Feeds

Fraud linked to TJX data heist spreads

North American banks and retailers warn

5 things you didn’t know about cloud backup

Banks and retailers in the United States and Canada have begun to report an increasing amount of illicit transactions thought to be linked to the server breach announced last week by the TJX Companies, the commercial giant that owns retail chains in the US, Canada, and Europe.

More than 60 of the 205 banks in Massachusetts have begun reissuing cards after being contacted by credit card companies about compromised cards, the Massachusetts Bankers Association stated this week. However, only half of the state's banks have reported in to the group. The transactions have occurred in at least three states, as well as Hong Kong and Sweden, the MBA said in statement.

The group warned consumers that credit card and bank fraud does not necessarily mean the data thieves have stolen someone's identity.

"The two can be related but, thankfully, most often they are separate and distinct," MBA president and CEO Daniel Forte said. "Be vigilant and don't give thieves any more information to make ID theft more of a risk."

Last week, the TJX Companies announced that the firm had suffered an unauthorised intrusion into its "computer systems that process and store information related to customer transactions". TJX declined to mention the scope of its breach, but said the unauthorised intruder accessed TJX's computer systems for its T J Maxx, Marshalls, HomeGoods, and A J Wright stores in the US and Puerto Rico, and its Winners and HomeSense stores in Canada.

In Vermont, one bank had to reissue cards to 1,600 customers because of the compromise, according to the Associated Press. In Canada, thousands of customer who shopped at Winners and HomeSense stores have become the victims of fraud, according to news reports.

With many states passing breach notification laws, such privacy-affecting pronouncements have become a regular part of corporate news in 2005 and 2006, but in many cases no link is made between the breach and subsequent data fraud.

In December, the University of California, Los Angeles, warned that a server containing information on about 800,000 students, faculty members, and workers had been exposed by a compromise. Also last year, the US Department of Veterans Affairs warned that a laptop containing names, addresses, and social-security numbers of nearly every soldier and sailor in the armed forces had been stolen. The laptop was later recovered.

Historically, such breaches have not led to provable fraud, according to analyst firm Javelin Strategy & Research, which surveys the victims of identity fraud annually. In an analysis released in August, the firm found that only six per cent of all identity fraud - defined as someone using the victim's accounts or creating new accounts in the victim's name - where the source could be identified resulted from a breach. Looked at another way, only 0.8 per cent of those alerted of a breach actually became the victims of fraud, said Bruce Cundiff, senior analyst with Javelin Strategy & Research.

Even so, the cost of cleaning up a breach is enormous and, to a large extent, shouldered by the banks.

"It makes sense that the banks are crying foul because the banks have to foot the bill," Cundiff said. "There is an uproar among banks, saying that - through no fault of our own - we have to pay to fix this."

However, the latest epidemic of fraud could change that, if legislation is passed forcing credit-card companies to reveal the source of the fraud. The incident comes just weeks after the Democratic Party formed the majority party in Congress and could lend impetus to their efforts to rewrite consumer credit protection laws and breach notification statutes.

"I learned of the latest data breach from a financial institution that may have to bear the costs of informing customers and issuing new credit cards but they were not told why," Rep. Barney Frank (D-Mass), chairman of the House Committee on Financial Services, said in a statement following the announcement of the TJX breach last week. "This is further evidence of the need for a provision that Democrats pushed for in last year's debate over data security. Mainly, those institutions where breaches have occurred must be identified and they must bear responsibility."

It's a change that banks are looking forward to as well, Forte said in the MBA's statement.

"It is critical that the card associations - Visa, Mastercard, etc. - and public officials carefully evaluate whether the source of the breach should be identified quickly and be held liable for a data breach, particularly if the information being stored is in violation of card-network rules," Forte stated, noting that banks typically shoulder the burden of paying for replacement cards.

The TJX Companies stock price fell $0.40, or about 1.3 per cent, by midday on Friday.

Update

The article was updated at 2:30 p.m. PST to include a comment from Bruce Cundiff, senior analyst with Javelin Strategy & Research. The article was originally published at 9 a.m. PST.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?