Feeds

Fraud linked to TJX data heist spreads

North American banks and retailers warn

Beginner's guide to SSL certificates

Banks and retailers in the United States and Canada have begun to report an increasing amount of illicit transactions thought to be linked to the server breach announced last week by the TJX Companies, the commercial giant that owns retail chains in the US, Canada, and Europe.

More than 60 of the 205 banks in Massachusetts have begun reissuing cards after being contacted by credit card companies about compromised cards, the Massachusetts Bankers Association stated this week. However, only half of the state's banks have reported in to the group. The transactions have occurred in at least three states, as well as Hong Kong and Sweden, the MBA said in statement.

The group warned consumers that credit card and bank fraud does not necessarily mean the data thieves have stolen someone's identity.

"The two can be related but, thankfully, most often they are separate and distinct," MBA president and CEO Daniel Forte said. "Be vigilant and don't give thieves any more information to make ID theft more of a risk."

Last week, the TJX Companies announced that the firm had suffered an unauthorised intrusion into its "computer systems that process and store information related to customer transactions". TJX declined to mention the scope of its breach, but said the unauthorised intruder accessed TJX's computer systems for its T J Maxx, Marshalls, HomeGoods, and A J Wright stores in the US and Puerto Rico, and its Winners and HomeSense stores in Canada.

In Vermont, one bank had to reissue cards to 1,600 customers because of the compromise, according to the Associated Press. In Canada, thousands of customer who shopped at Winners and HomeSense stores have become the victims of fraud, according to news reports.

With many states passing breach notification laws, such privacy-affecting pronouncements have become a regular part of corporate news in 2005 and 2006, but in many cases no link is made between the breach and subsequent data fraud.

In December, the University of California, Los Angeles, warned that a server containing information on about 800,000 students, faculty members, and workers had been exposed by a compromise. Also last year, the US Department of Veterans Affairs warned that a laptop containing names, addresses, and social-security numbers of nearly every soldier and sailor in the armed forces had been stolen. The laptop was later recovered.

Historically, such breaches have not led to provable fraud, according to analyst firm Javelin Strategy & Research, which surveys the victims of identity fraud annually. In an analysis released in August, the firm found that only six per cent of all identity fraud - defined as someone using the victim's accounts or creating new accounts in the victim's name - where the source could be identified resulted from a breach. Looked at another way, only 0.8 per cent of those alerted of a breach actually became the victims of fraud, said Bruce Cundiff, senior analyst with Javelin Strategy & Research.

Even so, the cost of cleaning up a breach is enormous and, to a large extent, shouldered by the banks.

"It makes sense that the banks are crying foul because the banks have to foot the bill," Cundiff said. "There is an uproar among banks, saying that - through no fault of our own - we have to pay to fix this."

However, the latest epidemic of fraud could change that, if legislation is passed forcing credit-card companies to reveal the source of the fraud. The incident comes just weeks after the Democratic Party formed the majority party in Congress and could lend impetus to their efforts to rewrite consumer credit protection laws and breach notification statutes.

"I learned of the latest data breach from a financial institution that may have to bear the costs of informing customers and issuing new credit cards but they were not told why," Rep. Barney Frank (D-Mass), chairman of the House Committee on Financial Services, said in a statement following the announcement of the TJX breach last week. "This is further evidence of the need for a provision that Democrats pushed for in last year's debate over data security. Mainly, those institutions where breaches have occurred must be identified and they must bear responsibility."

It's a change that banks are looking forward to as well, Forte said in the MBA's statement.

"It is critical that the card associations - Visa, Mastercard, etc. - and public officials carefully evaluate whether the source of the breach should be identified quickly and be held liable for a data breach, particularly if the information being stored is in violation of card-network rules," Forte stated, noting that banks typically shoulder the burden of paying for replacement cards.

The TJX Companies stock price fell $0.40, or about 1.3 per cent, by midday on Friday.

Update

The article was updated at 2:30 p.m. PST to include a comment from Bruce Cundiff, senior analyst with Javelin Strategy & Research. The article was originally published at 9 a.m. PST.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.