TJX Is Biggest Data Breach Ever
jcatcw writes "Jaikumar Vijayan reports for Computerworld that TJX is finally offering more details about the extent of the compromise which, at 45.6M cards, is the biggest ever. He has been following the story since it started. The systems that were broken into processed payment cards, checks, and returns for customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico, and customers of Winners and HomeSense stores in Canada and T.K. Maxx in the U.K. Customer names and addresses were not included in the stolen data. So far the company has spent about $5 million in connection with the breach. Several lawsuits have been filed against the company, including a suit by the Arkansas Carpenters Pension Fund, one of its shareholders, for failure to divulge more details about the breach."
Suggested new tag for stories like this - pwnshop
First we heard of this was our bank re-issuing Visa cards for anyone who had shopped there in the past.
-nB
When a breach like this happens, is the company legally obligated to inform those who may have had their information compromised? If so, how the hell do you do that with 45 million people?
The six named people must have had some deep insight to the code on which these systems were running. Maybe they had inside help. If I really wanted to be paranoid I'd suggest that the six named people were caught port-scanning the servers and they're being used as the fall guys so that the real criminals, probably insiders, can slip out the back door.
From TFA:
Customer names and addresses were not included with any of the payment card data believed stolen from the Framingham systems, TJX said. Also, the company "generally" did not store Track 2 data from the magnetic stripe on the back of payment cards for transactions
Also from TFA:
It is hard to know exactly what kind of data was stolen because a lot of the information accessed by intruders was deleted by the company in the normal course of business. "In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," the company said.
Sounds like they're just desperately trying to control the obviously egregious oversights that happened here. It also sounds like they're still trying to figure out what has happened. To say that heads are rolling is probably the biggest understatement ever.
The simple answer for users, and it exists now: revocable credit cards.
The long term is separation of credit and banking from the Social Security system.
Let's say that you're sitting at home one day. You get your credit card statement. Apparently your card is maxed out at $10,000. Your interest rate has tripled and the company is calling you wondering why you spent $10,000 in Bumfuck, India.
Ok, so you're not responsible.
How do you know how they got your info? It could have been from a call center, when you called about them double billing you over and over. It could have been when you called your bank, which also has call centers in India. It could have been when you lost your card and someone found it.
Point is, you probably will never know how they got your info. Only that they did. Even if you did find out, could you prove it in a court of law enough to sue TJX?
The stolen data was used for purchases at Walmart in Florida by making fake credit cards. It surely is big organised crime.
The worst part was getting a new PIN that didn't have the easy-to-remember "69" in the digits. Now I'm stuck with one that has no sexual connotations at all. Sniff.
Without knowing any details, I would have to say this kind of thing is inevitable. TJX is probably another company which views its IT staff as nothing more than a cost center, with all the expertise they need being a simple commodity. Why pay somebody with real experience and a proven track record a good salary when you can hire somebody with a bunch of certificates for 1/3 the cost? Or intimidate an H1-B employee into working 75 hours a week?
I wonder if making the upper management personally responsible for losses in cases like these would change their perceptions.
This affects some purchasers from the Canadian retailers Winners, and HomeSense, as per this CBC article.
More importantly, there have been recent arrests in Florida relating to this case.
..but decided not to tell anyone until late March, can we file a class action lawsuit for negligence if any of our card numbers were compromised, or illegally used?
Credit scores, reports and identity are in trouble in the US. It is a large pink elephant in the living room, but no one with any influence wants to admit it. Your credit record can be inaccurate due to:
1. Credit Agency mistake
2. Creditor error
3. Criminal activity
4. Poor security measures by xyz company
5. ???
With each of these problems, the onus for repair is on the customer / victim. There is no standard or easy resolution.
'How do you know how they got your info?'
Example (Score: 5, Interesting)
Well according to the article how they got the information by hacking TJX and using it to purchase large quantities of gift cards from Wal-Mart and Sam's Club. So in this case we don't have to wonder.
'in filings with the U.S. Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders'
'in partnership with the Gainesville Police Department, officials from the Florida Department of Law Enforcement said they have taken six of 10 suspects into custody for allegedly using the TJX customer data to purchase large quantities of gift cards from discount chains Wal-Mart and Sam's Club'
In other news a story on Microsoft's Get The FUD campaign mysteriously disappears, the title was: 'TJX Chooses Windows Over Linux for Reliability and Security'.
I'm joking, but you never know. On a more serious note: what mystifies me is why these companies need to store customers' credit card details at all?! Having had experience with POS (Point of Sale) I know that the system should keep these details long enough to complete a transaction, then it should delete them.
Security starts with only keeping the information you need. Courts should be questioning why these companies retained this data in the first place!
This is what happens when you buy Microsoft's line about how Windows is adequate for anything other than video games.
And Vista's so slow and has so many driver problems, it can't even do that very well.
I post this fleeting thought here to see if this is viable, and maybe spark a thought in the minds of Credit Card companies.
What if our CC numbers weren't so persistent. I have cards in my wallet that don't expire for 3 or 4 years. Why not issue a new card every 12 months? That way, people who steal credit cards from these systems only have at most 12 months to use them.
One possible problem: recurring bills. Instead of the one time use cards that Amex used to have (I REALLY liked those) or that Discover Card has now, you issue a One Merchant number. So if I want to purchase dedicated server hosting, I give the server company a specially created CC number that doesn't expire after 1 year, but once 1 merchant uses it, only that merchant can use it again.
What about returns? Keep your receipts.
Ok slashdotters. Poke your holes!
--B
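The "One Merchant number" idea above, worked through as an issuer-side model (an added example, not code from the post or from any card network): the number is unbound when issued, the first approved authorization binds it to that merchant, and any later use by a different merchant or after the card's lifetime is declined. Card numbers, merchant IDs and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class VirtualCard:
    """Issuer-side record for a single-merchant card number (constructed model)."""
    number: str
    expires: date
    bound_merchant: Optional[str] = None   # None until the first approved use


class Issuer:
    """Hypothetical issuer that enforces the merchant-binding rule at authorization time."""

    def __init__(self, today: date):
        self.today = today
        self.cards: Dict[str, VirtualCard] = {}

    def issue(self, number: str, lifetime_days: int) -> VirtualCard:
        card = VirtualCard(number, self.today + timedelta(days=lifetime_days))
        self.cards[number] = card
        return card

    def authorize(self, number: str, merchant_id: str, when: date) -> str:
        card = self.cards.get(number)
        if card is None:
            return "declined: unknown card"
        if when > card.expires:
            return "declined: expired"
        if card.bound_merchant is None:
            card.bound_merchant = merchant_id        # first use locks the number
            return "approved: bound to " + merchant_id
        if card.bound_merchant != merchant_id:
            return "declined: merchant mismatch"     # stolen number is useless elsewhere
        return "approved"


def demo() -> List[str]:
    """Recurring hosting bill at one merchant, then misuse of the same number elsewhere."""
    issuer = Issuer(date(2007, 3, 30))
    issuer.issue("4000-0000-0000-0001", lifetime_days=365)   # constructed number
    t0 = issuer.today
    return [
        issuer.authorize("4000-0000-0000-0001", "hosting-co", t0),
        issuer.authorize("4000-0000-0000-0001", "hosting-co", t0 + timedelta(days=30)),
        issuer.authorize("4000-0000-0000-0001", "discount-chain", t0 + timedelta(days=31)),
        issuer.authorize("4000-0000-0000-0001", "hosting-co", t0 + timedelta(days=400)),
        issuer.authorize("4000-0000-0000-0002", "hosting-co", t0),
    ]
```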
I agree with another post that mentions smart cards. Much more difficult to create fraudulent transactions when you _must_ insert the card into a reader for authentication.
But this is not about "banking" transactions. This is an almost unregulated gray area where the retailer is processing/managing its own credit accounts. It sounds like those accounts stored individuals' banking information along with their internal account info. (duhh!) This explains the ability for some bad guys to buy things elsewhere.
Some things to think about:
1. Did they write the software themselves? I suspect they didn't, but who knows. I'm sure there's hardly any reconciling/auditing features.
2. You will see more of these where accounts (ex. gift cards, store credit) will be fraudulently loaded with store credit for large-scale theft.
3. Since there is practically no regulation of this kind of financial activity (retailer-run credit accounts) expect quite a bit more theft. Both in dollars and banking info theft.
4. There's no way they have enough sysadmins/accountants doing the necessary auditing. Otherwise, they wouldn't have started what is a very profitable game for retailers. They operate as retailers, not banks.
Today's lesson: Don't get one of those store credit cards. You shouldn't be in debt to a retailer, ever.
'The six named people must have had some deep insight to the code on which these systems were running. Maybe they had inside help. If I really wanted to be paranoid I'd suggest that the six named people were caught port-scanning the servers and they're being used as the fall guys so that the real criminals, probably insiders, can slip out the back door'
:)
An interesting exercise in fallacious reductio ad absurdum. Just because they passed the cards doesn't mean they wrote the code and the Florida police caught them port-scanning the server and only arrested them to give the real criminals time to slip out the back door.
Do you seriously think the hackers would drive about Florida trying to pass the stolen cards, especially months after it went public? The six are more likely to be downstream crooks that purchased the stolen card details not realising where they came from.
Re: All encompassing (Score: 5, Interesting)
The answer isn't expensive smart cards with new infrastructure. As you've stated, the smart card chips aren't used in the majority of places.
Fortunately, we don't have to do that. It's way simpler.
1. Require all credit cards to add a photograph to the back as well as a signature panel. Overlay parts of the photo with holograms to make sure it's tough to copy. (It's not like the "lost card" field does fuck all when you've lost the card.)
2. Put identity photographs in everyone's credit history. If you're getting a mortgage or credit card or something else where you have to go in person, then it's pretty obvious if you're faking it.
3. Have the credit agency computers call a number listed in the credit history every time the history is accessed. ("This is Equifax. Beardo has applied for a $500k mortgage. If you are not aware of this transaction, call 1-800-HEY-WAIT.")
That's it.
The reason we won't see this - ever - is because it will cost the banks money to implement. When they can instead blame the victims for their DARING to have their stuff stolen, why bother to invest in making a secure environment? After all, it's perfectly secure from the bank's point of view.
Today's lesson: Don't get one of those store credit cards. You shouldn't be in debt to a retailer, ever.
Most of the time, the "store card" is offered by a bank. CompUSA's credit card program is administered by HSBC, etc...
1) Get job with TJX 2) Steal customer credit card information 3) PROFIT!
VISA International made some recent changes that make you responsible for many cases like this. I'm not joking; I just canceled 2 cards of mine due to the change in legal language (only a few words different, but according to my attorney, it totally shifts burden). I'm looking forward to "pay-as-you-go" account balance cards.
Deep insight is mainly useful to attackers who seek a very specific set of data from a particular target. People after credit card data typically just cast a wide net and exploit the low hanging fruit. Let a worm loose, it gets in somewhere. See what it finds. Exploit it. Much, much simpler. Of course since we lack the technical details you mentioned (and others) we have no idea what really happened, and the technical details would probably be interesting. I suspect that the weeks long delay in releasing the information that came out today was due to the fact that the investigators suspected, or merely feared, an inside job.
This is a common and largely emotional response to an attack like this. "Somebody broke into our highly secure system and stole 45 million customer records complete with credit card numbers? Inconceivable!" ("You keep using that word. I do not think it means what you think it means.")
It's certainly *not* a requirement to have "deep insight" into the code or even the specific computing infrastructure of the typical corporation in order to steal data. In fact, ordinary insight is sufficient once you have access, given the attacker has basic technical skills. Rather than deep insight, what is usually seen is a plodding industrial spam-like approach.
This sounds like a smokescreen. The "technology" might be quite simple and common. Any of these could apply, for example:
Yes, chargebacks can be a problem. But your other points are not universal. For me, there is little need to keep the credit card information once the transaction has been completed. The only piece of info that I store is the Transaction ID. I never store the Authorization number. Once the transaction is auth'ed, there is no point.
Refunds don't have to be made to the same credit card. But if I wanted to enforce that as a policy, I could go back to my processor (VeriSign) and look up the credit card number using the Transaction ID.
Your mileage may vary. But that is my experience.
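The retention rule argued for above (keep card details only long enough to complete the transaction) and in this post (store the Transaction ID, nothing else) as a merchant-side model. This is an added example, not the poster's system or any processor's API: the `Processor` class is a hypothetical stand-in that keeps the card number on its side and honours refunds by transaction ID, and the audit at the end scans the merchant's own records for anything that looks like a full card number. The card number is the widely published 4111... test value, not a real account.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

PAN_RE = re.compile(r"\d{13,19}")   # length range of payment card numbers


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell a card number from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class Processor:
    """Hypothetical payment processor: the only place the full card number is kept."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}   # txn_id -> PAN, never returned to the merchant

    def authorize(self, pan: str, amount_cents: int) -> str:
        txn_id = "TXN-%06d" % (len(self._vault) + 1)
        self._vault[txn_id] = pan
        return txn_id

    def refund(self, txn_id: str, amount_cents: int) -> bool:
        return txn_id in self._vault       # processor knows which card to credit


@dataclass
class SaleRecord:
    txn_id: str
    last4: str        # enough for receipts and customer service
    amount_cents: int


class Merchant:
    """Merchant that discards the card number as soon as the authorization returns."""

    def __init__(self, processor: Processor) -> None:
        self.processor = processor
        self.sales: List[SaleRecord] = []

    def sell(self, pan: str, amount_cents: int) -> SaleRecord:
        txn_id = self.processor.authorize(pan, amount_cents)
        rec = SaleRecord(txn_id, pan[-4:], amount_cents)   # PAN is not stored
        self.sales.append(rec)
        return rec

    def refund(self, txn_id: str, amount_cents: int) -> bool:
        return self.processor.refund(txn_id, amount_cents)   # lookup by ID, as in the post


def stored_pans(merchant: Merchant) -> List[str]:
    """Audit: return any Luhn-valid card number found in the merchant's records."""
    found = []
    for rec in merchant.sales:
        for field in (rec.txn_id, rec.last4, str(rec.amount_cents)):
            found.extend(m for m in PAN_RE.findall(field) if luhn_ok(m))
    return found
```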
If congress were to pass a law that forbids banks from collecting social security numbers and mandates that they destroy all social security numbers already collected, has congress just solved the Identity Theft problem?
(Hint: the answer is "no")
I've seen the same. At Battelle, in Aberdeen, MD, more than one system had popups which arrived on the desktop when no browser was running. When I worked on the Aberdeen Proving Grounds military base, as a contractor for Battelle, the public use computers were absolutely riddled with quirks (e.g. sound drivers failing, mouse clicks lost, shared drives disappearing and reappearing) which weren't consistent with usual WinNT problems, weren't part of announced outages, and didn't correspond with scheduled system maintenance or upgrades.
While none of these events were ever well-tracked or investigated and could just as easily have been the generic useless malware variants, I wouldn't be at all surprised if a thorough forensics investigation uncovered more targeted attacks or trojans which had been slipped in under the guise of innocuous maladware.
Bogus transactions appeared on my card last week. The transactions looked pretty much like the kind of purchases I do all the time anyway, but somehow the card company (NatWest) security department noticed it was happening and blocked the card pretty quickly. I shop at TK Maxx all the time, and when I phoned them a couple of months ago they said we can't tell you anything but look out for any fraud on your card. Well, it happened, so I called them back yesterday and they said yep, it was likely my card details came out of their break-in.
There is a gigantic difference between "managing your own accounts" and "processing your own transactions."
One involves issuing payment instruments. One involves being responsible for accepting those transactions and settling with whomever did issue that payment instrument.
It is frequently worthwhile for large, national merchants to maintain their own relationships to the issuing associations; they control all the data, and they don't have to pay a merchant processor a cut. Tater's Toe Service may only have Visa/MC transactions per day; TJMaxx likely has (had) millions.
Also, a gift card is not a credit instrument, it's a debit instrument. Whoever issues you such an instrument isn't lending you money, they already have it. There is a gigantic difference between a, for example, JCPenney (or any other "private label") credit card and a JCPenney gift card -- the only real similarity is that either can only be used at JCPenney.
Oh, and like hell private label isn't regulated; it's regulated exactly the same way Visa, MasterCard, American Express, Discover, and any other is.
In short, you have demonstrated that not only do you not know what you're talking about, but you managed to jump into unrelated areas... where you still didn't know what you're talking about.
Make the corporation, its board, and officers personally responsible for lost data....
As in Bank A loses 10K records of personal data which results in 100M in fraudulent charges. Bank A has to pay the merchants and CC companies 100M.....
You'll see data protections and security go up so fast you'll get whiplash....
(What? Hold people responsible?)