A Simple Scheme to Rob 45,700,000 People

Three years ago a group of computer geeks slipped into the servers at Framingham-based TJX — the parent company of T. J. Maxx — and orchestrated the world’s biggest identity heist. Now, as the hackers head to prison and the secrets of their scam are revealed, one question remains: Are you any safer?

ROBERT MANN HAD A RATHER unusual lunchtime ritual, at least compared with the other mechanics at Rietzl Audi Porsche in Norwell: The 48-year-old would drive over to the local T. J. Maxx.

Though most people don’t think of the discount chain as a place to shop for food, Mann savored the snacks and condiments he found there. “They had good food and a lot of unusual sauces,” he says, and, best of all, “it was cheap.” He’d swipe his debit card through the machine at the register, and head back to work with a bag of his favorite Italian cookies.

Then Mann’s trips to the Maxx came to an abrupt end. It happened one afternoon in January 2007, when a cashier declined his debit card. Mann, who knew he had a few thousand dollars in his account, figured he had punched in the wrong PIN. But then he got declined again.

Back at home, when Mann logged on to his bank account at Rockland Trust, he couldn’t believe what he saw: His balance was draining before his eyes. Each time he refreshed the page, more money vanished. He felt a cold, sickening twist in his gut. Mann grabbed for his phone and could barely dial the number of his bank. Helpless confusion gripped him as he exclaimed, awkwardly, “I’m being compromised!”

The bank froze his account, but not in time to stop the damage: One hundred sixty-seven illegal transactions had been made, involving everything from calling cards to computer equipment to website payments. The crooks hadn’t just stolen his money, they had also ripped off his identity — one charge was a donation to a neo-Nazi organization in Germany. “It didn’t make any sense,” Mann says. “My account was getting hammered.”

Forty miles from Mann’s home in Pembroke, executives at the Framingham headquarters of the TJX Companies — which owns T. J. Maxx and a slew of discount retailers including Marshalls, HomeGoods, and A. J. Wright — were already piecing together the source of Mann’s problems. They had discovered that hackers had broken into the TJX computer system and stolen payment card numbers. Mann was just one of 45 million customers being victimized by one of the biggest credit card heists of all time.

Today, three years after the attack was discovered, the details of how the crime was perpetrated — and exactly how much damage was done — are finally coming into view. According to TJX’s filing with the Securities and Exchange Commission last year, the breach and the ensuing legal complaints brought by customers ended up costing the company more than $170 million. It’s a stark reminder of how vulnerable companies and consumers are in an increasingly digital economy. “One thing we learned is how aggressive and creative cybercriminals are, constantly finding ways to penetrate even the best computer security,” says TJX spokeswoman Sherry Lang.

  • Bla

    Editor refused to make the following requested correction: “TJX should be thanking me” -> “TJX should be thanking me for helping to clean out their technical staff.” as seen on the website of aut