Feeds

Fraud linked to TJX data heist spreads

North American banks and retailers warn

The Power of One eBook: Top reasons to choose HP BladeSystem

Banks and retailers in the United States and Canada have begun to report an increasing amount of illicit transactions thought to be linked to the server breach announced last week by the TJX Companies, the commercial giant that owns retail chains in the US, Canada, and Europe.

More than 60 of the 205 banks in Massachusetts have begun reissuing cards after being contacted by credit card companies about compromised cards, the Massachusetts Bankers Association stated this week. However, only half of the state's banks have reported in to the group. The transactions have occurred in at least three states, as well as Hong Kong and Sweden, the MBA said in statement.

The group warned consumers that credit card and bank fraud does not necessarily mean the data thieves have stolen someone's identity.

"The two can be related but, thankfully, most often they are separate and distinct," MBA president and CEO Daniel Forte said. "Be vigilant and don't give thieves any more information to make ID theft more of a risk."

Last week, the TJX Companies announced that the firm had suffered an unauthorised intrusion into its "computer systems that process and store information related to customer transactions". TJX declined to mention the scope of its breach, but said the unauthorised intruder accessed TJX's computer systems for its T J Maxx, Marshalls, HomeGoods, and A J Wright stores in the US and Puerto Rico, and its Winners and HomeSense stores in Canada.

In Vermont, one bank had to reissue cards to 1,600 customers because of the compromise, according to the Associated Press. In Canada, thousands of customer who shopped at Winners and HomeSense stores have become the victims of fraud, according to news reports.

With many states passing breach notification laws, such privacy-affecting pronouncements have become a regular part of corporate news in 2005 and 2006, but in many cases no link is made between the breach and subsequent data fraud.

In December, the University of California, Los Angeles, warned that a server containing information on about 800,000 students, faculty members, and workers had been exposed by a compromise. Also last year, the US Department of Veterans Affairs warned that a laptop containing names, addresses, and social-security numbers of nearly every soldier and sailor in the armed forces had been stolen. The laptop was later recovered.

Historically, such breaches have not led to provable fraud, according to analyst firm Javelin Strategy & Research, which surveys the victims of identity fraud annually. In an analysis released in August, the firm found that only six per cent of all identity fraud - defined as someone using the victim's accounts or creating new accounts in the victim's name - where the source could be identified resulted from a breach. Looked at another way, only 0.8 per cent of those alerted of a breach actually became the victims of fraud, said Bruce Cundiff, senior analyst with Javelin Strategy & Research.

Even so, the cost of cleaning up a breach is enormous and, to a large extent, shouldered by the banks.

"It makes sense that the banks are crying foul because the banks have to foot the bill," Cundiff said. "There is an uproar among banks, saying that - through no fault of our own - we have to pay to fix this."

However, the latest epidemic of fraud could change that, if legislation is passed forcing credit-card companies to reveal the source of the fraud. The incident comes just weeks after the Democratic Party formed the majority party in Congress and could lend impetus to their efforts to rewrite consumer credit protection laws and breach notification statutes.

"I learned of the latest data breach from a financial institution that may have to bear the costs of informing customers and issuing new credit cards but they were not told why," Rep. Barney Frank (D-Mass), chairman of the House Committee on Financial Services, said in a statement following the announcement of the TJX breach last week. "This is further evidence of the need for a provision that Democrats pushed for in last year's debate over data security. Mainly, those institutions where breaches have occurred must be identified and they must bear responsibility."

It's a change that banks are looking forward to as well, Forte said in the MBA's statement.

"It is critical that the card associations - Visa, Mastercard, etc. - and public officials carefully evaluate whether the source of the breach should be identified quickly and be held liable for a data breach, particularly if the information being stored is in violation of card-network rules," Forte stated, noting that banks typically shoulder the burden of paying for replacement cards.

The TJX Companies stock price fell $0.40, or about 1.3 per cent, by midday on Friday.

Update

The article was updated at 2:30 p.m. PST to include a comment from Bruce Cundiff, senior analyst with Javelin Strategy & Research. The article was originally published at 9 a.m. PST.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.