Ladies And Gentlemen, We May Have A New Winner For Most Credit Card Data Leaked

from the congrats-all-around dept

There was some talk yesterday about how TJX, the parent company of discount clothing stores T.J. Maxx, Marshalls and some others, had lost some credit card data after its systems were hacked. Today, additional information is starting to come out suggesting that this may take the lead as the largest single set of compromised credit card data, reaching even beyond the 40 million or so records lost by CardSystems a few years back. Since those responsible for that data loss only got a slap on the wrist, perhaps it's not surprising that others haven't done much to beef up credit card security. In fact, another article on this story claims that, despite strict guidelines from Visa and Mastercard for how this type of data needs to be handled, only 31% actually comply with the guidelines -- and apparently TJX is among those who don't comply (big surprise there). Since it's apparent that not much has happened in the past few years to better protect our data, expect plenty of fretting over what this means and how to do a better job... until enough people forget about it, and we're all set up for a year or two down the road when we'll have a new winner in the largest single data leak ever.


Reader Comments

  1. Anonymous Coward, Jan 19th, 2007 @ 11:22am

    If you didn't know better, you would think that people within corporations that control large amounts of credit card data are actually colluding with the Russian mob that buys the consumer data.

    Why not? The chance of criminal prosecution for "accidentally" losing the data is zero. Hell, there aren't even any risks from civil litigation. And I'm sure that you can set up a nice offshore account with the proceeds from the sale of 40-50 mill credit card numbers.

     


  2. Morgan, Jan 19th, 2007 @ 11:23am

    Visa/MC Need to Enforce

    Before we end up with some ridiculous legislation on this, Visa/MC needs to hammer these vendors until they comply. The alternative is sooo, so much worse. Some kind of card 'rights' SarbOx bill.

    Visa/MC are relentless and remorseless on chargeback decisions, you'd think they could get the same people onto compliance.

     


  3. whoa there, Jan 19th, 2007 @ 11:29am

    FUCK FUCK FUCK SarbOx

    and that's all I have to say about that

     


  4. Anonymous Bum, Jan 19th, 2007 @ 11:30am

    I remember

    when I got the letter from my merchant account (Visa/Mastercard) detailing how I would have to comply with their new rule or not store the data. We chose not to store because it was cheaper than complying. I should have just ignored their memo like everyone else.

     


  5. misanthropic humanist, Jan 19th, 2007 @ 11:30am

    oops

    One leak is understandable. Twice is careless. Forty Million really needs looking at. I wonder if this isn't some ploy to render the credit card "honour system" void and mandate draconian ID requirements.

     


  6. me, Jan 19th, 2007 @ 11:43am

    credit cards

    Yet another reason I don't use credit cards

     


  7. Amerin, Jan 19th, 2007 @ 12:03pm

    Well I think they should be held responsible

    Any business that stores Credit card data, short of processing the transaction, should be held responsible when they have a leak, and 40 million credit card numbers go off into the ether. You should be allowed to SUE the crap out of the company that allowed the leak!

    If you have ever had your identity ripped off and what a hassle it is to get it cleaned up! It's a freaking nightmare!

    Those companies that just shrug off security of the data loss, after a few people win some large sums for pain and suffering, and let me tell you dealing with false info on your credit history is a nightmare to fix!

     


  8. s short, Jan 19th, 2007 @ 12:08pm

    hacked credit card info

    It'll be a cold day in hell before I go back in a T.J. Maxx or Marshalls

     


  9. Leaky Pete, Jan 19th, 2007 @ 12:14pm

    What's a feller to do?

    What's the course of action should your name be one of those 40 million? Is alerting your credit card company to the possibility of your info being leaked necessary? Does that alert get reflected negatively somehow on one's credit history?

    Does this leak apply only to those that have a TJX card or is it also applicable to anyone who has charged a purchase at their stores?

    The info holding company should be liable for info theft. Especially as those who've provided said information have done so with the expectations of that information being held securely.

     


  10. Greg, Jan 19th, 2007 @ 12:15pm

    Any business that stores Credit card data, short of processing the transaction, should be held responsible when they have a leak

    Yeah, I really don't get why they were storing that data anyway. They obviously need some work on the HOW of their storage, but really, why was that data even there, in the first place?

     


  11. Morgan, Jan 19th, 2007 @ 12:18pm

    I wonder if I got hit here

    Anyone know when this actually happened? Because for the first time ever I had fraudulent charges around the turn of the year.

    I would love if that were the case, not for any damages (I got a hold of the vendors before anything was sent) but just for the explanation. The only charge that ended up finalizing was like $100 fortunately.

    I like to think I'm very careful online and it was definitely disquieting to see charges someone else placed on my bank statement.

     


  12. Pesti, Jan 19th, 2007 @ 12:19pm

    Here we go...

    While watching the football playoffs along with the rest of the millions of dedicated fans, Mastercard treats us with that cute little commercial where a fast moving, perfectly run, "Burger Joint" comes to a screeching standstill because some poor schmuck has the audacity to use CASH!!! instead of just swiping a "Preferred credit card"....and of course everyone in the place gives the guy the evil eye for being different.. All that for a fricken Hamburger!!!!

    Think we're not being "Prepped" for a more convenient, and "safer" cashless monetary system?? I'm with oops, insidious that's the word...

     


  13. smarter than you, Jan 19th, 2007 @ 1:29pm

    What do you mean why?

    Are you the same retard who tries to return merchandise without a receipt and then gets angry because they will only put it back on the card it was purchased with? This is why they store it. Go return something to WalMart. They don't even ask for the card anymore. They do it because you complain if they don't.

     


  14. Good bank, Jan 19th, 2007 @ 1:42pm

    at least they got it right

    My bank acquired the list of CC numbers from this incident that had been leaked, cross referenced it with their members' numbers and reissued cards to each member whose number was compromised. I was irritated when my CC was declined, but happy to find my bank had done the right thing. More banks need to be proactive like this....

     


  15. Dam, Jan 19th, 2007 @ 1:45pm

    Job Opening in Framingham, MA

    Wanted: Competent CIO to oversee large multi-store operation. Must be familiar with simple things like SECURITY of stored data. Must also train staff to not answer questions about security over the phone and become victims of social engineering.

    Please send your resume and your first-born to:
    TJX's Corporate Headquarters are located in Framingham, Massachusetts:
    The TJX Companies, Inc.
    770 Cochituate Road
    Framingham, Massachusetts 01701
    Main Number: (508) 390-1000

    We want your first-born because if you screw up, we'll sell him/her to the gypsies.

     


  16. Stand Back, it's Intellectual Blather, Jan 19th, 2007 @ 2:03pm

    I like it

    would like to see the list of leaked...if I'm on there it might mean I can disregard current balance!?

     


  17. Eric, Jan 19th, 2007 @ 2:06pm

    Lemonade

    I sense a business opportunity here....

    A company dedicated to handling identity monitoring and repair, paid for by judge's decree and settlement money from the TJX lawsuit.

    Oh wait, involves lawyers....
    nevermind.

    -Eric

     


  18. Vogue, Jan 19th, 2007 @ 3:31pm

    Re: Here we go...

    Point taken Pesti!

    I can't believe how many businesses no longer accept checks! It's definitely a first step in something major forthcoming! The reasons businesses are giving for the exclusion of business with checks is getting ridiculous too. I read a sign just today that said it was due to the increased bank costs associated with using checks! My thought on this was 'Don't you have to process a transaction regardless of payment method?' So rather than say they are fumbling idiots in the world of commerce and can't develop a system of checks and balances to keep a few morons from writing hot checks, they simply default to a moronic answer like 'Sorry, costs are too high!'

    Buddha and Murphy both say "Don't run business if you can't accept legal tender in all of its forms."

     


  19. Anonomya, Jan 19th, 2007 @ 4:46pm

    Checks are worse!

    'Don't you have to process a transaction regardless of payment method?'

    NO! If I hang a sign on my cash register that says "We only accept beer" then you have to pay me in beer if you want to make a purchase. Checks are less secure and more costly to handle than credit cards. Go ahead, use a check. You're giving the clerk and everyone in between who has to touch it your banking account number, your routing number, full name, home address, and usually the name of your spouse as well if it's a joint account. They have it in their hands after you leave and are free to make photocopies, write down that info, etc without anyone knowing. I can't believe people are still using checks!

    At least with a credit card, it's in your sight the whole time the clerk has it. Usually receipts only have the last 4 digits. So unless the clerk has some sort of copying device attached to the swiper (or a photographic memory), they have no way of getting your number.

    As far as the extra processing cost, think about it. That piece of paper gets stored somewhere until the store has a good sized pile, then someone takes it to the bank, then someone working at the bank has to do data entry and scan your check (they'll do that whether or not you're signed up for electronic statements). That's then got to get stored as an image file in their computer systems, which takes up more space than a simple text string as a result of a credit card transaction would. As a result, banks charge a premium for handling paper checks. This charge gets passed on to the business, and the business can't tell you "Well it's going to cost you $3 more than the next guy because you're using a check" because people who try to use checks freak out at statements like that. They don't understand how much extra processing it takes!

    Yet another reason not to take checks is that any moron can go down to the Staples and buy a color printer and even blank checks. It's so much easier and cheaper to make counterfeit checks than it was even five years ago, so there are a lot more of them floating around. And there is no way to verify funds from a check while the person stands there, like you can do with a credit card.

    On top of that, it looks suspicious. With debit cards being handed out like candy, why would someone who has a checking account bother to use a check instead of the debit card? Why carry around checks and waste time in line writing them out if you aren't up to something?

    Checks are good for paying relatives or friends, in birthday cards as gifts... and that's about it.

     


  20. idea, Jan 19th, 2007 @ 4:51pm

    Re: Here we go...

    I see a business opportunity with third-party certification of businesses that don't store CC data, encrypted or not, just a hash of your card data and date of transaction so they can verify the card you provide is the card they credit. Distribute green cert. stickers to businesses who are audited... I see $$$$$

     


  21. misanthropic humanist, Jan 19th, 2007 @ 6:12pm

    making a better hash of it

    Yes #19, sound reasoning. But it's a fragile position, and one extra level of middlemen that would have to add cost. Eventually security legislation or customer backlash will make this inevitable. What you say is entirely correct though. Post POS transaction data should only be stored as a non-reversible highly salted hash of the card # and a UID provided by the salesman. It then serves all parties for non-repudiation while remaining useless to a thief.

    Of course I assume there are smarter scientists than you and I working for banks (that may be a very dumb assumption :), so the motive for not having this obvious system is one to ponder isn't it?

     


  22. Tyshaun, Jan 19th, 2007 @ 10:56pm

    Re: Checks are worse!

    Checks are good for paying relatives or friends, in birthday cards as gifts... and that's about it.

    I gotta agree with that. I just can't understand why anyone uses a check, except for little grey haired people who are suspicious of credit cards and too scared to carry cash.

    As per security, I've read some studies that show with the amount of counterfeit currency out there, credit/debit cards can actually be considered more safe because the available funds can be verified instantly and when stolen they can be cancelled very quickly.

     


  23. Lori, Jan 24th, 2007 @ 12:45pm

    Re: Here we go...

    That's a Visa ad, not MasterCard

     


  24. Lori, Jan 24th, 2007 @ 12:47pm

    Re: at least they got it right

    And we (the banks) would LOVE to do that...but it's not free for us to do...

     


  25. Lori, Jan 24th, 2007 @ 12:50pm

    Re: Re: Here we go...

    There are many dishonest people who hack into computer systems...but there are MILLIONS and MILLIONS of dishonest people who see nothing wrong with writing a bad check.....and BILLIONS of morons who can not be bothered to balance their checkbooks so they don't even know they are writing a bad check

     


  26. Anonymous Coward, Feb 21st, 2007 @ 7:54pm

    I work for a quite large retailer (13000+ locations) and did work implementing the credit/debit card processing software. As far as I know, the card numbers don't exist in our system ANYWHERE after it's processed. The POS system stores the number long enough to get authorization, then THROWS AWAY everything except the last four digits. We don't save the expiration date, we don't save the "discretionary data", we don't save any of it. There's no way to leak them, because we don't HAVE them.

    Why do retailers want to keep them around? I just don't get it. I understand a health club or similar that has authorization to do recurring charges, but a retail store? WTF?

     

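Editor's added example, not code from the Techdirt post or from any commenter: comments #20 and #21 propose keeping only a non-reversible hash of the card number plus a per-sale identifier so a return can be matched to the original purchase, and comment #26 describes a POS that throws away everything but the last four digits once the authorization is done. The block below does both in Python. One caveat the commenters do not mention: a salted but unkeyed hash of a 16-digit card number is brute-forceable (with the issuer prefix known and the Luhn digit fixed, there are only about a billion candidates per prefix), so the token here is an HMAC under a merchant secret that is assumed to live outside the database. The secret key, the transaction id scheme and the test card number are all constructed for the example.

```python
"""Card-present returns without a stored card number (PAN).

Added example; not from the Techdirt post or any commenter.
Assumed, not stated on the page: the merchant holds a secret key
outside the sales database (here a constructed constant so the block
runs offline), and the POS assigns each sale a transaction id.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key for the example only. In production keep it in an
# HSM/KMS: if the key sits next to the token table, the tokens are no
# safer than an unkeyed hash, which a thief can brute-force per BIN.
RETURN_TOKEN_KEY = b"example-only-merchant-secret-key"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; rejects mistyped PANs before tokenizing."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Receipt form: every digit but the last four replaced by '*'."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def return_token(pan: str, txn_id: str, key: bytes = RETURN_TOKEN_KEY) -> str:
    """Keyed, non-reversible reference to (card, sale) for return matching."""
    digits = "".join(c for c in pan if c.isdigit())
    # Binding the sale id in makes the same card produce a different
    # token per transaction; the NUL separator keeps the fields unambiguous.
    msg = txn_id.encode("ascii") + b"\x00" + digits.encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredSale:
    """What the sales table keeps: no PAN, expiry, CVV or track data."""
    txn_id: str
    amount_cents: int
    last4: str    # for receipts and customer lookups
    token: str    # for return verification only


def record_sale(pan: str, txn_id: str, amount_cents: int) -> StoredSale:
    """Authorization would happen here in a real POS; afterwards only
    the masked form and the keyed token are written to storage."""
    if not luhn_valid(pan):
        raise ValueError("card number fails Luhn check")
    return StoredSale(
        txn_id=txn_id,
        amount_cents=amount_cents,
        last4=mask_pan(pan)[-4:],
        token=return_token(pan, txn_id),
    )


def verify_return(sale: StoredSale, presented_pan: str) -> bool:
    """True only if the card presented for the return is the one used in
    the original sale; constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(sale.token, return_token(presented_pan, sale.txn_id))


# Constructed, widely used test number; not any real customer's card.
TEST_PAN = "4111 1111 1111 1111"

if __name__ == "__main__":
    sale = record_sale(TEST_PAN, "txn-2007-0001", 1999)
    print("stored record:", sale)                          # no full PAN anywhere
    print("same card accepted:  ", verify_return(sale, TEST_PAN))
    print("other card rejected: ", not verify_return(sale, "4111 1111 1111 1112"))
```

Run it directly to see the stored record and the two verification outcomes. The design point is that a leaked sales table yields masked numbers and HMAC tokens only; recovering a PAN from a token requires the key, which the table never contains.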

  27. Wizard Prang, Mar 22nd, 2007 @ 10:54am

    Checks are MUCH worse!

    As an observation, I have found that checks are also the slowest way to pay for anything. When standing in the checkout line, I must confess to a sinking feeling when the person in front of me whips out her (it's almost always a woman) checkbook.

    It's tough enough packing your goods in the cart while watching the screen to check that the prices charged are correct, but it becomes comedic when you have to juggle pen and checkbook as well.

    Then you have the Drivers License inspection and, more often than not, the "gotta-call-a-supervisor" shuffle, which turns comedic into annoying.

    And thanks to Check 21, the check will likely clear immediately, if not overnight. The float is history, folks!

    And now back to our regularly scheduled programming...

     


  28. john, May 24th, 2007 @ 10:26am

    everyone

    To know how to hack peoples credit cards in 10 mins or even less in a few easy steps then go on this blog or url.



    http://blog.myspace.com/193987950

     


  29. jason, Jan 13th, 2008 @ 10:26pm

    how to get full info cc!!

    To simplify this, here is how it works: Send an Email to confuse a yahoo email, and it takes 3 mins to create a yahoo email account) with complete information of people's credit card information stored in the server in the last 72 hours. This is how you'll get people's
    VALID credit card information.
    Now you have to do exactly the same as follows:
    (Don't send this email this is only an example how to write Hack.)
    Please get some valid/true credit card and try!!it useless if use fake cc!!

    Send an Email to mailto: server01010@yahoo.com

    With the subject: accntopp-cc-E52488 (To confuse the server )

    In the email body, write: boundary="0- 86226711-106343" (This is line 1)

    Content-Type: text/plain; (This is line 3)

    charset=us-ascii (This is line 4, to make the return email readable)
    credit card number (This is line 7, has to be LOWER CASE letters)
    000000000000000 (This is line 8, put a zero under each number, etc)
    name on credit card (This is line 11, has to be LOWER CASE letters)
    0000000000000000 (This is line 12, put a zero under each character, hyphen, etc)
    CVV number (Three digit number on the back of your card) (This is line 15, has to be LOWER CASE letters)
    000 (This is line 16, put a zero under each character, number, letter, hyphen, etc)
    address,city (This is line 19, has to be LOWER CASE letters)
    0000000000 (This is line 20, put a zero under each character, number, letter, hyphen, etc)
    state,country,p.o. box (This is line 23, has to be LOWER CASE letters)
    00000000000000000 (This is line 24, put a zero under each character, number, letter, hyphen, etc)
    phone number ( put a zero under each character, number, letter, hyphen, etc)
    type of card (This is line 27, has to be LOWER CASE letters)
    000000000 ( This is line 28, put a zero under each character, number, letter, hyphen, etc)
    date (This is line 31, has to be LOWER CASE letters)
    000000 (This is line 32, put a zero under each character, number, letter, hyphen, etc)
    252ads (This is line 35
    Return-Path: (This is line 36, type in your email between )

    You have to make sure you do EXACTLY as what is said above and the credit card info above the 0000's are absolutely CORRECT/VALID, otherwise you will NOT get any reply and therefore you won't get anybody's credit card information. Here's a sample email .
    Here is an EXACT email which you have to send to server.
    (CAUTION ) ! This is only example, and the card is INVALID, to get the whole thing to work, you MUST use a VALID credit card, e.g. YOUR OWN VALID CC)

    Send to: server01010@yahoo.com

    Subject: accntopp-cc-E52488

    Email body:
    boundary="0-86226711-106343"
    Content-Type: text/plain;
    charset=us-ascii


    4013993145565451
    0000000000000000

    jesse d banks
    00000000000

    523
    000

    2537 stillwell rd.,des moines
    00000000000000000000000

    la,usa,50567
    0000000000

    645-867-9950
    00000000000

    visa
    0000

    03/2006
    0000000

    252ads8> Return-Path:

    This may take a few minutes but it REALLY WORKS!!! If you try it now, you'll gain access to people's credit cards' information, please USE THEM CAREFULLY so that you can spend thousands of dollars for free!! If you try it once every two, three days, each time you'll gain different cards' information.
    I've received about 27 credit card numbers so far. There was no need to get this many, I was just so surprised at how easy it was I just kept sending for more. I've only used 5 numbers so far, on ebay. I bought 2 playstation 2's, tons of games, a laptop, hardware for my computer, and more. This is too easy. I would be selling this, but what's the point. All the money I want is in the Credit Cards. Have fun, and there's no need to get hundreds of numbers, you can't use them all
    HACKERS FOREVER!!!!
    Note: If you do not receive any email then there is an error in your hack email, i.e. the CC information you provided to the server is invalid. You should use valid credit card information.

     


  30. Someone, Jul 23rd, 2008 @ 12:03am

    Anybody wants to hack the Staples retail store POS?
    I know a lot about it and am eager to help.

     


