TJX and its Customers Suffer Enormous Data Breach
Posted on Jan 20, 2007 by Tom Fragala
This could be the big kahuna, the largest, most serious data breach of all time. TJX is the parent company of Marshalls and T.J. Maxx. This security breach happened eight months ago. The full extent of it is unknown or not announced, but apparently some are saying it could reach 40 million accounts. And to make matters worse, it's credit card, debit card and check transaction data. A goldmine for thieves and potentially a huge threat (and inconvenience) for those affected. Remember, your checking account (and debit card) has only a fraction of the protections your credit card does.
NewsFactor Network reports:
TJX, the parent company of Marshalls, T.J. Maxx, and several other national chains, said hackers breached a system that handles credit card, debit card, and check transactions in the United States and Puerto Rico. The company also said there is a possibility the breach is as far-reaching as the United Kingdom and Ireland.
Although officials from the Framingham, Mass.-based retail firm would not say how many customers had their data stolen by the computer hackers, the company did confirm that the breach happened in May 2006 and involved credit card information dating back to 2003.
The break-in was kept quiet until Wednesday, according to the company, at the request of law-enforcement officials.
The news on this is only going to get worse. What has me scratching my head is what did the criminals DO with the data? If law enforcement kept this quiet for 8 months, then wouldn't the amount of fraud on these accounts be catastrophic? And if the account holders were not notified, who knew and when?
Update: Was TJX improperly storing sensitive data it did not need? Why did it keep credit card and checking account data for several years? Is it so they can process customer returns? But why years? And can't they just ask the consumer for the card again? What am I missing here? The Massachusetts Banking Association thinks it's BS that TJX says they themselves are the victims. The MBA even issued a press release about this, saying that banks ultimately pay the price for fraud chargebacks, not Visa or MasterCard and not retailers like TJX.
If you want to get the latest news on this, I recommend visiting this link on Google News for "TJX data breach".
Update 2: It gets worse. This from ITWorld Canada:
...some of the banks affected by the breach have confirmed through credit card companies that the information stolen in the breach includes so-called Track 2 data taken from the magnetic stripes on the back of credit and debit cards...Track 2 data includes account numbers, expiration dates and encrypted personal identification numbers, plus other information that card-issuing banks can include at their discretion. Its apparent inclusion in the breach at TJX provides fresh evidence that IT security remains fragile at some large retailers despite efforts by credit card companies to get them to better protect customer data. Retailers are forbidden from storing such information under the Payment Card Industry (PCI) Data Security Standard being pushed by Visa, MasterCard International Inc. and other credit card companies. But many retailers continue to do so, often because their point-of-sale systems capture and store the data by default.
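As an added illustration, not code from the post or from the articles it quotes, here is a small Python scanner a merchant could run over point-of-sale logs or database exports to detect Track 2 records that PCI DSS says must not be stored after authorization. The Track 2 layout follows ISO/IEC 7813; the sample log line is constructed and uses a well-known test card number.

```python
import re

# Track 2 layout (ISO/IEC 7813):  ;PAN=YYMMSSS<discretionary>?
#   ';'  start sentinel, PAN up to 19 digits, '=' field separator,
#   4-digit expiry (YYMM), 3-digit service code, then issuer-defined
#   discretionary data (often the PIN verification value), '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """True if the PAN passes the Luhn check-digit test (filters junk hits)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(text: str) -> list:
    """Return masked findings for every Luhn-valid Track 2 record in text."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan, exp, svc, disc = m.groups()
        if not luhn_ok(pan):
            continue                      # not a real card number, skip
        findings.append({
            "pan_masked": mask_pan(pan),
            "expiry": exp[2:] + "/" + exp[:2],   # MM/YY
            "service_code": svc,
            "has_discretionary": bool(disc),     # full track stored, worst case
            "offset": m.start(),
        })
    return findings

# Constructed sample: one genuine-looking record (Luhn-valid test PAN 4111...)
# and one with a bad check digit that the scanner should ignore.
SAMPLE_LOG = (
    "2006-05-12 10:14:03 POS07 swipe ;4111111111111111=0812101123456789?\n"
    "2006-05-12 10:15:44 POS07 swipe ;4111111111111112=0812101?\n"
)

if __name__ == "__main__":
    for f in find_track2(SAMPLE_LOG):
        print("Track 2 data at rest:", f)
```

Running it on a real export tells you which files and offsets need purging; the masked output can go in a compliance report without itself becoming another copy of cardholder data.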
Update 1/24/07: The Boston Globe published an article today, "Filling in the Gaps on the Data Breach". Except it doesn't fill in any gaps for me. The article doesn't answer many questions, but it's worth a read if you are affected by this. Why the heck doesn't TJX have a blog where they post updates?
Update 3: The Fraudwar blog says there is evidence that hundreds of thousands of compromised accounts are being used. And mentions my warning: watch out if you used your debit card as a credit card. Your relief from fraud will potentially be limited.
Update 4: TJX has a FAQ page with more information. Javelin Research has a fine blog post about this. And, inevitably, there is a class action lawsuit announced. Just because there was a huge breach, though, does not mean this lawsuit can go anywhere. After all, it is not a crime to have your network hacked. All they can do is plead "negligence," I guess, although what federal or state laws did TJX (not a financial institution) possibly violate? Is this a common law issue or UCC? Please comment if you truly know.
Filed under: Data Breach, Identity Theft
Tags: data theft, identitytheft, idtheft, security, security breach
Comments
Tom Mahoney on Jan 20, 2007
Of course the sad part of all this is that it was probably preventable. TJX was storing that data on a computer that was networked with the world but they are not permitted to store the data at all. Once the transaction is completed they are required to delete it.
Were they CISP compliant? Who knows. They should have been! If they were, then the industry had better take a good hard look at the requirements because the TJX breach would prove that they aren't working.
What do the bad guys do with this data? It depends on who got it. Some will try selling it and if they can't turn it over quickly, they'll get rid of it before they're caught with it. If this was organized crime or terrorist funding, you can assume they'll sit on it for a while until the dust settles.
And the real victims are the on-line merchants that end up getting hit with transactions using the card data. They'll be out their product or service and shipping charges and they'll get hit with chargeback fees of anywhere from $15 to $40.
And the cardholders - they just call the issuing bank and tell them they didn't make the charge and they get their money back. An inconvenience, to be sure, but not a monetary loss.
One can only hope that TJX gets everything that Visa and MasterCard can throw at them. They're certainly good candidates for the stupid of the year award.
Tom Mahoney, Director
Merchant911.org
Merchants united to protect against credit card fraud