A Simple Scheme to Rob 45,700,000 People

Three years ago a group of computer geeks slipped into the servers at Framingham-based TJX — the parent company of T. J. Maxx — and orchestrated the world’s biggest identity heist. Now, as the hackers head to prison and the secrets of their scam are revealed, one question remains: Are you any safer?

But some experts think TJX’s security wasn’t that great to begin with. “It’s a terrible example of what can happen when appropriate security measures are not taken,” says Barbara Anthony, undersecretary of the state’s Office of Consumer Affairs and Business Regulation. “It’s a wake-up call.” One of the men sentenced in the heist has another way of putting it. Stephen Watt, a hacker who will soon begin serving a two-year prison term for his role in the scheme, considered the TJX attack “embarrassingly simple.” 

“This was just the money they lost from their own incompetence,” he says. “TJX should be thanking me.”

WEDGED BETWEEN THE MASS. PIKE and Lake Cochituate in Framingham, the massive brick-and-glass headquarters of TJX looks like a place befitting a national retail empire. But the corporate sheen belies the company’s deep roots as a scrappy family-run firm. In 1919, immigrant brothers Max and Morris Feldberg opened the New England Trading Company in order to supply department stores with ladies’ underwear. By the Great Depression, the Feldbergs had gotten into the retail business for themselves, with a chain of stores called the Bell Hosiery Shops. In 1956, Max’s and Morris’s sons expanded the business, opening a department store in Hyannis named Zayre, which is Yiddish for “very good.”

The Feldbergs’ formula was as simple as it was successful: They sold off-price, upscale goods to shoppers who’d been priced out of higher-end retailers. During the recession of the 1970s, the company added a new discount store, T. J. Maxx, first in Auburn and Worcester and then beyond. Acquisitions and innovations followed, and by the mid-1990s, people who had never heard of TJX were nonetheless shopping at its discount chains, buying name-brand clothes at Marshalls or spatulas at HomeGoods. Today, with $19 billion in annual revenues and more than 2,600 stores nationwide, it’s one of the largest off-price retail empires in the country.

As TJX’s reach spread throughout North America and into Europe, there was one guy in particular who wasn’t a fan: Stephen Watt. Growing up in Melbourne, Florida, in the 1980s and ’90s, he’d pound the dashboard whenever his value-hunting mom would steer the car toward a T. J. Maxx or Marshalls. “Please don’t make me go in there with all these fat people and shitty clothes!” he’d plead.

Watt had reason to feel like an oddball in his town. “I personally consider it to be like the eighth or possibly the ninth bulge of hell,” he says. A seven-foot-tall blond whiz kid, Watt was a star student — he earned a 4.37 grade point average in high school — who had little in common with his classmates. After teaching himself computer code, a 15-year-old Watt found like-minded misfits in the burgeoning hacker underworld. He frequented a chat room for globalHell, a hacker collective notorious for defacing the websites of the U.S. Army and the White House, among others. “They were basically a bunch of script-kid morons, but it seemed exciting to me since I knew nothing about hacking or security,” he says.


  • Bla

    Editor refused to make the following requested correction: “TJX should be thanking me” -> “TJX should be thanking me for helping to clean out their technical staff.” as seen on the website of aut