TJ Maxx security incident timeline

Archive for the ‘General’ Category

TJ Maxx security incident timeline

Posted by

Here is an overview of the TJ Maxx security incident, CliffsNotes style.


The Actors

TJX companies

  • T.J. Maxx, Home Goods, Marshalls
  • The largest apparel and home fashions department store in the United States
  • Owns chains in USA, Canada, UK, Ireland, Germany, and Poland
    Headquartered in Framingham, MA
  • Founded in 1956

Hannaford Brothers

  • Supermarket chain in the United States
  • Headquartered in Scarborough, Maine
  • Subsidiary of Belgian Delhaize Group
  • Founded in 1883

Albert Gonzalez

  • Role: ringleader (Segvec)
  • Born 1981
  • Parents migrated from Cuba in 1970s
  • High School graduate — South Miami High School, Florida
  • Member of a black hat hacker group — Shadowcrew

Jonathan James

  • Role: hacker accomplice (c0mrade)
  • Born in 1983
  • Father is a computer programmer
  • High school graduate — Miami Palmetto High School, Florida
  • Prior conviction for computer crime — in 2000 for breaking into the
  • Defense Threat Reduction Agency

Damon Patrick Toey

  • Role: hacker accomplice
  • Born in 1985
  • Born in Virginia, moved to Florida

Aleksandr Suvorov

  • Role: programmer (Jonny Hell)
  • From Sillamae, Estonia

Maksym Yastremskiy

  • Role: the fence
  • Born in 1984
  • A Ukrainian vacationing in Turkey

The Timeline

July, 2005

  • Gonzales and his crew identify a weakness in TJX
  • Sensitive internal WiFi lan is running WEP
  • Gonzales, et al, compromise the networks
    • Install backdoors
    • Begin probing for sensitive data

August, 2005

  • TJX databases are compromised
    • Point of sales
    • Credit processing transaction
  • Gonzales, et al, have access to:
    • credit card, debit card, check, and merchandise return transactions
  • Maksym Yastremskiy begins trading stolen credit cards from TJX and Hartford

September, 2005

  • TJX upgrades its WiFi for security
    • Removes WEP, adds WPA
  • TJX begins monitoring for suspicious activities
  • Gonzales, et al, continue collecting and selling credit cards utilizing the backdoors previously installed

December, 2006

  • TJX detects the intrusion
  • TJX reports the incident to law enforcement
  • Gonzales, et al, continue collecting cards

January, 2007

  • TJX makes a public announcement on the attack
  • TJX notifies people who may have been affected
  • TJX engages third parties to overhaul its system security
    • Deloitte, General Dynamics, IBM

March, 2007
“By the end of March 2007, the number of affected customers had reached 45.7 million […] In addition to credit card numbers, personal information such as social security numbers and driver’s license numbers from 451,000 customers were downloaded by the intruders.”


  • Investigators identify 14 people involved
  • Investigators identify more targets
    • Barnes and Noble
    • Dave and Busters
    • Heartland Payment Systems
    • OfficeMax
    • Et cetera …

May, 2008

  • Jonathan James’ house is raided and his equipment is seized
  • James takes his life on May 18

September, 2008

  • Damon Patrick Toey pleads guilty and prosecutors agree to a plea deal
  • 11 (incl. Gonzales, Toey) arrested
  • USA contacts Estonia about Aleksandr Suvorov

August, 2009

  • Gonzales is indicated for the crime
  • Yastremskiy is arrested in Turkey, and USA seeks extradition

Promoting the Development of a Security Professional

Posted by

Posted on TripWire: Security for Life: Promoting the Development of a Security Professional

This week marks the fifth and final week of National Cyber Security Awareness Month (NCSAM) 2015. The theme of Week 5 of NCSAM is “Building the Next Generation of Cyber Professionals.”

We cannot tackle security alone. We need to focus on building a generation of dedicated, well-educated security professionals to help defend against the online threats of tomorrow.

With this in mind, here are some recommendations on how we, as a society, can encourage young people to become interested in information security. We also provide tips on how budding security professionals can make the most out of their new careers.


Once a security professional has found their niche in infosec, they can then begin to leverage their unique skills to make connections and deepen their careers.

“Throughout my career, those who I have seen go the furthest the fastest make mentors and friends in the community,” states J Wolfgang Goerlich, Strategist at CBI and head of the CBI Academy.

“They don’t just attend conferences; they present and volunteer. They find open source projects to collaborate on. In these and many other ways, people develop their skills by contributing daily, weekly, and monthly,” adds Goerlich.

Like any career, information security requires ongoing effort and dedication. Those practitioners who internalize that fact are sure to succeed, one way or another.

Read the full article at

Friday Books and Talks 10-25-2013

Posted by

Here are some of the books and talks that I enjoyed this week, in no particular order.


Strategic Renaissance: New Thinking and Innovative Tools to Create Great Corporate Strategies
by Evan M. Dudik

“In this insightful primer on corporate strategy development, Dudik shows why the traditional strategic goal of sustainable competitive advantage is being replaced with a new goal: opportunity creation and exploitation. Dudik also explores the business application of a classic military strategy: the hammer and the pivot.”


Engaged! Outbehave Your Competition to Create Customers for Life
by Gregg Lederman

“Customers love it when employees are ENGAGED to deliver an experience. However, it doesn’t come easy for most companies. The level to which your workforce is ENGAGED also has a significant impact every day on employees’ happiness and productivity, the customer experience, and your company’s profitability. Your company can be one that customers love to do business with … one that turns customers into loyal followers who buy more and more often. The journey through ENGAGED!, will teach you what leading companies do to create customer love.”


TED: Psychedelic science
By Fabian Oefner

“Swiss artist and photographer Fabian Oefner is on a mission to make eye-catching art from everyday science. In this charming talk, he shows off some recent psychedelic images, including photographs of crystals as they interact with soundwaves. And, in a live demo, he shows what really happens when you mix paint with magnetic liquid–or when you set fire to whiskey.”

I enjoy the transfer of one sense to another, from sound to motion, motion to light, light to visuals, and so on. Oefner is a great example of capturing scientific moments and creating artwork from these moments.

InfoSec Institute: IT Thought Leader Interview

Posted by

J. Wolfgang Goerlich is an influential leader and IT management executive with the ability to act as a cultural change agent, driving security initiatives and raising security postures. He currently works as a Cyber Security Strategist for Creative Breakthrough Inc (CBI) and has been in the industry for over 20 years. Areas of expertise include managing culture, ITGRC, security community and mentorship, application security and team leadership.

1. Early this year, you took the position of cyber security strategist at CBI. What exactly does this position entail?

As a security strategist at CBI, my role is connecting people and ideas to develop strategies for improving cyber security. I work with the senior leadership at CBI’s customers to understand their business strategy and collaborate on plans for aligning and maturing their security activities. Within CBI, I provide technical leadership and expertise toward our service lines and vendor partnerships. On select engagements, I work directly with the consulting team to deliver impactful results to our customers.

Another aspect of my position, which I find rewarding, is leading the CBI Academy. I have been mentoring and coaching professionals in my local community for years, so leading the Academy was a natural fit. We often hear CISOs talk about the lack of security talent for staffing their teams. At the same time, we often hear students talk of the difficulty in identifying and gaining the in-demand skills. With CBI Academy, we bridge the gap with an apprenticeship program that accelerates the careers of recent university graduates.

Read the rest at:

Friday Books and Talks 05/08/2015

Posted by

The Spider’s Strategy
by Amit Mukherjee

To thrive in a world where networks of companies increasingly compete with other networks, managers can no longer focus solely on excellence in planning and execution. In The Spider’s Strategy, top business consultant Amit S. Mukherjee provides the tools you need to sense and respond to unexpected events. He shows how and why managers in your company must apply his four powerful “Design Principles” today.



The Well-Timed Strategy
by Peter Navarro

It’s not enough to understand the business cycle and the industry cycle. In The Well-Timed Strategy, Peter Navarro discusses today’s unprecedented level of macroeconomic turbulence – from oil price hikes to drought and disease. Whether an executive, a strategist or an investor, Navarro provides the tools to align every facet of business strategy, tactics and operations to reflect changing business conditions. Keeping in mind finance, supply chains, production, marketing, HR and more, the author outlines ways to profit from the chaos of business cycle volatility by implementing the appropriate strategy.

Friday Books and Talks 04/24

Posted by

Best Practices Are Stupid
by Stephen M. Shapiro

What if almost everything you know about creating a culture of innovation is wrong? What if the way you are measuring innovation is choking it? What if your market research is asking all of the wrong questions? It’s time to innovate the way you innovate.

Hire people you don’t like. Bring in the right mix of people to unleash your team’s full potential. Asking for ideas is a bad idea. Define challenges more clearly. If you ask better questions, you will get better answers. Don’t think outside the box; find a better box. Instead of giving your employees a blank slate, provide them with well-defined parameters that will increase their creative output. Failure is always an option. Looking at innovation as a series of experiments allows you to redefine failure and learn from your results.

Nonstop innovation is attainable and vital to building a high-performing team, improving the bottom line, and staying ahead of the pack.



Flash Foresight: How to See the Invisible and Do the Impossible
by Daniel Burrus, John David Mann

Flash Foresight offers seven radical principles you need to transform your business today. From internationally renowned technology forecaster Daniel Burrus—a leading consultant to Google, Proctor & Gamble, IBM, and many other Fortune 500 firms—with John David Mann, co-author of the Wall Street Journal bestseller The Go-Giver, comes this systematic, easy-to-implement method for identifying new business opportunities and solving difficult problems in the twenty-first century marketplace.



How I use sonar to navigate the world
By Daniel Kish

Daniel Kish has been blind since he was 13 months old, but has learned to “see” using a form of echolocation. He clicks his tongue and sends out flashes of sound that bounce off surfaces in the environment and return to him, helping him to construct an understanding of the space around him. In a rousing talk, Kish demonstrates how this works and asks us to let go of our fear of the “dark unknown.”

Friday Books and Talks 04/17/2014

Posted by

Give and Take: Why Helping Others Drives Our Success
by Adam M. Grant

For generations, we have focused on the individual drivers of success: passion, hard work, talent, and luck. But today, success is increasingly dependent on how we interact with others. It turns out that at work, most people operate as either takers, matchers, or givers. Whereas takers strive to get as much as possible from others and matchers aim to trade evenly, givers are the rare breed of people who contribute to others without expecting anything in return.

Using his own pioneering research as Wharton’s youngest tenured professor, Adam Grant shows that these styles have a surprising impact on success. Although some givers get exploited and burn out, the rest achieve extraordinary results across a wide range of industries. Give and Take highlights what effective networking, collaboration, influence, negotiation, and leadership skills have in common. This landmark book opens up an approach to success that has the power to transform not just individuals and groups, but entire organizations and communities.



Anticipate: The Art of Leading by Looking Ahead
by Rob-Jan de Jong

Business schools, leadership gurus, and strategy guides agree – leaders must have a vision. But the sad truth is that most don’t…or at least not one that compels, inspires, and energizes their people. How can something so essential be practiced so little in real life? Vision may sound like a rare quality, unattainable by all except a select few – but nothing could be further from the truth. Anyone can expand their visionary capacity. You just need to learn how. In Anticipate, strategy and leadership expert Rob-Jan de Jong explains that to develop vision you must sharpen two key skills. The first is the ability to see things early – spotting the first hints of change on the horizon. The second is the power to connect the dots – turning those clues into a gripping story about the future of your organization and industry. Packed with stories and practices, Anticipate provides proven techniques for looking ahead and exploring many plausible futures – including the author’s trademarked Future Priming process, which helps distinguish signal from noise. You will discover how to: tap into your imagination and open yourself to the unconventional; become better at seeing things early; frame the big-picture view that provides direction for the future; communicate your vision in a way that engages others and provokes action. When you anticipate change before your competitors, you create enormous strategic advantage. That’s what visionaries do…and now so can you.

Comfortable professionalism

Posted by

“I will show you some absolutely terrifying things, as we progress through today and tomorrow, and I will show you things you guys can do to make people very, very, very uncomfortable where you work.”

Every time I turn on my car, John Strand’s voice says the above quote. The clip is audio from a SANS course that my car has stuck on repeat. I have heard it thousands of times now.

“Make people very, very, very uncomfortable” came to mind when watching Chris Roberts (@Sidragon1) tweet about plane hacking Wednesday night and into Thursday morning. He tweeted about messing with a plane’s oxygen … while on a plane … on the day the FBI released a report on plane security hacks.

People were indeed very uncomfortable. And the story did not end comfortably for Chris, that day.

I appreciate John’s work and the SANS courses. I enjoy Chris’s work and his One World Lab research. Both are fine people, with intelligent ideas, and enjoyable presentations. But let’s put hacking aside for the moment.

I wonder if car mechanics get training on how to make drivers feel very uncomfortable. I wonder if medical students have conferences celebrating making patients feel uncomfortable. I wonder the same about virtually any professional services. Perhaps I am a fortunate exception, however, every service I use is staffed with folks who do the exact opposite.

The folks I hire go out of their way to put me at ease, answer any questions, share knowledge without pretense. It is what professionals do. It fosters trust. It is the mark of customer service. It defines their role as trusted advisor for my health, my car, my home, my family.

Returning to hacking and information security, there is no need to make folks uncomfortable. The terrifying things in IT are well publicized. We know. Things are broken. Criminals are misusing technology. We have a lot of work to do. Everyone gets it.

Let’s make the people we work with comfortable. Let’s look at absolutely practical things. Why? Because that is what professionals do. Let’s get some work done.

Friday Books and Talks 04/10/2014

Posted by

Working with Emotional Intelligence
by Daniel Goleman

Do you have what it takes to succeed in your career?

The secret of success is not what they taught you in school. What matters most is not IQ, not a business school degree, not even technical know-how or years of expertise. The single most important factor in job performance and advancement is emotional intelligence. Emotional intelligence is actually a set of skills that anyone can acquire, and in this practical guide, Daniel Goleman identifies them, explains their importance, and shows how they can be fostered.

For leaders, emotional intelligence is almost 90 percent of what sets stars apart from the mediocre. As Goleman documents, it’s the essential ingredient for reaching and staying at the top in any field, even in high-tech careers. And organizations that learn to operate in emotionally intelligent ways are the companies that will remain vital and dynamic in the competitive marketplace of today—and the future.

Comprehensively researched, crisply written, and packed with fascinating case histories of triumphs, disasters, and dramatic turnarounds, Working with Emotional Intelligence may be the most important business book you’ll ever read.

Drawing on unparalleled access to business leaders around the world and studies in more than 500 organizations, Goleman documents an astonishing fact: in determining star performance in every field, emotional intelligence matters twice as much as IQ or technical expertise.

Readers also discover how emotional competence can be learned. Goleman analyzes five key sets of skills and vividly shows how they determine who is hired and who is fired in the top corporations in the world. He also provides guidelines for training in the “emotionally intelligent organization,” in chapters that no one, from manager to CEO, should miss.

Working with Emotional Intelligence could prove to be the most important reference for bottom-line business people in the first decades of the 21st century.


Power Listening: Mastering the Most Critical Business Skill of All
by Bernard T. Ferrari

Listening is harder than it looks- but it’s the difference between business success and failure.

Nothing causes bad decisions in organizations as often as poor listening. But Bernard Ferrari, adviser to some of the nation’s most influential executives, believes that such missteps can be avoided and that the skills and habits of good listening can be developed and mastered. He offers a step-by-step process that will help readers become active listeners, able to shape and focus any conversation.

Ferrari reveals how to turn a tin ear into a platinum ear. His practical insights include:

  • Good listening is hard work, not a passive activity
  • Good listening means asking questions, challenging all assumptions, and understanding the context of every interaction
  • Good listening results in a new clarity of focus, greater efficiency, and an increased likelihood of making better decisions
  • Good listening can be the difference between a long career and a short one