stories about: "tjx"
Scams

by Mike Masnick


Filed Under:
albert gonzalez, breach, credit cards

Companies:
heartland payment systems, tjx



Looks Like The Guy Who Set The Record For Largest Credit Card Breach Was Breaking His Own Record

from the raising-the-bar dept

Back in January, we noted that it looked like there might be a new winner in the battle to see who was responsible for the largest ever credit card breach. Until that time, the honor had gone to a series of department stores owned by TJX (TJ Maxx, Marshalls, etc.). That involved info on 94 million credit card holders. Not bad. But the newer deal, involving Heartland Payment Systems, appeared to affect well over 100 million. Now, you may have seen the news reports this week that have upped that total to 130 million, as part of the announcement of indictments against three individuals for illegally accessing the data. But, what's fascinating is that the one guy in custody, Albert Gonzalez, was already in custody for his role in the TJX hack (along with some other retailers). Oh, and there's also the tidbit about how he was a government informant, handing over info on (you guessed it) the underworld involved in stolen credit card numbers.

News You Could Do Without

by Carlo Longino


Filed Under:
breach, sale, security

Companies:
tjx



TJX Offers One-Day Sale To Make Up For Massive Data Breach

from the how-generous dept

Until earlier this week, TJX held the record for the biggest-ever data leak, for its effort to lose track of some 94 million people's credit card info to a group of hackers. Just to recap, the company lost all the data largely through sheer incompetence, by encrypting its stores' WiFi networks with the easily broken WEP standard, and not having enough security in place to keep the hackers out of its central database after they'd gotten on the network at a single store. Even more astounding was the fact that TJX transmitted credit-card info to banks without any encryption. It was the banks that were largely left holding the bag for all the fraudulent purchases made with the stolen credit-card numbers, while several of the criminals behind the breach were charged, too. What punitive action was taken against TJX? It had to pay a $41 million fine to Visa, but got off with no fine and a wrist slap from the Federal Trade Commission. But apparently the company really wanted to make things up to consumers, so it offered a one-day 15 percent off sale in its US and Canadian stores this week. Wow, so generous, especially to do it in the post-holiday, let's-clear-out-everything-we-didn't-sell-before-Christmas season. You could probably forgive TJX for thinking this would make up for everything, though, since data-leak settlements and punishments are generally toothless and do little to encourage companies to take serious steps to stop the leaks.

Scams

by Mike Masnick


Filed Under:
credit card theft, data breach, organized crime

Companies:
tjx



Eleven Charged In Massive TJX Data Loss... But Many Are Still Overseas

from the this-is-hardly-over dept

We've had numerous posts about the massive (some say the largest ever) data breach by TJX, parent company of retailers like TJ Maxx and Marshalls. So, it's certainly worth mentioning the story making headlines that the "culprits" of the breach have been charged in the case, but it shouldn't exactly put your mind at ease about these breaches. After all, the credit card info they accessed (over 40 million cards by most accounts) is still out there, though many card holders have already changed their numbers. But, more importantly, it sounds as though most of those responsible aren't in the US at all and are basically sitting free in Eastern Europe and Asia. Hell, one of those "charged" is only known by his online username, with no indication where he might be located. So, yes, it's good that the feds tracked down some of the folks responsible, but most of them are probably still out there getting access to the credit cards your provider sent you to replace the ones compromised by these guys in the first place.

Scams

by Mike Masnick


Filed Under:
breach, security

Companies:
tjx



Remember How TJX Was The Worst Data Breach In History? Well, It Was Actually Worse

from the stunning-incompetence dept

In the last few years, every time a massive data breach is reported, you can be assured of one thing: a few weeks after the initial report comes out, a second report will come out admitting that the breach was worse than previously expected. We saw it with Choicepoint. We saw it with the VA. It seems to always happen. In fact, with the now infamous TJX breach, we'd already mentioned that the problems were worse than originally announced -- making it the largest such breach ever reported. This wasn't surprising once you found out just how incompetent the company was -- failing to comply with nearly all of the credit card company's security guidelines and leaving their entire system wide open to anyone who could hack a simple insecure WEP WiFi system (something that's quite easily done). The data from the breach (unlike many other widely announced breaches) has already been used in numerous frauds, costing upwards of $60 million. With such astounding incompetence and a breach so large, should it come as any surprise that even the updated breach numbers weren't complete? That's right, thanks to documents being filed in the lawsuits against TJX, it's now coming out that the breach has impacted even more people than was earlier announced. Of course, the question still remains whether or not the punishment the company receives will matter. It doesn't seem like anything is really done to stop companies from being so careless, and there's no indication that's going to change in this case either.

Legal Issues

by Dennis Yang


Filed Under:
lawsuits, security

Companies:
tj maxx, tjx



Shocker, TJX Credit Card Breach Settlement Proposal Lacks Any Real Settlement

from the oops-we're-real-sorry dept

TJX, the parent corporation of retailer TJ Maxx, proposed a settlement to the class action suits levied against it in what could be the largest credit card breach ever, approximately 45 million records. TJX is offering claimants up to three years of credit monitoring along with $20,000 identity theft insurance coverage. This settlement sounds pretty good, until you read the fine print (via Consumerist). In order to qualify for the settlement, you must have returned an item to the store without a receipt; this limits the claimants to approximately 455,000 people, or only about 1% of the class. The remaining 44.5 million are only eligible for $30 vouchers in store credit, and only with documented proof of a loss. This definitely seems like a slap on the wrist for TJX. Sure, it's bad, but surely TJX hasn't lost 77% of its customer base from this incident. Finally, in a clever move at the end of the settlement proposal, TJX took this as an opportunity to announce that all of its stores will be having a 15% sale sometime in 2008. Way to turn a class action lawsuit settlement into free advertising, TJ Maxx.

Scams

by Mike Masnick


Filed Under:
data leaks, security

Companies:
tjx



Did TJX Know About Massive Security Breach Long Before It Revealed It?

from the dates-not-adding-up dept

We've already seen that, as with just about every other data leak, the massive data leak from clothing retailer TJX was a lot worse than originally reported. However, some are now asking whether the company also hasn't come entirely clean about when the breach occurred and when the company knew about it. The official statements from TJX suggest that the company became aware that its own horrible security was breached on December 18th, 2006, and informed the FBI by December 22nd. However, as the article above notes, there's evidence suggesting that TJX was familiar with the breach well before that. Remember that a bunch of folks had been arrested in Florida for using the TJX data in scams. The police in that case have filed some reports, noting that TJX had alerted them to a breach back in March of 2006 -- and, in fact, the Florida investigators filed reports on their investigation in November 2006... well before TJX even claims that it knew of the breach. It certainly raises some questions about when TJX really became aware of the breach, and when the company finally alerted people that their data may have been compromised.

Ramblings

by Carlo Longino


Filed Under:
data leaks, security

Companies:
tjx



Now Maybe TJX Will Take Data Security Seriously

from the when-you-put-it-that-way dept

While personal data leaks continue to occur at a pretty regular clip, very few companies or government agencies take the problem very seriously. This is mostly because after the initial bout of bad PR, the repercussions are minimal, so few groups bother to spend the time and resources needed to put proper preventative measures in place. Perhaps, though, that will begin to change as the costs of these data leaks and breaches become more publicized. For instance, TJX, the retailer that suffered the largest breach of credit-card data ever, reported this week that its second-quarter costs related to that breach came in at more than 10 times its initial estimates, and added up to 25 cents per share in the quarter. The raw figure of $117 million still isn't that much, but it cut the company's earnings per share in half from the year-ago quarter -- and that's bound to upset the company's investors. They're likely to be even more annoyed if they look into the details of the breach: earlier reports highlighted the company's security incompetence, but a story this week made things look even worse. The breach was apparently perpetrated by using poorly secured in-store kiosks, which were on the corporate network and not behind firewalls. Attackers stuck USB keys in the kiosks and loaded software that allowed them to be controlled remotely, and used as gateways onto the network. While it certainly doesn't look like TJX was paying a lot of attention to security, a 25 cent per share loss will make investors take notice -- and that, hopefully, will force companies to take data leaks and security more seriously.

Legal Issues

by Carlo Longino


Filed Under:
breach, credit card, security

Companies:
tj maxx, tjx



More People Busted With Credit-Card Numbers From TJX Breach

from the cha-ching dept

The Secret Service has busted four people in Florida, and recovered 200,000 credit cards from the TJX breach that was disclosed earlier this year. Recovering the credit-card numbers at this point does little more than link the fraudsters to the breach, but they're said to have been used to rack up more than $75 million in fraudulent charges. The people busted here didn't apparently participate in the theft of the credit-card data, but bought them from "known cybercriminals in Eastern Europe" and then used the numbers to make counterfeit cards. In any case, they're way more productive than another group of Florida scammers busted back in March, who only managed to rack up $8 million worth of goods at Sam's and Wal-Mart. Since banks get left holding the bag for this type of fraud, expect more lawsuits as they look to recover their losses from TJX's astounding level of incompetence.
