TJX breach was twice as big as admitted, banks say
World's biggest credit card heist now estimated at 94 million accounts
The world's largest credit card heist may be bigger than we thought. Much bigger.
According to court documents filed by a group of banks, more than 94 million accounts fell into the hands of criminals as a result of a massive security breach suffered by TJX, the Massachusetts-based retailer.
That's more than double what TJX fessed up to in March, when it estimated some 45.7 million card numbers were stolen during a 17-month span in which criminals had almost unfettered access to the company's back-end systems. Going by the smaller estimate, TJX still presided over the largest data security SNAFU in history. But credit card issuers are accusing TJX of employing fuzzy math in an attempt to contain the damage.
"Unlike other limited data breaches where 'pastime hackers' may have accessed data with no intention to commit fraud, in this case it is beyond doubt that there is an extremely high risk that the compromised data will be used for illegal purposes," read the document, filed Tuesday in US District Court in Boston. "Faced with overwhelming exposure to losses it created, TJX continues to downplay the seriousness of the situation."
TJX officials didn't return a call requesting comment for this story.
The new figures may mean TJX will have to pay more than previously estimated to clean up the mess. According to the document, Visa has incurred fraud losses of $68m to $83m resulting from the theft of 65 million accounts. That calculates to a cost of $1.04 to $1.28 per card. Applying the same rate to the 29 million MasterCard numbers lost, the total fraud losses alone could top more than $120m.
Research firms have estimated the total loss from the breach could reach $1bn once settlements, once legal settlements and lost sales are tallied. But that figure was at least partly based on the belief that fewer than 46 million accounts were intercepted.
TJX has taken serious flack for allowing the breach to happen. Last month, Canada's privacy commissioner criticized the company for collecting too much data and using inadequate means of protecting it. According to the commissioner's report, TJX believes intruders gained access through company Wi-Fi networks that employed Wired Equivalent Privacy (WEP) as the sole means of securing the system.
Security pros have long known the encryption protocol can be cracked through brute force attacks, sometimes in a matter of minutes.
So far, there have been no arrests directly associated with the breach. However, six people detained in Florida after using credit card information stolen from TJX later pleaded guilty to fraud-related charges.
US law enforcement officials have also taken a keen interest in a Ukrainian man arrested for selling stolen credit card numbers in online forums. Many of the stolen accounts belonged to customers whose credentials were siphoned out of TJX's rather porous network.
The plaintiff's filings came in a legal tussle over whether the bank's lawsuit should qualify as a class action. TJX is arguing the banks don't qualify as a class, an outcome that would significantly increase the costs of pursuing the case. ®
What about ID security in healthcare?
Earlier this year, Ontario, Canada's Information Privacy Commissioner, Dr Ann Cavoukian, reported on the theft of a laptop replete with individually identifiable data on patients at Canada's leading children's hospital.
While her solution was data encryption, her analysis has broader application.
The fact of the matter is that healthcare and the information technology that supports electronic health records and the like cannot claim to have in place or even in plan patient-identity protections adequate in the face of opportunistic, pandemic-scope identity-related crime, such as occurred with TJX.
The Commissioner urged all Ontario hospitals and anyone collecting personal health information not to store it electronically if patient identities can't be protected.
It therefore follows, doesn't it, that "Ontario hospitals and anyone collecting personal health information" should not be storing it electronically?
What do people think?
Re : Still Wondering
"Wouldn't it have been cheaper for TJX to hire a good information / security person responsible to prevent this......."
Perhaps they did.. but like so most companies probably ignored what he said. I would like to think I'm a good security person and the biggest problem is Management buy-in, especially when everbody is fighting for the same pot of resources.
This is how the average Execs mind works.-
Marketing make pretty adverts and bring in customers, (alledgely) and hence revenue.
Security keeping saying that we should do things in a particular way, and justs costs money. And hey! we didn't get attacked last year so we must be safe.
Where do you think the resources get allocated?
By the way there are many reasons to store payment card numbers, recurring payments, online profiles etc. It's permitted by the Payment card industry (e.g VISA, Mastercard, AMEX) but it is now mandatory to be compliant with the PCI DSS. This dictates how PAN numbers can be stored safetly (encryopted, limited access etc) CVC/CVV/CV2 or pin numbers cannot be stored.
Solution to this problem was developed over 10 years ago!!
Simple solution to all credit card fraud was thought of over 10 years ago and patented. SImply, store set of unique numbers on the credit card and each time used press a button to display a unique processing code for that transaction. Code would be confirmed by bank, same way as current CVC/Security code but would be a unique code to that transaction. US Patent 5627355A1 covers basic outline and was filed in May 1997 (Banks currently promoting a handheld terminal to put your card into to achieve same goal) Physical Credit Card sized Products that could achieve this simple process have been available on the market for over 4 years. This simple solution could reduce 90%+ of all fraud and if in place the TK Maxx theft would not have been as serious. Could they have claims for a counter lawsuit on the basis that the banks had not utilised all means necessary to protect them if a problem did occur?