandise return transactions
  • Maksym Yastremskiy begins trading stolen credit cards from TJX and Hartford

September, 2005

  • TJX upgrades its WiFi for security
    • Removes WEP, adds WPA
  • TJX begins monitoring for suspicious activities
  • Gonzalez, et al., continue collecting and selling credit cards using the backdoors previously installed

December, 2006

  • TJX detects the intrusion
  • TJX reports the incident to law enforcement
  • Gonzalez, et al., continue collecting cards

January, 2007

  • TJX makes a public announcement on the attack
  • TJX notifies people who may have been affected
  • TJX engages third parties to overhaul its system security
    • Deloitte, General Dynamics, IBM

March, 2007

“By the end of March 2007, the number of affected customers had reached 45.7 million […] In addition to credit card numbers, personal information such as social security numbers and driver’s license numbers from 451,000 customers were downloaded by the intruders.”

2007-2008

  • Investigators identify 14 people involved
  • Investigators identify more targets
    • Barnes and Noble
    • Dave and Busters
    • Heartland Payment Systems
    • OfficeMax
    • Et cetera …

May, 2008

  • Jonathan James’ house is raided and his equipment is seized
  • James takes his life on May 18

September, 2008

  • Damon Patrick Toey pleads guilty and prosecutors agree to a plea deal
  • 11 (incl. Gonzalez, Toey) arrested
  • USA contacts Estonia about Aleksandr Suvorov

August, 2009

  • Gonzalez is indicted for the crime
  • Yastremskiy is arrested in Turkey, and USA seeks extradition