Feeds

Fraud linked to TJX data heist spreads

North American banks and retailers warn

Using blade systems to cut costs and sharpen efficiencies

Banks and retailers in the United States and Canada have begun to report an increasing amount of illicit transactions thought to be linked to the server breach announced last week by the TJX Companies, the commercial giant that owns retail chains in the US, Canada, and Europe.

More than 60 of the 205 banks in Massachusetts have begun reissuing cards after being contacted by credit card companies about compromised cards, the Massachusetts Bankers Association stated this week. However, only half of the state's banks have reported in to the group. The transactions have occurred in at least three states, as well as Hong Kong and Sweden, the MBA said in statement.

The group warned consumers that credit card and bank fraud does not necessarily mean the data thieves have stolen someone's identity.

"The two can be related but, thankfully, most often they are separate and distinct," MBA president and CEO Daniel Forte said. "Be vigilant and don't give thieves any more information to make ID theft more of a risk."

Last week, the TJX Companies announced that the firm had suffered an unauthorised intrusion into its "computer systems that process and store information related to customer transactions". TJX declined to mention the scope of its breach, but said the unauthorised intruder accessed TJX's computer systems for its T J Maxx, Marshalls, HomeGoods, and A J Wright stores in the US and Puerto Rico, and its Winners and HomeSense stores in Canada.

In Vermont, one bank had to reissue cards to 1,600 customers because of the compromise, according to the Associated Press. In Canada, thousands of customer who shopped at Winners and HomeSense stores have become the victims of fraud, according to news reports.

With many states passing breach notification laws, such privacy-affecting pronouncements have become a regular part of corporate news in 2005 and 2006, but in many cases no link is made between the breach and subsequent data fraud.

In December, the University of California, Los Angeles, warned that a server containing information on about 800,000 students, faculty members, and workers had been exposed by a compromise. Also last year, the US Department of Veterans Affairs warned that a laptop containing names, addresses, and social-security numbers of nearly every soldier and sailor in the armed forces had been stolen. The laptop was later recovered.

Historically, such breaches have not led to provable fraud, according to analyst firm Javelin Strategy & Research, which surveys the victims of identity fraud annually. In an analysis released in August, the firm found that only six per cent of all identity fraud - defined as someone using the victim's accounts or creating new accounts in the victim's name - where the source could be identified resulted from a breach. Looked at another way, only 0.8 per cent of those alerted of a breach actually became the victims of fraud, said Bruce Cundiff, senior analyst with Javelin Strategy & Research.

Even so, the cost of cleaning up a breach is enormous and, to a large extent, shouldered by the banks.

"It makes sense that the banks are crying foul because the banks have to foot the bill," Cundiff said. "There is an uproar among banks, saying that - through no fault of our own - we have to pay to fix this."

However, the latest epidemic of fraud could change that, if legislation is passed forcing credit-card companies to reveal the source of the fraud. The incident comes just weeks after the Democratic Party formed the majority party in Congress and could lend impetus to their efforts to rewrite consumer credit protection laws and breach notification statutes.

"I learned of the latest data breach from a financial institution that may have to bear the costs of informing customers and issuing new credit cards but they were not told why," Rep. Barney Frank (D-Mass), chairman of the House Committee on Financial Services, said in a statement following the announcement of the TJX breach last week. "This is further evidence of the need for a provision that Democrats pushed for in last year's debate over data security. Mainly, those institutions where breaches have occurred must be identified and they must bear responsibility."

It's a change that banks are looking forward to as well, Forte said in the MBA's statement.

"It is critical that the card associations - Visa, Mastercard, etc. - and public officials carefully evaluate whether the source of the breach should be identified quickly and be held liable for a data breach, particularly if the information being stored is in violation of card-network rules," Forte stated, noting that banks typically shoulder the burden of paying for replacement cards.

The TJX Companies stock price fell $0.40, or about 1.3 per cent, by midday on Friday.

Update

The article was updated at 2:30 p.m. PST to include a comment from Bruce Cundiff, senior analyst with Javelin Strategy & Research. The article was originally published at 9 a.m. PST.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.