TJX Companies: 94 Million Cards Stolen Over 18 Months
Attackers parked in TJX store car parks with a laptop and antenna, cracked the retailer's weak WEP Wi-Fi encryption, and silently siphoned payment card data for over a year.
Background
TJX Companies — parent of TJ Maxx, Marshalls, and HomeGoods — relied on outdated WEP (Wired Equivalent Privacy) Wi-Fi encryption in its stores. WEP had been cryptographically broken since 2001, yet TJX had not upgraded to WPA. The company also stored unencrypted card data far longer than PCI DSS allowed.
The Attack
A group led by convicted fraudster Albert Gonzalez drove to TJX store parking lots and used a laptop with a directional antenna to capture Wi-Fi traffic. They cracked the WEP keys in minutes, gained access to the store network, pivoted to corporate systems in Framingham, Massachusetts, and installed a packet sniffer that silently captured card authorisation traffic. The attack went undetected from July 2005 to December 2006.
Response
TJX discovered anomalous activity in December 2006. Forensic investigation by IBM and General Dynamics took months. Visa and MasterCard initiated card reissuance programmes. TJX notified customers in January 2007. The company ultimately paid $256 million in settlements and remediation costs.
Outcome
94 million credit and debit card numbers were exposed — the largest retail breach to that date. The incident directly catalysed tougher enforcement of PCI DSS standards and accelerated the retail industry's adoption of end-to-end encryption and chip-and-PIN.
Key Takeaways
- WEP encryption is cryptographically broken — always use WPA2 or WPA3
- Do not store payment card data beyond what is operationally necessary
- Network segmentation between store POS and corporate systems limits blast radius; at TJX a foothold on a store network was enough to reach corporate systems in Framingham
- Physical proximity attacks (wardriving) bypass logical perimeter controls: a radio link from the car park places the attacker inside the network, behind the firewall