Security experts speak out on TK Maxx fiasco

The TK Maxx hackers stole details of 45.7 million credit and debit cards from the UK and the US

Leading security experts have spoken out after hackers accessed 46 million card details at the parent company of store chain TK Maxx.

Mike Smart, product manager at Secure Computing , says the need for such companies to have adequate protection is obvious. "The visibility of this type of attack further strengthens the need for wider reaching preventive technology, he says. "We find that 80 per cent of confidential data is typically undetectable by 90 per cent of firewalls used by most companies."

And Smart should know: his company has just secured a data protection deal with one of the UK's largest retailers - Arcadia Group . Arcadia is behind some of the largest names on the high street such as TopShop and Burton.

"Hacking into a corporate network and extracting data unnoticed is easy," admits Smart. One of the main reasons for this is that network traffic is much more complex today - instant messaging and web mail traffic clouds the ability to see illicit traffic.

Security firm ConSentry specialises in identity based network control - only allowing certain people on to the network - and thinks that stores need to be more careful about who they let access their networks. Director Alex Raistrick says: "It's a no-brainer that many security breaches are a result of the wrong people gaining access to sensitive information.

"The most effective approach is to allow only appropriate and authorised users access to this kind of data, by creating a full usage log," says Raistrick. "Retail organisations need to wake up and have more of a focus on user-based authentication controls, as the fewer people that have access to sensitive personal content, the better."

Pete Baxter of anti-malware specialist Sana Security thinks the same is true of corporate anti-virus software: "Anti-virus software often doesn't spot a malware threat or hack immediately and, as a result, the damage is being done within seconds.

"Behavioural based anti-malware software recognises any non-typical activity on the network and stops it dead before it can go any further."

The TK Maxx hackers stole details of 45.7 million credit and debit cards from the UK and the US. The raid happened to mainframes in Watford and at the US base of parent company TJX in Framingham, near Boston. The chain's IT experts became suspicious prior to Christmas when unfamiliar software was found on the company's servers. They notified the enforcement agencies and called in experts from IBM .

The revelation - which the company is calling an "unauthorised intrusion" - was revealed in the TJX annual report, which also provided a free UK phone number for anybody who may have been affected: 0800 779015. The original raids appear to have taken place in 2005.


Dan (Twitter, Google+) is TechRadar's Former Deputy Editor and is now in charge at our sister site Covering all things computing, internet and mobile he's a seasoned regular at major tech shows such as CES, IFA and Mobile World Congress. Dan has also been a tech expert for many outlets including BBC Radio 4, 5Live and the World Service, The Sun and ITV News.