TJX Waging Legal Battle To Keep Security Details Secret

Court filings have begun for what frightens TJX most: being ordered to reveal publicly how the data breaches occurred.

The TJX data breach has been a veritable data dynamo of details that, if carefully pieced together, say virtually nothing.

But those details have typically hinted at a wide range of security problems, including weak firewall protection, encryption irregularities, wireless problems and a Trojan horse that may have been planted.

After months of motions and arguments, filings have begun for the argument that frightens TJX the most: Whether U.S. District Court Judge William Young will order that TJX reveal publicly exactly how it believes the breaches occurred and why they happened.

In hearings in a Boston court the week of Oct. 22, attorneys representing banks that are suing TJX specifically asked Young for permission to make public reports that TJX had prepared detailing the mishaps. TJX is aggressively fighting such efforts.

At issue are five reports, plus a few related pieces of testimony. The reports are: one prepared by ATW on May 1, called the "Card Compromise Forensic Investigation Report" (Exhibit 5); a June 11 report by General Dynamics called "Advanced Information Systems, Intrusion into the TJX Companies, Inc.'s Computer System" (Exhibit 8); a Verisign CISP compliance report from Sept. 19, 2004 (Exhibit 9); and a Cybertrust CISP compliance report from Sept. 6, 2006 (Exhibits 8, 9, and 10, collectively, the reports on compliance).

Young will likely look at several factors, including relevance and significance. However, the pivotal question is likely to be whether disclosing the contents of those reports would further weaken TJX's security.

The Framingham, Mass., retailer focuses on very specific details, such as the current location of various servers, and argues that such information would put consumers at more risk.

"The ATW Report and GD Presentation both provide detailed, nonpublic information about how TJX's computer system was compromised in 2005 and 2006," said a TJX document filed Oct. 24. "If revealed publicly, [it] could serve as a road map for persons trying to attack TJX's computer system or other participants in the payment card system."

"These documents are a sideshow and plaintiffs seek to include them only as part of their wider strategy to seek to discredit TJX at every turn," the TJX attorneys wrote.

The plaintiffs have countered that the handful of current details could be removed, leaving intact the information about the early state of the systems, which have since been fixed and otherwise changed.

Retail Center Editor Evan Schuman can be reached at