
Tuesday, November 13, 2007


VISA KNEW TJX HAD SECURITY PROBLEMS


The Visa credit card company knew in late 2005 that TJX (TJ Maxx, Marshalls) had “extensive security problems,” but made the decision to allow the retail chain to remain non-PCI-compliant until 2009. This meant that TJX did not have to meet the payment card industry security requirements at that time. According to an eWEEK.com article by Evan Schuman, a Visa VP wrote the conceding letter in December of 2005, months after the bad guys had hacked into the TJX system. Whether or not the retailer was doing its best to mitigate the problem remains to be seen, but what is for sure is that this turned into the largest data breach that this country has ever experienced. 94 million credit card numbers are out there, and they are there because the ID thieves planned to use them to steal consumers’ names and private information.

I did a post on this in late October which you can see here. The theme of that article was that we cannot depend on business to protect our names and personal data, and this latest disclosure of Visa’s earlier decision on TJX PCI compliance supports that premise. TJX said in their original announcement that “only” 45.6 million credit card numbers were stolen, adding that 75% were unusable. Let’s hope this applies to the 94 million figure as well, but, regardless, even at the lower number, there will still be 11.4 million usable credit cards in the hands of the crooks.

You can read more about this in a ComputerWorld article, which covers a lot of the current litigation against TJX by several banks, including a class-action lawsuit. The 94 million figure is based on information from the bank litigants, but TJX is sticking to its original number. A leading technology expert says the reason for the discrepancy is that TJX probably didn’t have the necessary records for a complete analysis of the incident. Steven D. Bearak, chief executive of Identity Force in Framingham, Mass., where TJX is also headquartered, comments: “Customers are at a high risk. This was an intentional, malicious intrusion into TJX's system. This appears to have been an attack, well thought out, well planned, and well executed.”

I emphasize this point again to convince the American public that there is money behind the madness of these identity thieves… the consumers’ money. Stealing your sensitive data for profit is a business, a very sophisticated one, and it’s not going to go away any time soon. There are band-aids to prevent further harm after the initial damage is done, but none of these will guarantee your security unless you literally shut down your credit access. There is only one way that the consumer can live his or her normal lifestyle and keep their names and private information totally secure. That is to have control over this sensitive data, and while we’re at it let’s compensate the name-holder when it is sold. And you will continue to hear this until it sinks in.
