Original URL: http://www.theregister.co.uk/2007/01/29/tjx_data_fraud/
Fraud linked to TJX data heist spreads
North American banks and retailers warn
Banks and retailers in the United States and Canada have begun to report an increasing amount of illicit transactions thought to be linked to the server breach announced last week by the TJX Companies, the commercial giant that owns retail chains in the US, Canada, and Europe.
More than 60 of the 205 banks in Massachusetts have begun reissuing cards after being contacted by credit card companies about compromised cards, the Massachusetts Bankers Association stated this week. However, only half of the state's banks have reported in to the group. The transactions have occurred in at least three states, as well as Hong Kong and Sweden, the MBA said in statement.
The group warned consumers that credit card and bank fraud does not necessarily mean the data thieves have stolen someone's identity.
"The two can be related but, thankfully, most often they are separate and distinct," MBA president and CEO Daniel Forte said. "Be vigilant and don't give thieves any more information to make ID theft more of a risk."
Last week, the TJX Companies announced that the firm had suffered an unauthorised intrusion into its "computer systems that process and store information related to customer transactions". TJX declined to mention the scope of its breach, but said the unauthorised intruder accessed TJX's computer systems for its T J Maxx, Marshalls, HomeGoods, and A J Wright stores in the US and Puerto Rico, and its Winners and HomeSense stores in Canada.
In Vermont, one bank had to reissue cards to 1,600 customers because of the compromise, according to the Associated Press. In Canada, thousands of customer who shopped at Winners and HomeSense stores have become the victims of fraud, according to news reports.
With many states passing breach notification laws, such privacy-affecting pronouncements have become a regular part of corporate news in 2005 and 2006, but in many cases no link is made between the breach and subsequent data fraud.
In December, the University of California, Los Angeles, warned that a server containing information on about 800,000 students, faculty members, and workers had been exposed by a compromise. Also last year, the US Department of Veterans Affairs warned that a laptop containing names, addresses, and social-security numbers of nearly every soldier and sailor in the armed forces had been stolen. The laptop was later recovered.
Historically, such breaches have not led to provable fraud, according to analyst firm Javelin Strategy & Research, which surveys the victims of identity fraud annually. In an analysis released in August, the firm found that only six per cent of all identity fraud - defined as someone using the victim's accounts or creating new accounts in the victim's name - where the source could be identified resulted from a breach. Looked at another way, only 0.8 per cent of those alerted of a breach actually became the victims of fraud, said Bruce Cundiff, senior analyst with Javelin Strategy & Research.
Even so, the cost of cleaning up a breach is enormous and, to a large extent, shouldered by the banks.
"It makes sense that the banks are crying foul because the banks have to foot the bill," Cundiff said. "There is an uproar among banks, saying that - through no fault of our own - we have to pay to fix this."
However, the latest epidemic of fraud could change that, if legislation is passed forcing credit-card companies to reveal the source of the fraud. The incident comes just weeks after the Democratic Party formed the majority party in Congress and could lend impetus to their efforts to rewrite consumer credit protection laws and breach notification statutes.
"I learned of the latest data breach from a financial institution that may have to bear the costs of informing customers and issuing new credit cards but they were not told why," Rep. Barney Frank (D-Mass), chairman of the House Committee on Financial Services, said in a statement following the announcement of the TJX breach last week. "This is further evidence of the need for a provision that Democrats pushed for in last year's debate over data security. Mainly, those institutions where breaches have occurred must be identified and they must bear responsibility."
It's a change that banks are looking forward to as well, Forte said in the MBA's statement.
"It is critical that the card associations - Visa, Mastercard, etc. - and public officials carefully evaluate whether the source of the breach should be identified quickly and be held liable for a data breach, particularly if the information being stored is in violation of card-network rules," Forte stated, noting that banks typically shoulder the burden of paying for replacement cards.
The TJX Companies stock price fell $0.40, or about 1.3 per cent, by midday on Friday.
The article was updated at 2:30 p.m. PST to include a comment from Bruce Cundiff, senior analyst with Javelin Strategy & Research. The article was originally published at 9 a.m. PST.
This article originally appeared in Security Focus.
Copyright © 2007, SecurityFocus