45-million Credit Card #s stolen from TJ Maxx...who is responsible here? | FerrariChat

Discussion in 'Other Off Topic Forum' started by REMIX, Mar 29, 2007.

  1. REMIX

    REMIX Two Time F1 World Champ

    This is getting ridiculous. I think these companies need to be held accountable for once. Seems like every week there's a breach. Your credit gets destroyed by thieves and YOU have to suffer. If nothing else, Congress (yes, Congress) needs to force the credit reporting industry to revamp its practices and take some of the wind out of their sails. They wield way too much power and need to be reined in. Cannot do anything with a crappy credit rating (open a bank account, rent an apartment). Time this came to an end.

    These companies (i.e., TJ Maxx) need to pay for their oversight as well.

    RMX

    ---

    TJ Maxx Parent Company Data Theft Is The Worst Ever


    The intrusion hands the retailer the dubious honor of surpassing the 40 million stolen customer record mark, something that only CardSystems had been able to achieve.


    By Larry Greenemeier
    InformationWeek

    March 29, 2007 01:00 PM

    TJX Co., the parent company of T.J. Maxx and other retailers, on Wednesday dropped a bombshell in its ongoing investigation of a customer data breach by announcing in a Securities and Exchange Commission filing that more than 45 million credit and debit card numbers have been stolen from its IT systems. Information contained in the filing reveals a company that had taken some measures over the past few years to protect customer data through obfuscation and encryption. But TJX didn't apply these policies uniformly across its IT systems and as a result still has no idea of the extent of the damage caused by the data breach.

    As a result, TJX is a company under siege. The company recorded a fourth-quarter charge of about $5 million to cover the costs of containing and investigating the breach, as well as improving the security of its IT systems, communicating with customers, and paying legal fees. The U.S. Federal Trade Commission has launched an investigation of TJX. While the FTC wouldn't reveal the nature of the investigation or when it began, it's likely the result of the data breach. And lawsuits have begun to fly, including one by the Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock.

    The intrusion into TJX's IT systems also hands the retailer the dubious honor of surpassing the 40 million stolen customer record mark, something that only CardSystems had been able to achieve. And it puts to shame the Veterans Affairs Department, which last year briefly lost track of more than 26 million records thanks to a stolen employee laptop.

    The effects of the stolen TJX data, not to mention the underground cyber criminal economy that trades in customer data, are already being felt. TJX, General Dynamics Corp., IBM, and the various law enforcement entities investigating the cyber attack still don't know who took the customer information, but it's clear where some of that information ended up. Data stolen from TJX recently surfaced at Wal-Mart stores in Florida, where it's been used to help thieves steal about $8 million in merchandise from Wal-Mart stores. The thieves used the stolen TJX customer data to create dummy credit cards for purchasing Wal-Mart and Sam's Club gift cards, and then used those to hit stores in 50 of Florida's 67 counties.

    TJX claims it also doesn't know "whether there was one continuing intrusion or multiple, separate intrusions," according to the SEC filing. What the company does know is that on Dec. 18, it learned of suspicious software on its computer systems. By Dec. 21, "there was strong reason to believe that our computer systems had been intruded upon and that an intruder remained on our computer systems," the filing says. Given that the intruder was still operating, U.S. Secret Service advised TJX officials that disclosure of the suspected intrusion might impede their criminal investigation and requested that the company keep a lid on the incident until law enforcement gave them the green light to announce the breach.

    The company disclosed the breach on Jan. 17, only to later find that the intrusion may have been initiated earlier than it had originally reported and that additional customer information potentially had been stolen. Based on the investigation to date, it's believed that TJX's computer systems were first accessed by an unauthorized intruder in July 2005, on subsequent dates in 2005, and from mid-May 2006 to mid-January 2007, but that no customer data were stolen after Dec. 18.

    While it's easy to wag a finger at TJX, which has more than 2,000 retail locations in the U.S. and many more in areas including Canada, Puerto Rico, and the U.K., for shoddy security, the truth isn't so simple. The company has a history of implementing some measures to protect customer information, but it didn't apply these measures consistently or firmly enough to withstand the sophistication of the attack against its systems.

    The customer information was taken from TJX computers in Framingham, Mass., that process and store information related to payment card, check, and certain merchandise return transactions for customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico. TJX's Winners and HomeSense stores in Canada and the company's computer systems in Watford, U.K., that process and store information related to payment card transactions at T.K. Maxx in the U.K. and Ireland, also were breached.

    But, transactions stored in its Framingham systems haven't included data contained in payment card magnetic stripes since September 2003. And by April 2006, the Framingham system generally also masked payment card PINs, some other portions of payment card transaction information, and some portions of check transaction information. Masked data is permanently deleted and replaced with asterisks. For transactions after early April 2004, the Framingham system also "generally" began encrypting all payment card and check transaction information, according to the filing.

    Still, TJX failed to completely lock down its customer data. The cyber thieves that hit the company may have stolen payment card data from the Framingham system during the payment card issuer's approval process, in which data is transmitted to payment card issuers without encryption, the filing says. TJX's security may have been further compromised by the cyber criminals having access to the decryption tool for the encryption software that TJX uses. This could have been the result of an insider or a successful hack by the cyber thieves into a TJX database where the keys were stored.

    The sophistication of the attack against its systems means that TJX has been able to identify only some of the information that was stolen, although the filing doesn't specify the exact means used to commit the breach. The investigation is ongoing, but TJX believes it "may never be able to identify much of the information believed stolen."

    TJX is learning a tough lesson in comprehensive data security as well as the lengths that attackers will go to steal data. The only bright spot to emerge from this disaster would be for other businesses to learn from TJX's mistakes. Granted, that's small consolation to the retailer, whose troubles are far from over.
     
  2. S Brake

    S Brake F1 World Champ

    Aug 3, 2006
    17,182
    Utah
    Full Name:
    Dave
    I agree with the credit industry having too much power. My credit got ruined because a doctor's bill was never forwarded to me after I moved from an apartment. Once I found out that I had a delinquent account I called the collection agency and paid it off. For a college student it has made things really inconvenient. I think that if it is something like my case where it obviously wasn't intentional and the debt has been paid off it shouldn't have a huge impact on credit.
     
  3. RacerX_GTO

    RacerX_GTO F1 World Champ
    Silver Subscribed

    Nov 2, 2003
    14,750
    Oregon
    Full Name:
    Gabe V.
    I get the feeling that this is another one of those companies that didn't think their IT security department was really that important. And now look what happened.

    My take on this is that if you are going to run a company that handles sensitive information such as financial information, there had better be a high security standard that must be met before computer systems are plugged into a network. If that security criteria is not met, then those computers are not allowed to process any information. IT security is constantly being updated within its own community, there's always new firewalls being developed, new ways to design "honey pots" and ways to encrypt sensitive data. There is no excuse today, while maintaining an IT security department, to not be part of this loop.

    I'm not a fan at all of government getting into private business, but if the private sector could run with this and enforce it within, it could be a win for not only the companies, but the clients who buy from them.
     
  4. djui5

    djui5 F1 Veteran

    Aug 9, 2006
    5,418
    Phoenix, Arizona
    I agree, this is f'n out of line. We live in a society ruled by credit, like you said you can't do **** without, and these companies are being so reckless with such private information. The identity theft industry is thriving on jackasses like this. When your numbers get stolen, it's a nightmare to ever get them back and your life will never be the same. So sad that we have to live in an economy like this. They want to move into a completely plastic/card society. Yeah right.
     
  5. frefan

    frefan F1 Veteran

    Apr 21, 2004
    7,370
    IT managers are either lazy, ignorant and/or constrained by politics or budgets. It's time for some of them to spend some time in the big house with the CEOs who take massive salaries and at the same time cut IT budgets, to rethink their careers and obligations. Just my .02
     
  6. SRT Mike

    SRT Mike Two Time F1 World Champ

    Oct 31, 2003
    23,343
    Taxachusetts
    Full Name:
    Raymond Luxury Yacht
    On a tangential note, Microsoft is largely to blame due to the sheer number of gaping holes they leave in security of their products. It's atrocious how insecure Windows, IE, Office, Outlook and other applications are. Then again, a company probably should know that and take steps to protect against it.

    I've always found that it's a good practice not to keep CC numbers if you don't need them. Unless someone is a recurring customer of mine that I need to charge on an ongoing basis, I erase their CC number 3 months after the sale. I only keep it 3 months because that's the longest I can do a refund on a CC (and I need to know the original CC number to do a refund).

    I can't understand why TJ Maxx would want to keep 45 million CC numbers on file. Maybe I am missing something but if they are not going to be charging those numbers, why keep them?

    It makes consumers jumpy. It still bothers me when I go to a store and they ask for my phone number or ZIP code - NOYB!
     
  7. Etcetera

    Etcetera Two Time F1 World Champ
    Silver Subscribed

    Dec 7, 2003
    23,984
    Full Name:
    C6H14O5
    Where do they state they were using MS products at the time of the cracks?
     
  8. SRT Mike

    SRT Mike Two Time F1 World Champ

    Oct 31, 2003
    23,343
    Taxachusetts
    Full Name:
    Raymond Luxury Yacht
    They don't. That's why it's a tangent.

    But MS is singlehandedly responsible for some of the worst gaping security holes around. Coupled with a badly designed IT infrastructure could lead to disastrous effects (like loss of CC numbers).

    Maybe one of the PCs that had access to the data was running Windows :) You don't need to break into the server directly to get to the data on the server. Any unit with access that is compromised compromises everything it has access to.
     
  9. Etcetera

    Etcetera Two Time F1 World Champ
    Silver Subscribed

    Dec 7, 2003
    23,984
    Full Name:
    C6H14O5
    A well designed and administered IT infrastructure using MS products is no less secure than anything else.
     
  10. frefan

    frefan F1 Veteran

    Apr 21, 2004
    7,370
    It's not M$'s fault. TJ should not have stored the cc#s in the database unencrypted. It's OK to store the data for repeat customers (who wants to type their cc# every time). The application can retrieve the cc# from the database, decrypt it with the customer's login info during a transaction only. It's not that hard.
     
  11. REMIX

    REMIX Two Time F1 World Champ

    I just think some of the teeth need to be knocked out of the credit industry. It's so fcuked up IMO. The consumer is the enemy who must be "kept in line" these days. The credit industry is not set up or designed to deal with these problems, either. There's NO accountability on behalf of the bureaus OR the parties who mishandle this information. There are no checks and balances to protect people or their information. The burden is on the consumer. Period. Good luck because you essentially have zero recourse if someone steals your identity from TJ Maxx (of all places) and screws up your life. Someone needs to be held accountable for all of this BS.

    Here's something else - your FICO is not supposed to be relied upon 100% by lenders anyway, but people do.

    The best part? The bureaus are making a fortune off of "credit monitoring". In my opinion they created the problem.

    RMX
     
  12. TG

    TG F1 Veteran

    Oct 26, 2004
    6,290
    Newport Beach, CA
    Full Name:
    Taylor
    Honestly, when's the last time you guys went to TJ Maxx?

    Come on, you can tell us :D
     
  13. 62 250 GTO

    62 250 GTO F1 Veteran

    Jan 9, 2004
    7,765
    Nova Scotia Canada
    Full Name:
    Neil
    If TJ Maxx didn't break a law, then no one has to be blamed.

    If a bank vault is secure and built well and someone blows the door open, who really can be blamed?

    It's too bad though, that's a lot of info.
     
  14. REMIX

    REMIX Two Time F1 World Champ

    Stealing money from a safe and stealing someone's identity are entirely different things. Typically a bank is insured against those kinds of losses and the loss of what's in the vault won't make it nearly impossible for the bank to continue conducting business in the manner to which it is accustomed.

    A more fitting analogy would be the bank vault being blown open and robbed, and the insurance company - without consideration - BLAMING the bank, tarnishing its business reputation and then denying the claim unless they could prove to their satisfaction no one associated with them had anything to do with the break in.

    In the real world, the destruction of the person's financial life can be near ruinous. You can't call an insurance company to fix that.

    RMX
     
  15. ZINGARA 250GTL

    ZINGARA 250GTL F1 World Champ
    Owner

    Jun 21, 2002
    17,499
    PA
    Full Name:
    Ken
    Fine! Everything that has been said is fine. Accountability is fine. Getting angry is fine. Getting the worst blithering idiots of all time (Congress) involved is fine. Getting you to monitor your transactions is.................too much trouble to ask. If you don't check it weekly, why is that someone else's issue? Sorry.
     
  16. smg2

    smg2 F1 World Champ
    Sponsor

    Apr 1, 2004
    16,329
    Dumpster Fire #31
    Full Name:
    SMG
    So you monitor it? Big whoop, once they have stolen your info and run with it you're screwed! All the jumping up and down won't fix it. Sure you may get your money back but your info is still out there and they don't issue new SSNs. Just the other week the bank posted a $11.50 charge, all I have is a 1-800# for the charge. I call the number and get another recording directing the caller to another 866#. It's flagged as fraud and the bank refunds the money. But the bigger question is, will it happen again and what other info do they have?
     
  17. David_S

    David_S F1 World Champ
    Silver Subscribed

    Nov 1, 2003
    11,260
    Mountains of WNC...
    Full Name:
    David S.
    Bingo! Hit the nail right on the head. Didn't even know TJ Maxx was still around.
     