Ladies And Gentlemen, We May Have A New Winner For Most Credit Card Data Leaked

from the congrats-all-around dept

There was some talk yesterday about how TJX, the parent company for discount clothing stores T.J. Maxx, Marshalls and some others, had lost some credit card data after their systems were hacked. Today, additional information is starting to come out suggesting that this may take the lead as the largest single set of compromised credit card data, reaching even beyond the 40 million or so records lost by CardSystems a few years back. Since those responsible for that data loss only got a slap on the wrist, perhaps it’s not surprising that others haven’t done much to beef up credit card security. In fact, another article on this story claims that, despite strict guidelines from Visa and Mastercard for how this type of data needs to be handled, only 31% actually comply with the guidelines — and apparently TJX is among those who don’t comply (big surprise there). Since it’s apparent that not much has happened in the past few years to better protect our data, expect plenty of fretting over what this means and how to do a better job… until enough people forget about it, and we’re all set up for a year or two down the road when we’ll have a new winner in the largest single data leak ever.



Comments on “Ladies And Gentlemen, We May Have A New Winner For Most Credit Card Data Leaked”

30 Comments
Anonymous Coward says:

If you didn’t know better, you would think that people within corporations that control large amounts of credit card data are actually colluding with the Russian mob that buys the consumer data.

Why not? The chance of criminal prosecution for “accidentally” losing the data is zero. Hell, there aren’t even any risks from civil litigation. And I’m sure that you can set up a nice offshore account with the proceeds from the sale of 40-50 mill credit card numbers.

Amerin says:

Well I think they should be held responsible

Any business that stores Credit card data, short of processing the transaction, should be held responsible when they have a leak, and 40 million credit card numbers go off into the ether. You should be allowed to SUE the crap out of the company that allowed the leak!

If you have ever had your identity ripped off and what a hassle it is to get it cleaned up! It’s a freaking nightmare!

Those companies that just shrug off security of the data loss, after a few people win some large sums for pain and suffering, and let me tell you dealing with false info on your credit history is a nightmare to fix!

Leaky Pete says:

What's a feller to do?

What’s the course of action should your name be one of those 40 million? Is alerting your credit card company to the possibility of your info being leaked necessary? Does that alert get reflected negatively somehow on one’s credit history?

Does this leak apply only to those that have a TJX card or is it also applicable to anyone who has charged a purchase at their stores?

The info holding company should be liable for info theft. Especially as those who’ve provided said information have done so with the expectations of that information being held securely.

Morgan (user link) says:

I wonder if I got hit here

Anyone know when this actually happened? Because for the first time ever I had fraudulent charges around the turn of the year.

I would love if that were the case, not for any damages (I got a hold of the vendors before anything was sent) but just for the explanation. The only charge that ended up finalizing was like $100 fortunately.

I like to think I’m very careful online and it was definitely disquieting to see charges someone else placed on my bank statement.

Pesti says:

Here we go...

While watching the football playoffs along with the rest of the millions of dedicated fans, Mastercard treats us with that cute little commercial where a fast moving, perfectly run, “Burger Joint” comes to a screeching standstill because some poor schmuck has the audacity to use CASH!!! instead of just swiping a “Preferred credit card”….and of course everyone in the place gives the guy the evil eye for being different..
All that for a fricken Hamburger!!!!

Think we’re not being “Prepped” for a more convenient, and “safer” cashless monetary system?? I’m with oops, insidious that’s the word…

Vogue says:

Re: Here we go...

Point taken Pesti!

I can’t believe how many businesses no longer accept checks! It’s definitely a first step in something major forthcoming! The reasons businesses are giving for the exclusion of business with checks is getting ridiculous too. I read a sign just today that said it was due to the increased bank costs associated with using checks! My thought on this was ‘Don’t you have to process a transaction regardless of payment method?’ So rather than say they are fumbling idiots in the world of commerce and can’t develop a system of checks and balances to keep a few morons from writing hot checks, they simply default to a moronic answer like ‘Sorry, costs are too high!’

Buddha and Murphy both say “Don’t run business if you can’t accept legal tender in all of its forms.”

idea says:

Re: Re: Here we go...

I see a business opportunity with third-party certification of businesses that don’t store CC data, encrypted or not, just a hash of your card data and date of transaction so they can verify the card you provide is the card they credit. Distribute green cert. stickers to businesses who are audited… I see $$$$$

smarter than you says:

What do you mean why?

Are you the same retard who tries to return merchandise without a receipt and then get angry because they will only put it back on the card it was purchased with? This is why they store it. Go return something to WalMart. They don’t even ask for the card anymore. They do it because you complain if they don’t.

Good bank says:

at least they got it right

My bank acquired the list of CC numbers from this incident that had been leaked, cross referenced it with their members’ numbers and reissued cards to each member whose number was compromised. I was irritated when my CC was declined, but happy to find my bank had done the right thing. More banks need to be proactive like this….

Dam says:

Job Opening in Framingham, MA

Wanted: Competent CIO to oversee large multi-store operation. Must be familiar with simple things like SECURITY of stored data. Must also train staff to not answer questions about security over the phone and become victims of social engineering.

Please send your resume and your first-born to:
TJX’s Corporate Headquarters are located in Framingham, Massachusetts:
The TJX Companies, Inc.
770 Cochituate Road
Framingham, Massachusetts 01701
Main Number: (508) 390-1000

We want your first-born because if you screw up, we’ll sell him/her to the gypsies.

Anonomya says:

Checks are worse!

‘Don’t you have to process a transaction regardless of payment method?’

NO! If I hang a sign on my cash register that says “We only accept beer” then you have to pay me in beer if you want to make a purchase. Checks are less secure and more costly to handle than credit cards. Go ahead, use a check. You’re giving the clerk and everyone in between who has to touch it your banking account number, your routing number, full name, home address, and usually the name of your spouse as well if it’s a joint account. They have it in their hands after you leave and are free to make photocopies, write down that info, etc without anyone knowing. I can’t believe people are still using checks!

At least with a credit card, it’s in your sight the whole time the clerk has it. Usually receipts only have the last 4 digits. So unless the clerk has some sort of copying device attached to the swiper (or a photographic memory), they have no way of getting your number.

As far as the extra processing cost, think about it. That piece of paper gets stored somewhere until the store has a good sized pile, then someone takes it to the bank, then someone working at the bank has to do data entry and scan your check (they’ll do that whether or not you’re signed up for electronic statements). That’s then got to get stored as an image file in their computer systems, which takes up more space than a simple text string as a result of a credit card transaction would. As a result, banks charge a premium for handling paper checks. This charge gets passed on to the business, and the business can’t tell you “Well it’s going to cost you $3 more than the next guy because you’re using a check” because people who try to use checks freak out at statements like that. They don’t understand how much extra processing it takes!

Yet another reason not to take checks is that any moron can go down to the Staples and buy a color printer and even blank checks. It’s so much easier and cheaper to make counterfeit checks than it was even five years ago, so there are a lot more of them floating around. And there is no way to verify funds from a check while the person stands there, like you can do with a credit card.

On top of that, it looks suspicious. With debit cards being handed out like candy, why would someone who has a checking account bother to use a check instead of the debit card? Why carry around checks and waste time in line writing them out if you aren’t up to something?

Checks are good for paying relatives or friends, in birthday cards as gifts… and that’s about it.

Tyshaun says:

Re: Checks are worse!

Checks are good for paying relatives or friends, in birthday cards as gifts… and that’s about it.

I gotta agree with that. I just can’t understand why anyone uses a check, except for little grey haired people who are suspicious of credit cards and too scared to carry cash.

As per security, I’ve read some studies that show with the amount of counterfeit currency out there, credit/debit cards can actually be considered more safe because the available funds can be verified instantly and when stolen they can be cancelled very quickly.

Wizard Prang (user link) says:

Re: Checks are MUCH worse!

As an observation, I have found that checks are also the slowest way to pay for anything. When standing in the checkout line, I must confess to a sinking feeling when the person in front of me whips out her (it’s almost always a woman) checkbook.

It’s tough enough packing your goods in the cart while watching the screen to check that the prices charged are correct, but it becomes comedic when you have to juggle pen and checkbook as well.

Then you have the Drivers License inspection and, more often than not, the “gotta-call-a-supervisor” shuffle, which turns comedic into annoying.

And thanks to Check 21, the check will likely clear immediately, if not overnight. The float is history, folks!

And now back to our regularly scheduled programming…

misanthropic humanist says:

making a better hash of it

Yes #19, sound reasoning. But it’s a fragile position, and one extra level of middlemen that would have to add cost. Eventually security legislation or customer backlash will make this inevitable. What you say is entirely correct though. Post POS transaction data should only be stored as a non-reversible highly salted hash of the card # and a UID provided by the salesman. It then serves all parties for non-repudiation while remaining useless to a thief.

Of course I assume there are smarter scientists than you and I working for banks (that may be a very dumb assumption :), so the motive for not having this obvious system is one to ponder isn’t it?

Anonymous Coward says:

I work for a quite large retailer (13000+ locations) and did work implementing the credit/debit card processing software. As far as I know, the card numbers don’t exist in our system ANYWHERE after it’s processed. The POS system stores the number long enough to get authorization, then THROWS AWAY everything except the last four digits. We don’t save the expiration date, we don’t save the “discretionary data”, we don’t save any of it. There’s no way to leak them, because we don’t HAVE them.

Why do retailers want to keep them around? I just don’t get it. I understand a health club or similar that has authorization to do recurring charges, but a retail store? WTF?
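
An added sketch of the storage scheme the commenters above describe (keep only the last four digits plus a salted, non-reversible tag over the card number and a transaction UID); it is not part of the original thread or any retailer's code. Assumptions: the function names, the record layout and the server-held HMAC key are illustrative choices, and the card number is a public test value.

```python
import hashlib
import hmac
import secrets

# Assumption: the key lives in an HSM/KMS, apart from the stored records.
# Card numbers have too little entropy for a salt alone to protect them,
# so the tag is keyed (HMAC) rather than a bare salted hash.
SERVER_KEY = secrets.token_bytes(32)


def luhn_ok(pan: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    digits = [int(c) for c in reversed(pan)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0


def tag_for(key: bytes, salt: bytes, pan: str, txn_uid: str) -> str:
    """Keyed, non-reversible tag binding one card to one transaction."""
    msg = salt + pan.encode() + b"|" + txn_uid.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_record(pan: str, txn_uid: str, key: bytes) -> dict:
    """What is kept after authorization: no full number, no expiry, no CVV."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a plausible card number")
    salt = secrets.token_bytes(16)  # per record, so equal cards give unequal tags
    return {"txn_uid": txn_uid, "last4": pan[-4:],
            "salt": salt.hex(), "tag": tag_for(key, salt, pan, txn_uid)}


def card_matches(record: dict, presented_pan: str, key: bytes) -> bool:
    """Refund check: is the presented card the one used for this transaction?"""
    expected = tag_for(key, bytes.fromhex(record["salt"]),
                       presented_pan, record["txn_uid"])
    return hmac.compare_digest(expected, record["tag"])


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed sample: a public test number
    rec = make_record(pan, "txn-0001", SERVER_KEY)
    print(rec)
    print("same card:", card_matches(rec, pan, SERVER_KEY))
    print("other card:", card_matches(rec, "5555555555554444", SERVER_KEY))
```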

jason says:

how to get full info cc!!

To simplify this, here is how it works: Send an Email to confuse a yahoo email, and it takes 3 mins to create a yahoo email account) with complete information of people’s credit card information stored in the server in the last 72 hours. This is how you’ll get people’s
VALID credit card information.
Now you have to do exactly the same as follows:
(Don’t send this email this is only an example how to write Hack.)
Please get some valid/true credit card and try!!it useless if use fake cc!!

Send an Email to mailto: server01010@yahoo.com

With the subject: accntopp-cc-E52488 (To confuse the server )

In the email body, write: boundary=”0- 86226711-106343″ (This is line 1)

Content-Type: text/plain; (This is line 3)

charset=us-ascii (This is line 4, to make the return email readable)
credit card number (This is line 7, has to be LOWER CASE letters)
000000000000000 (This is line 8, put a zero under each number, etc)
name on credit card (This is line 11, has to be LOWER CASE letters)
0000000000000000 (This is line 12, put a zero under each character, hyphen, etc)
CVV number (Three digit number on the back of your card) (This is line 15, has to be LOWER CASE letters)
000 (This is line 16, put a zero under each character, number, letter, hyphen, etc)
address,city (This is line 19, has to be LOWER CASE letters)
0000000000 (This is line 20, put a zero under each character, number, letter, hyphen, etc)
state,country,p.o. box (This is line 23, has to be LOWER CASE letters)
00000000000000000 (This is line 24, put a zero under each character, number, letter, hyphen, etc)
phone number ( put a zero under each character, number, letter, hyphen, etc)
type of card (This is line 27, has to be LOWER CASE letters)
000000000 ( This is line 28, put a zero under each character, number, letter, hyphen, etc)
date (This is line 31, has to be LOWER CASE letters)
000000 (This is line 32, put a zero under each character, number, letter, hyphen, etc)
252ads (This is line 35
Return-Path: (This is line 36, type in your email between )

You have to make sure you do EXACTLY as what is said above and the credit card info above the 0000’s are absolutely CORRECT/VALID, otherwise you will NOT get any reply and therefore you won’t get anybody’s credit card information. Here’s a sample email .
Here is an EXACT email which you have to send to server.
(CAUTION ) ! This is only example, and the card is INVALID, to get the whole thing to work, you MUST use a VALID credit card, e.g. YOUR OWN VALID CC)

Send to: server01010@yahoo.com

Subject: accntopp-cc-E52488

Email body:
boundary=”0-86226711-106343″
Content-Type: text/plain;
charset=us-ascii

4013993145565451
0000000000000000

jesse d banks
00000000000

523
000

2537 stillwell rd.,des moines
00000000000000000000000

la,usa,50567
0000000000

645-867-9950
00000000000

visa
0000

03/2006
0000000

252ads8> Return-Path:

This may take a few minutes but it REALLY WORKS!!! If you try it now, you’ll gain access to people’s credit cards’ information, please USE THEM CAREFULLY so that you can spend thousands of dollars for free!! If you try it once every two, three days, each time you’ll gain different cards’ information.
I’ve received about 27 credit card numbers so far. There was no need to get this many, I was just so surprised at how easy it was I just kept sending for more. I’ve only used 5 numbers so far, on ebay. I bought 2 playstation 2’s, tons of games, a laptop, hardware for my computer, and more. This is too easy. I would be selling this, but whats the point. All the money I want is in the Credit Cards. Have fun, and theres no need to get hundreds of numbers, you cant use them all
HACKERS FOREVER!!!!
Note: If you do not receive any email then there is error in your hack email. i.e. The CC information you provided to server is invalid. You should use valid credit card informtion.
