3/30/2007

Why Encryption Didn’t Save TJX

Filed under: — Aviran Mordo @ 12:58 pm

TJX: It’s the target of the largest known customer record theft of all time, and it’s a case in point that encryption is not a silver bullet.

This is the heart of the encryption problem, quoted from the 10-K filing The TJX Companies made to the Securities and Exchange Commission:

“Despite our masking and encryption practices on our Framingham system in 2006, the technology utilized in the Computer Intrusion during 2006 could have enabled the Intruder to steal payment card data from our Framingham system during the payment card issuer’s approval process, in which data (including the track 2 data) is transmitted to payment card issuers without encryption. Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX.”

Encryption obviously protects nothing while the data is not encrypted, and credit cards can’t be processed while their numbers are encrypted. Hence a smart crook will look for a way to capture the data during the window of time when it is “in the clear”—that is, unencrypted.

TJX’s intruder also had a backup plan if data in the clear wasn’t attainable: namely, the decryption key.
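As an added illustration (not from the post, and not a description of TJX’s actual systems), here is a constructed Python model of the authorization window the filing describes: the request to the issuer must carry the cleartext track 2 data, so the defensive lever is what is retained once approval comes back, together with an audit check that flags stored track 2 strings or full PANs. The track 2 sample and field layout are constructed for the example.

```python
import re

# Constructed sample track 2 data: start sentinel ';', PAN, '=' separator,
# expiry YYMM, service code, discretionary data, end sentinel '?'.
# The PAN is a well-known test number, not a real card.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"

TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(digits):
    """Luhn check used to tell a PAN from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def parse_track2(track2):
    """Split a track 2 string into its fields; rejects malformed input."""
    m = TRACK2_RE.fullmatch(track2)
    if not m or not luhn_ok(m.group(1)):
        raise ValueError("not a valid track 2 string")
    return {"pan": m.group(1), "expiry": m.group(2),
            "service_code": m.group(3), "discretionary": m.group(4)}

def build_auth_request(track2, amount_cents):
    """The issuer needs the real track data to approve the sale, so this
    message is necessarily in the clear inside the merchant process."""
    fields = parse_track2(track2)
    return {"track2": track2, "pan": fields["pan"],
            "expiry": fields["expiry"], "amount_cents": amount_cents}

def record_for_storage(auth_request, approval_code):
    """After approval keep only what settlement needs: masked PAN (first 6,
    last 4), expiry, amount, approval code. Track 2 is dropped entirely,
    so a leaked decryption key would unlock nothing worth having."""
    pan = auth_request["pan"]
    return {"pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": auth_request["expiry"],
            "amount_cents": auth_request["amount_cents"],
            "approval_code": approval_code}

def find_prohibited_data(text):
    """Audit persisted text (log line, DB dump) for full track 2 strings or
    unmasked Luhn-valid PANs; returns sorted unique findings."""
    findings = set()
    if TRACK2_RE.search(text):
        findings.add("track2")
    for run in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text):
        if luhn_ok(run):
            findings.add("pan:" + run[-4:])
    return sorted(findings)
```

Running `find_prohibited_data` over a serialized authorization request flags both the track 2 string and the PAN, while the record produced by `record_for_storage` yields no findings.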
