
stories filed under: "breach"
Scams


by Mike Masnick


Filed Under:
albert gonzalez, breach, credit cards

Companies:
heartland payment systems, tjx



Looks Like The Guy Who Set The Record For Largest Credit Card Breach Was Breaking His Own Record

from the raising-the-bar dept

Back in January, we noted that it looked like there might be a new winner in the battle to see who was responsible for the largest ever credit card breach. Until that time, the honor had gone to a series of department stores owned by TJX (TJ Maxx, Marshalls, etc.). That involved info on 94 million credit card holders. Not bad. But the newer deal, involving Heartland Payment Systems, appeared to affect well over 100 million. Now, you may have seen the news reports this week that have upped that total to 130 million, as part of the announcement of indictments against three individuals for illegally accessing the data. But, what's fascinating is that the one guy in custody, Albert Gonzalez, was already in custody for his role in the TJX hack (along with some other retailers). Oh, and there's also the tidbit about how he was a government informant, handing over info on (you guessed it) the underworld involved in stolen credit card numbers.


 
News You Could Do Without


by Carlo Longino


Filed Under:
breach, sale, security

Companies:
tjx



TJX Offers One-Day Sale To Make Up For Massive Data Breach

from the how-generous dept

Until earlier this week, TJX held the record for the biggest-ever data leak, for its effort to lose track of some 94 million people's credit card info to a group of hackers. Just to recap, the company lost all the data largely through sheer incompetence, by encrypting its stores' WiFi networks with the easily broken WEP standard, and not having enough security in place to keep the hackers out of its central database after they'd gotten on the network at a single store. Even more astounding was the fact that TJX transmitted credit-card info to banks without any encryption. It was the banks that were largely left holding the bag for all the fraudulent purchases made with the stolen credit-card numbers, while several of the criminals behind the breach were charged, too. What punitive action was taken against TJX? It had to pay a $41 million fine to Visa, but got off with no fine and a wrist slap from the Federal Trade Commission. But apparently the company really wanted to make things up to consumers, so it offered a one-day 15 percent off sale in its US and Canadian stores this week. Wow, so generous, especially to do it in the post-holiday, let's-clear-out-everything-we-didn't-sell-before-Christmas season. You could probably forgive TJX for thinking this would make up for everything, though, since data-leak settlements and punishments are generally toothless and do little to encourage companies to take serious steps to stop the leaks.


 
(Mis)Uses of Technology


by Mike Masnick


Filed Under:
breach, canada, passports, security, url, websites



Canadian Passport Website Falls For Oldest Privacy Breach On The Web

from the that-one-again? dept

Back in the early days of the web, there were plenty of stories about a rather simple security breach on various sites. Basically, many sites would simply pass a user's account number through as a part of the URL. If a user simply changed the URL, he or she could see the account info of the other user associated with the new number. After a few such cases came to light, most web app designers quickly realized they needed to plug that hole, and it's been quite some time since we've heard of a site with such a security hole. However, it appears that there are still a few. The site for Passport Canada, where people can apply for a Canadian passport, apparently had exactly that security vulnerability, allowing the guy who discovered it to see the passport application data of other applicants simply by adjusting the URL. It's never nice to hear about a security flaw (especially on a gov't website with all sorts of private info), but it actually induces a bit of nostalgia to hear of such a basic security flaw showing up in the wild yet again.
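
An added illustration of the flaw described above (not code from Passport Canada or from the original post): a lookup that trusts the record number in the URL, next to one that also checks the record against the logged-in session. The URL shape, field names and records are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample records; the field names are hypothetical.
APPLICATIONS = {
    1001: {"owner": "alice", "name": "Alice Example"},
    1002: {"owner": "bob", "name": "Bob Example"},
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""


def record_id_from_url(url):
    """Extract the client-supplied record number from the query string."""
    values = parse_qs(urlparse(url).query).get("id", [])
    if len(values) != 1 or not values[0].isdigit():
        raise ValueError("missing or malformed id")
    return int(values[0])


def view_application_flawed(url):
    """The flawed pattern: the number in the URL is the only access check."""
    return APPLICATIONS.get(record_id_from_url(url))


def view_application_checked(url, session_user):
    """Same lookup, but the record must belong to the authenticated user."""
    record = APPLICATIONS.get(record_id_from_url(url))
    # Unknown and foreign ids get the same answer, so the response does not
    # reveal which record numbers exist.
    if record is None or record["owner"] != session_user:
        raise Forbidden("record not available to this user")
    return record
```

The identity used in the check comes from the server-side session, never from anything the client can edit in the request.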


 
Scams


by Mike Masnick


Filed Under:
breach, security

Companies:
tjx



Remember How TJX Was The Worst Data Breach In History? Well, It Was Actually Worse

from the stunning-incompetence dept

In the last few years, every time a massive data breach is reported, you can be assured of one thing: a few weeks after the initial report comes out, a second report will come out admitting that the breach was worse than previously expected. We saw it with Choicepoint. We saw it with the VA. It seems to always happen. In fact, with the now infamous TJX breach, we'd already mentioned that the problems were worse than originally announced -- making it the largest such breach ever reported. This wasn't surprising once you found out just how incompetent the company was -- failing to comply with nearly all of the credit card company's security guidelines and leaving their entire system wide open to anyone who could hack a simple insecure WEP WiFi system (something that's quite easily done). The data from the breach (unlike many other widely announced breaches) has already been used in numerous frauds, costing upwards of $60 million. With such astounding incompetence and a breach so large, should it come as any surprise that even the updated breach numbers weren't complete? That's right, thanks to documents being filed in the lawsuits against TJX, it's now coming out that the breach has impacted even more people than was earlier announced. Of course, the question still remains whether or not the punishment the company receives will matter. It doesn't seem like anything is really done to stop companies from being so careless, and there's no indication that's going to change in this case either.


 
Legal Issues


by Carlo Longino


Filed Under:
breach, credit card, security

Companies:
tj maxx, tjx



More People Busted With Credit-Card Numbers From TJX Breach

from the cha-ching dept

The Secret Service has busted four people in Florida, and recovered 200,000 credit cards from the TJX breach that was disclosed earlier this year. Recovering the credit-card numbers at this point does little more than link the fraudsters to the breach, but they're said to have been used to rack up more than $75 million in fraudulent charges. The people busted here didn't apparently participate in the theft of the credit-card data, but bought them from "known cybercriminals in Eastern Europe" and then used the numbers to make counterfeit cards. In any case, they're way more productive than another group of Florida scammers busted back in March, who only managed to rack up $8 million worth of goods at Sam's and Wal-Mart. Since banks get left holding the bag for this type of fraud, expect more lawsuits as they look to recover their losses from TJX's astounding level of incompetence.
