TJX DATA BREACH MORE THAN DOUBLES, PROVING THE EXPERTS RIGHT AGAIN

There are two things that the privacy community has been saying for some time now—and that includes this blog—re. announcements of data breaches. First, the number of personal records lost that is quoted by the company is probably less than it really is. Second, the selling of the stolen information by the ID theft underworld will continue for months to come. And that is exactly what has happened in the TJX (TJ Maxx, Marshalls in the US, Winners and HomeSense in Canada) case which originally reported 45.7 million credit and debit card numbers stolen, but according to recent court documents in lawsuits against TJX, the new number is officially 94 million. Second, fraud-related cases from the breach involving Visa cards alone already range from $68 to $83 million spread across 13 countries, and, according to Visa USA’s VP of investigations and fraud management, this will continue for who knows how long. (See MSNBC story) One of the reasons the Visa executive, and other privacy activists like myself are so sure the stealing of victims’ private information will continue is that it has happened before. Another is that the identity crooks were cruising around the Marshalls’ parking lot in 2005, able to access what they wanted using a directional antenna to download the data. And what they wanted was customer sensitive data to sell. eWeek.com breaks the total down to 29 million MasterCard victims, and 65 million Visa victims, these figures also taken right from the same court files in Boston. The breach continued undetected for seventeen months, during which time the hackers had a field day in TJX’s central database. Legal action has also been filed against Fifth Third Bancorp which processed some payment card transactions, and banks affected are seeking class action certification so others can join in the complaint. From our neighbors up North, all news radio 680 reports that there is a new survey that says the Canadians “are very nervous about their personal information.” That can be attributed to the fact that Canadian privacy law is much stronger than here in the US. (See earlier post on TJX) There’s a good chronology of incidents from the TJX breach, also on eWeek.com, that follows how the bad guys moved 80GB of data and remained undetected for seven months. First of all, TJX was found not to be PCI compliant. The Payment Card Industry (PCI), including Visa and MasterCard, require merchants to protect cardholder information by adhering to a set of security standards. Therefore, it was rather simple through a high-speed connection for the intruder to transfer the data to another site on the Internet in California. Even in 2004 before the breach, TJX had several security deficiencies identified that included specific violations. This was confirmed by a company consultant who added that he had never seen such a void of monitoring in a company this size as he saw at TJX. It’s like the old saying, the gift that keeps giving. Well, this is the kind of breach that keeps taking…your money and time.