Slashdot Mirror


TJX Is Biggest Data Breach Ever

jcatcw writes "Jaikumar Vijayan reports for Computerworld that TJX is finally offering more details about the extent of the compromise, which, at 45.6M cards, is the biggest ever. He has been following the story since it started. The systems that were broken into processed payment cards, checks, and returns for customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico, and customers of Winners and HomeSense stores in Canada and T.K. Maxx in the U.K. Customer names and addresses were not included in the stolen data. So far the company has spent about $5 million in connection with the breach. Several lawsuits have been filed against the company, including a suit by the Arkansas Carpenters Pension Fund, one of its shareholders, for failure to divulge more details about the breach."

7 of 104 comments

  1. Suggested, by Stanistani (Score: 4, Interesting)

    Suggested new tag for stories like this - pwnshop

  2. Legal ramifications, by Mister Whirly (Score: 2, Interesting)

    When a breach like this happens, is the company legally obligated to inform those who may have had their information compromised? If so, how the hell do you do that with 45 million people?

    --
    "But this one goes to 11!"
  3. All encompassing, by HomelessInLaJolla (Score: 3, Interesting)

    "The breach is sure to lend urgency to efforts by the major credit card companies to get retailers to implement PCI requirements...So far about 50% of Tier 1 merchants...are fully compliant"

    TJX is a Tier 1 merchant and may even qualify to be a processor. PCI requirements, even for Tier 1 merchants, don't seem to have much credibility when a rogue gang of six people can infiltrate TJX and Wal-Mart.

    "Losses experienced by Wal-Mart and the banks issuing the credit cards total more than $8 million and are still being calculated"

    I'd like more technical details. Are there any theories about how the attackers breached the system? Who wrote the front line software which they breached? Who wrote the operating system it runs on? Who wrote the database system which was being used? Who was in charge of network monitoring and security at the time? What tools were they misusing (obviously) that they weren't able to catch this ahead of time?

    The six named people must have had some deep insight to the code on which these systems were running. Maybe they had inside help. If I really wanted to be paranoid I'd suggest that the six named people were caught port-scanning the servers and they're being used as the fall guys so that the real criminals, probably insiders, can slip out the back door.

    Patriot illegal HP domestic wiretap Enron insider FBI trading Martha 9/11 Stewart Congressional inquiry comes to mind.
    --
    the NPG electrode was replaced with carbon blac
  4. what OS was it running on .., by rs232 (Score: 3, Interesting)
    --
    davecb5620@gmail.com
  5. Re:Example, by 955301 (Score: 1, Interesting)

    Yes, you can find out. Almost all companies who do lookups against card information have trace information. A court will be able to get that information.

    --
    You are checking your backups, aren't you?
  6. The Complicator's Card, by Beardo the Bearded (Score: 3, Interesting)

    The answer isn't expensive smart cards with new infrastructure. As you've stated, the smart card chips aren't used in the majority of places.

    Fortunately, we don't have to do that. It's way simpler.

    1. Require all credit cards to add a photograph to the back as well as a signature panel. Overlay parts of the photo with holograms to make sure it's tough to copy. (It's not like the "lost card" field does fuck all when you've lost the card.)

    2. Put identity photographs in everyone's credit history. If you're getting a mortgage or credit card or something else where you have to go in person, then it's pretty obvious if you're faking it.

    3. Have the credit agency computers call a number listed in the credit history every time the history is accessed. ("This is Equifax. Beardo has applied for a $500k mortgage. If you are not aware of this transaction, call 1-800-HEY-WAIT.")

    That's it.

    The reason we won't see this - ever - is because it will cost the banks money to implement. When they can instead blame the victims for their DARING to have their stuff stolen, why bother to invest in making a secure environment? After all, it's perfectly secure from the bank's point of view.

    --
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  7. Re:Example, by FuryG3 (Score: 2, Interesting)

    This EXACT situation happened to me.

    I was traveling internationally, lost my wallet, and reported my cards as stolen. I ended up finding the wallet (with money, yay!) but had to wait for my new cards to get to my house in the US, and then to me in Europe.

    Fast forward 2 weeks. I receive my cards in Europe and 2 days later I notice that there's a charge on one of my cards for something I didn't buy. And it was made BETWEEN the times that I reported my card "stolen" and when I activated my new card. The charges are getting wiped off my bill, but still, I'll never know what was going on.

    Did someone at the hotel get my card number? If so, how could they use it 1 1/2 weeks after it was reported stolen?
    Did someone grab the number while it was being shipped in the USPS (charges were before it was shipped int'l)? If so, how could they use a card before it's activated?
    Was it just an error at my Financial Institution? How can that happen?

    Unfortunately Providian (now WaMu) won't tell me what card number they used to make the transaction (new one or old one?). That would narrow it down a lot, but they claim "they don't have that information." I don't know what would worry me more, them actually not having that information or them lying to me to cover their ass, but I suspect it's the latter...