Attackers exploited weak WEP encryption on in-store Wi-Fi to enter TJX's network, then used SQL injection and weak access controls to reach the central transaction database.
TJX settled for $256 million across lawsuits and fines. The breach became the canonical example cited in PCI DSS audits and drove adoption of WPA2 in retail environments.
The Incident
In January 2007, TJX Companies (parent of TJ Maxx, Marshalls, and HomeGoods) disclosed that attackers had accessed its systems and stolen data on approximately 94 million credit card accounts. The breach had been ongoing since at least July 2005 — eighteen months of undetected access.
The Root Cause
The initial entry point was a Wi-Fi access point at a Marshalls store in Miami that was still using WEP encryption — cracked in under a minute with freely available tools. Once on the store's network, the attackers pivoted to TJX's corporate network, where they found SQL injection vulnerabilities in internal applications. These vulnerabilities gave them access to the central transaction processing database, which stored card data with weak or no encryption.
The Pattern
TJX illustrates the compounding nature of security failures. No single vulnerability was extraordinary — weak Wi-Fi encryption, SQL injection in internal apps, and unencrypted card storage were all known, documented problems. The catastrophe came from their combination. Each failure assumed the others wouldn't be exploited.
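The two application-layer failures described above (SQL injection in internal apps and card numbers stored in the clear) can be shown side by side in a few lines. The following is an added example, not code from the original article or from any TJX system: it builds an in-memory SQLite table of constructed, non-real card records, then compares a lookup assembled by string concatenation with a parameterized one, and compares a table holding full card numbers with one holding only PCI-style truncated numbers (truncation stands in here for the at-rest protection the article says was missing). The table name, column names and function names are all assumptions for illustration.

```python
import sqlite3

# Constructed sample data: fake card records for a store transaction table.
# These are well-known test PANs, not real card numbers.
SAMPLE_ROWS = [
    ("TXN-1001", "4111111111111111", "12/27", 19.99),
    ("TXN-1002", "5500000000000004", "03/26", 42.50),
    ("TXN-1003", "340000000000009", "08/28", 7.25),
]


def truncate_pan(pan):
    """Keep only the last four digits, the way PCI DSS allows stored PANs to be truncated."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def build_db(store_full_pan):
    """Create the (hypothetical) transactions table, either with full PANs or truncated ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (txn_id TEXT, pan TEXT, expiry TEXT, amount REAL)"
    )
    rows = (
        SAMPLE_ROWS
        if store_full_pan
        else [(t, truncate_pan(p), e, a) for t, p, e, a in SAMPLE_ROWS]
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", rows)
    return conn


def lookup_concatenated(conn, txn_id):
    """Weak internal-app pattern: the untrusted value is spliced into the SQL text itself."""
    query = "SELECT txn_id, pan FROM transactions WHERE txn_id = '" + txn_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, txn_id):
    """Hardened form: the value is bound as a parameter and can never change the query shape."""
    return conn.execute(
        "SELECT txn_id, pan FROM transactions WHERE txn_id = ?", (txn_id,)
    ).fetchall()


def demo():
    """Run the four cases and return the rows each one yields."""
    results = {}
    normal_input = "TXN-1002"
    # The textbook tautology input; with concatenation it turns the WHERE clause
    # into "txn_id = '' OR '1'='1'", which matches every row.
    malformed_input = "' OR '1'='1"

    full = build_db(store_full_pan=True)
    results["concat_full_normal"] = lookup_concatenated(full, normal_input)
    results["concat_full_malformed"] = lookup_concatenated(full, malformed_input)
    results["param_full_malformed"] = lookup_parameterized(full, malformed_input)

    # Second, independent control: even if the query layer is weak, a table that
    # never held full PANs has nothing usable to give up.
    truncated = build_db(store_full_pan=False)
    results["concat_truncated_malformed"] = lookup_concatenated(truncated, malformed_input)
    return results


if __name__ == "__main__":
    for case, rows in demo().items():
        print(case, rows)
```

The point the article makes about compounding failures shows up in the last case: the concatenated query is still exploitable against the truncated table, but the rows it leaks contain no full card numbers. Either control on its own would have changed the outcome; fixing the query layer removes the entry, and truncating or encrypting stored card data removes the prize.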
The Aftermath
The $256 million total cost included settlements with Visa, Mastercard, and affected banks, plus ongoing monitoring obligations. The breach became the standard reference case for PCI DSS auditors — "you don't want to be the next TJX" was the compliance industry's most effective argument for the next five years.