A Simple Scheme to Rob 45,700,000 People

Three years ago a group of computer geeks slipped into the servers at Framingham-based TJX — the parent company of T. J. Maxx — and orchestrated the world’s biggest identity heist. Now, as the hackers head to prison and the secrets of their scam are revealed, one question remains: Are you any safer?

In September 2009 in Boston, Gonzalez pleaded guilty to 19 counts of conspiracy, fraud, and aggravated identity theft. As of this writing, he faces up to 25 years in prison. Still, Gonzalez’s going to jail doesn’t, on its own, make consumers any less vulnerable to future attacks. And as enormous as the TJX breach was, it was by no means an isolated event. The state’s Office of Consumer Affairs and Business Regulation estimates that more than one million Bay State residents have been victimized by data breaches in the past two years. Thomas G. Shapiro, a Boston attorney who represented a group of TJX customers in a class-action suit filed against the company over the payment card thefts, says the evidence “showed that TJX was pretty lax and did not meet up-to-date security standards. But when you’re a consumer and go into a store, how do you know if security arrangements are [up to date]?”

Avivah Litan, an analyst with the information-technology research firm Gartner, estimates TJX will end up spending roughly $125 million to fix its security problems, but even that may not be enough. “The only way to prevent these types of hackers in the future is to make a major change to card payment systems,” Litan says.

Some countries, for example, include a smart chip on credit cards, which ensures the card can be unlocked and used only with a personal identification number. TJX is now among those pressing for this “chip and PIN” technology in the United States.

In the meantime, other precautions are being put into place. On March 1, Massachusetts implemented a strict new data-privacy law in the wake of the TJX attack. The law requires companies that hold on to personal data for employees or consumers to create safeguards, such as encryption — the sort of thing that could have prevented the TJX breach.

Of course, stopping data breaches is a cat-and-mouse game, and it’s likely that hackers will score again somewhere. They are driven not by simple greed, but by something more complex and difficult to curtail: ego. “Perhaps the most important thing to understand about Gonzalez’s crimes is that the motivation for them was predominantly the thrill of accomplishing more and more difficult computer feats and not just personal greed,” his attorney Martin Weinberg has said. “In addition, because of his single-minded focus on his computer and his interpersonal defects and the fact that those he harmed were faceless…Gonzalez was, during the time when he was committing his crimes, unable to appreciate the harm he was doing to others.”

But it’s too late for those who suffered from his handiwork, like Robert Mann. Though his bank covered his lost account balance, he’s still sour on TJX. As part of a class-action settlement by TJX, he received a $30 gift card. But he has no use for it: He avoids T. J. Maxx. These days, he says, “I make my lunch at home.”            
