45-million Credit Card #s stolen from TJ Maxx...who is responsible here?

This is getting ridiculous. I think these companies need to be held accountable for once. Seems like every week there's a breach. Your credit gets destroyed by thieves and YOU have to suffer. If nothing else, Congress (yes, Congress) needs to force the credit reporting industry to revamp its practices and take some of the wind out of their sails. They wield way too much power and need to be reigned in. Cannot do anything with a crappy credit rating (open a bank account, rent an apartment).Time this came to an end.

These companies (i.e., TJ maxx) need to pay for their oversight as well.

RMX

---

TJ Maxx Parent Company Data Theft Is The Worst Ever


The intrusion hands the retailer the dubious honor of surpassing the 40 million stolen customer record mark, something that only CardSystems had been able to achieve.


By Larry Greenemeier
InformationWeek

March 29, 2007 01:00 PM

TJX Co., the parent company of T.J. Maxx and other retailers, on Wednesday dropped a bombshell in its ongoing investigation of a customer data breach by announcing in an Securities and Exchange Commission filing that more than 45 million credit and debit card numbers have been stolen from its IT systems. Information contained in the filing reveals a company that had taken some measures over the past few years to protect customer data through obfuscation and encryption. But TJX didn't apply these policies uniformly across its IT systems and as a result still has no idea of the extent of the damage caused by the data breach.

As a result, TJX is a company under siege. The company recorded a fourth-quarter charge of about $5 million to cover the costs of containing and investigating the breach, as well as improving the security of its IT systems, communicating with customers, and paying legal fee. The U.S. Federal Trade Commission has launched an investigation of TJX. While the FTC wouldn't reveal the nature of the investigation or when it began, it's likely the result of the data breach. And lawsuits have begun to fly, including one by the Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock.

The intrusion into TJX's IT systems also hands the retailer the dubious honor of surpassing the 40 million stolen customer record mark, something that only CardSystems had been able to achieve. And it puts to shame the Veterans Affairs Department, which last year briefly lost track of more than 26 million records thanks to a stolen employee laptop.

The effects of the stolen TJX data, not to mention the underground cyber criminal economy that trades in customer data, are already being felt. TJX, General Dynamics Corp., IBM, and the various law enforcement entities investigating the cyber attack still don't know who took the customer information, but it's clear where some of that information ended up. Data stolen from TJX recently surfaced at Wal-Mart stores in Florida, where it's been used to help thieves steal about $8 million in merchandise from Wal-Mart stores. The thieves used the stolen TJX customer data to create dummy credit cards for purchasing Wal-Mart and Sam's Club gift cards, and then used those to hit stores in 50 of the Florida's 67 counties.

TJX claims it also doesn't know "whether there was one continuing intrusion or multiple, separate intrusions," according to the SEC filing. What the company does know is that on Dec. 18, it learned of suspicious software on its computer systems. By Dec. 21, "there was strong reason to believe that our computer systems had been intruded upon and that an intruder remained on our computer systems," the filing says. Given that the intruder was still operating, U.S. Secret Service advised TJX officials that disclosure of the suspected intrusion might impede their criminal investigation and requested that the company keep a lid on the incident until law enforcement gave them the green light to announce the breach.

The company disclosed the breach on Jan. 17, only to later find that that the intrusion may have been initiated earlier than it had originally reported and that additional customer information potentially had been stolen. Based on the investigation to date, it's believed that TJX's computer systems were first accessed by an unauthorized intruder in July 2005, on subsequent dates in 2005, and from mid-May 2006 to mid-January 2007, but that no customer data were stolen after Dec. 18.

While it's easy to wag a finger at TJX, which has more than 2,000 retail locations in the U.S. and many more in areas including Canada, Puerto Rico, and the U.K., for shoddy security, the truth isn't so simple. The company has a history of implementing some measures to protect customer information, but it didn't apply these measures consistently or firmly enough to withstand the sophisticated of the attack against its systems.

The customer information was taken from TJX computers in Framingham, Mass., that process and store information related to payment card, check, and certain merchandise return transactions for customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico. TJX's Winners and HomeSense stores in Canada and the company's computer systems in Watford, U.K., that process and store information related to payment card transactions at T.K. Maxx in the U.K. and Ireland, also were breached.

But, transactions stored in its Framingham systems haven't included data contained in payment card magnetic stripes since September 2003. And by April 2006, the Framingham system generally also masked payment card PINs, some other portions of payment card transaction information, and some portions of check transaction information. Masked data is permanently deleted and replaced with asterisks. For transactions after early April 2004, the Framingham system also "generally" began encrypting all payment card and check transaction information, according to the filing.

Still, TJX failed to completely lock down its customer data. The cyber thieves that hit the company may have stolen payment card data from the Framingham system during the payment card issuer's approval process, in which data is transmitted to payment card issuers without encryption, the filing says. TJX's security may have been further compromised by the cyber criminals having access to the decryption tool for the encryption software that TJX uses. This could have been the result of an insider or a successful hack by the cyber thieves into a TJX database where the keys were stored.

The sophistication of the attack against its systems means that TJX has been able to identify only some of the information that was stolen, although the filing doesn't specify the exact means used to commit the breach. The investigation is ongoing, but TJX believes it "may never be able to identify much of the information believed stolen."

TJX is learning a tough lesson in comprehensive data security as well as the lengths that attackers will go to steal data. The only bright spot to emerge from this disaster would be for other businesses to learn from TJX's mistakes. Granted, that's small consolation to the retailer, whose troubles are far from over.

 

I just think some of the teeth need to be knocked out of the credit industry. It's so fcuked up IMO. The consumer is the enemy who must be "kept in line" these days. The credit industry is not set up or designed to deal with these problems, either. There's NO accountability on behalf of the bureaus OR the parties who mishandle this information. There are no checks and balances to protect people or their information. The burden is on the consumer. Period. Good luck because you essentially have zero recourse if someone steals your identity from TJ Maxx (of all places) and screws up your life. Someone needs to be held accountable for all of this BS.

Here's something else - your FICO is not supposed to be relied upon 100% by lenders anyway, but people do.

The best part? The bureaus are making a fortune off of "credit monitoring". In my opinion they created the problem.

RMX

 

Stealing money from a safe and stealing someone's identity are entirely different things. Typically a bank is insured against those kinds of losses and the loss of what's in the vault won't make it nearly impossible for the bank to continue conducting business in the manner to which it is accustomed.

A more fitting analogy would be the bank vault being blown open and robbed, and the insurance company - without consideration - BLAMING the bank, tarnishing its business reputation and then denying the claim unless they could prove to their satisfaction no one associated with them had anything to do with the break in.

In the real world, the destruction of the person's financial life can be near ruinous. You can't call an insurance company to fix that.

RMX