Example Case - T.J. Maxx: Albert Gonzalez, at the Time of His Indictment in August 2009

EXAMPLE CASE – T.J. MAXX
Corporate interest in information security was dramatically raised in 2007 following the
revelations of embarrassing information security breaches at several well-known companies.
Hackers had complete access to credit-card databases at many of the leading retailers in the
country including T.J. Maxx, Barnes and Noble, and Office Max (Figure 2.5).

FIGURE 2.5 Albert Gonzalez, at the time of his indictment in August 2009


Hackers know that it is safe to be outside the target country to avoid prosecution. It was
therefore initially believed that the attacks were caused by hackers outside the country. However,
investigations revealed that the attacks were mostly from domestic sources and led to the
prosecution of 11 men in 5 countries, including the United States. Most interestingly, the
ringleader turned out to have been an informer for the US Secret Service.
Outcome
On August 5, 2008, the US government charged 11 individuals with wire fraud, damage to
computer systems, conspiracy, criminal forfeiture, and other related charges for stealing credit
card information from prominent retailers such as T.J. Maxx, BJ’s Wholesale Club, Office Max,
and Barnes and Noble. In August 2009, many members of the same gang were again charged
with compromising Heartland Payment Systems, a credit-card processing company, and stealing
approximately 130 million credit-card numbers. With approximately 100 million families in the
United States, this translates to almost 1 credit card stolen from every American family. 5
members of the gang were indicted on July 25, 2013. 23, 24
Background
The gang involved in all these incidents had been in operation since 2003. Between 2003
and 2007, the gang used simple methods to exploit weaknesses in wireless security at retail
stores. At T.J. Maxx, they had found that many stores did not
use any security measures in their store wireless networks. As a result, obtaining employee user
names and passwords was as simple as waiting outside the stores in the morning with laptops and
listening to the network traffic as employees and managers logged into their accounts. Worse,
these user accounts had access to the corporate IT systems at T.J. Maxx, including those that
stored credit card information. Using this information, the hackers had a free run of the
company’s credit-card information. For almost a year, the gang members extracted the data,
stored it on the company’s own servers, and retrieved it at their own convenience. Their goal was
to use this information to sell fake credit cards at pennies on the dollar. This was the method
used by the gang in the attacks that formed the basis of the 2008 indictment. Beginning in
August 2007, the gang refined its skill set and began to use SQL injection attacks to place
malware on web applications and gain access to corporate databases. The gang used this
method in the attacks for which it was indicted in 2009.
The ringleader and his activities
Albert Gonzalez, the ringleader of the gang, was a resident of Miami, Florida. Beginning
around 2003, he is believed to have driven around Miami, using his laptop computer to locate
insecure wireless access points at retail stores. Stores typically use these networks to transfer
credit-card information from cash registers to store servers. When an open network was located,
the gang would use a custom-written “sniffer” program to collect credit-card account numbers
(one of the most popular sniffers is Wireshark, an easy-to-use program that is available for free
use 25). Fake cards using these numbers were then sold in the gray market. The biggest victim
was T.J. Maxx, which lost information on over 40 million credit cards. Later, when the gang
graduated to SQL injection attacks, it would visit stores to identify the transaction processing
systems these companies used. The gang used this information to determine suitable attack
strategies to target the specific systems used by these companies. The gang also studied the
companies’ websites to identify their web applications and to develop appropriate attack
strategies for these websites. The ringleader, Albert Gonzalez, earned over $1 million in profits
by selling this card information. Apparently, at one time, his counting machine broke and he had
to manually count $340,000 in $20 bills. In August 2009, Albert Gonzalez agreed to plead guilty
to charges in the T.J. Maxx case, which had been filed in 2008. Gonzalez became an informant
for the Secret Service in 2003 after being arrested for various crimes. As an informant for the
Secret Service, in October 2004, he helped the Secret Service indict 28 members of a website,
Shadowcrew.com. Shadowcrew stole credit-card information and sold it for profit. While in
operation, Shadowcrew members stole tens of thousands of credit-card numbers. After the
Shadowcrew operation was completed, however, Albert began his own exploits.
Impact
The direct damage from the attacks in terms of fraudulent charges on customer credit cards was
limited. In March 2007, one gang in Florida was caught using cards stolen from T.J. Maxx (TJX)
to buy approximately $8 million in goods at various Wal-Marts and Sam’s Club stores in
Florida. However, the collateral damage from the incident has been colossal. TJX Companies,
Inc. (TJX) (T.J. Maxx Stores is one of the companies owned by the group, Marshalls is another)
settled with Visa for $40 million in November 2007 and with MasterCard in April 2008 for $24
million. The impact was nationwide. Tens of millions of customers had to be reissued credit
cards. Customers who had set up automated payments on the stolen cards received collection
notices from service providers when charges did not go through because the cards had been
canceled and new ones had been issued in their place.
Surprisingly, sales at T.J. Maxx do not seem to have been significantly affected by the
intrusion (Figure 2.6). Fraudulent expenses were refunded to customers by the
credit-card companies through the automatic protection programs offered by credit cards.
Customers do not seem to mind their card information being stolen so long as they are not held liable
for fraudulent transactions.
Significance
The T.J. Maxx case is significant for the study of information security and its relationship with
other professions because the case has been extensively documented in the press.
In addition, details are also available from the indictments made in the case. These readings
provide a rich account of the actors involved in information security, their motivations, and the
legal processes that follow major information security incidents.
REFERENCES
Pereira, J. “How credit-card data went out wireless door,” Wall Street Journal, May 4, 2007.
Pereira, J., Levitz, J. and Singer-Vine, J. “U.S. indicts 11 in global credit-card scheme,” Wall
Street Journal, August 6, 2008: A1.
United States of America vs. Albert Gonzalez, Criminal indictment in US District Court,
Massachusetts, August 5, 2008 (the T.J. Maxx case).
United States of America vs. Albert Gonzalez, Criminal indictment in US District Court, New
Jersey, August 17, 2009 (the Heartland case).
Zetter, K. “TJX Hacker was awash in cash; his penniless coder faces prison,” Wired, June 18,
2009.
Gorman, S. “Arrest in Epic Cyber Swindle,” Wall Street Journal, August 18, 2009.
Gorman, S. “Hacker sentenced to 20 years in massive data theft,” Wall Street Journal, 2010:
A1.
“Albert Gonzalez,” Wikipedia, http://en.wikipedia.org/wiki/Albert_Gonzalez.
T.J. Maxx, 10-K reports, 2006–2010.
T.J. Maxx, 8-K filing, January 18, 2007; April 2, 2008; November 30, 2007.

EXAMPLE CASE QUESTIONS


• Who were the victims of the attacks?
• What technologies and tools were used in the attack?
• If you were responsible for system administration at T.J. Maxx, what are the
things you would have done to prevent the occurrence of the incidents
reported in the case?
