
TJX Is Biggest Data Breach Ever

kdawson posted about 7 years ago | from the millions-and-millions dept.


jcatcw writes "Jaikumar Vijayan reports for Computerworld that TJX is finally offering more details about the extent of the compromise which, at 45.6M cards, is the biggest ever. He has been following the story since it started. The systems that were broken into processed payment cards, checks, and returns for customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico, and customers of Winners and HomeSense stores in Canada and T.K. Maxx in the U.K. Customer names and addresses were not included in the stolen data. So far the company has spent about $5 million in connection with the breach. Several lawsuits have been filed against the company, including a suit by the Arkansas Carpenters Pension Fund, one of its shareholders, for failure to divulge more details about the breach."


104 comments

Suggested (4, Interesting)

Stanistani (808333) | about 7 years ago | (#18530239)

Suggested new tag for stories like this - pwnshop

Re:Suggested (1, Informative)

Anonymous Coward | about 7 years ago | (#18530509)

All I can say is that I worked there after the breach, and omg was it a joke.

Not to mention there was only 1 guy that was running the portion that led to the infiltration! That is plain and simple nuts! What a shame though; they are a really nice group of folks around that shop and this breach was not just them.

Also I wonder exactly how many folks were affected and they didn't know until they got a new bank card or credit card.

Also this is an example of retail, where making money is #1 and all else is #2.

Re:Suggested (-1, Offtopic)

Anonymous Coward | about 7 years ago | (#18533107)

Suggested new tag for stories like this - pwnshop

<rant> That would imply pwn == pawn. It doesn't. It's a typo of "own". Once upon a time, uber1337 k1ddi3z would say "ownez". But, as often happens on teh internet, somebody made a typo. Look at your keyboard. 'P' is right next to 'O'. "I pawn your machine" makes no sense. The hacker hocked it for dope money? No, he owns it, as in he stole it from you. See also http://www.google.com/search?q=define%3Apwn [google.com] , and http://en.wikipedia.org/wiki/Pwn [wikipedia.org] . Please, it's not pawn, people, it's own. </rant>

Unfortunately, I do have to admit it's still pretty funny... Cheers.

our bank did good (1)

networkBoy (774728) | about 7 years ago | (#18530241)

The first we heard of this was our bank re-issuing Visa cards for anyone who had shopped there in the past.
-nB

Re:our bank did good (1)

blankaBrew (1000609) | about 7 years ago | (#18530323)

You're lucky. I heard of it after I discovered $16,000 worth of fraudulent AirFrance tickets charged to my credit card. Thankfully, the credit card co removed the charges. My other bankcards were also swapped out by my bank on their own.

Does this mean that the ass-hats that did this are in France? Can we blame France?

New PINs too (4, Funny)

PIPBoy3000 (619296) | about 7 years ago | (#18530379)

The worst part was getting a new PIN that didn't have the easy-to-remember "69" in the digits. Now I'm stuck with one that has no sexual connotations at all. Sniff.

Re:New PINs too (1, Funny)

Anonymous Coward | about 7 years ago | (#18530681)

What's your new pin, I'll come up with something for you!

Re:New PINs too (-1, Troll)

Anonymous Coward | about 7 years ago | (#18533267)

That's because you lack imagination! I guarantee I'll find said connotations.

What's your PIN? ;-)

Re:New PINs too (1)

LordSnooty (853791) | about 7 years ago | (#18533429)

Tip: walk to any ATM and change it.

Re:New PINs too (1)

ncc74656 (45571) | about 7 years ago | (#18535993)

Tip: walk to any ATM and change it.

What ATM lets you change the PIN on your ATM card? That sounds like it'd be a security hole bigger than Mr. Goatse.cx's backside.

Re:our bank did good (0)

Anonymous Coward | about 7 years ago | (#18532811)

And if they posted all the card numbers and info on a web site, a lot of slashdotters would think it is OK because after all, the cards were already stolen so what would it matter if someone just posted them in some forum somewhere.

Legal ramifications (2, Interesting)

Mister Whirly (964219) | about 7 years ago | (#18530249)

When a breach like this happens, is the company legally obligated to inform those who may have had their information compromised? If so, how the hell do you do that with 45 million people?

Re:Legal ramifications (1)

GWLlosa (800011) | about 7 years ago | (#18530343)

You can't notify the people involved. Read the article. They don't even know for sure which data was stolen.

Re:Legal ramifications (1)

Mister Whirly (964219) | about 7 years ago | (#18530471)

I did read the article, and that is why I am wondering - how do you go about informing people when you are not sure who or the extent of the data affected? Do they have to inform you of a "maybe" incident if they even suspect something?

Re:Legal ramifications (0)

Anonymous Coward | about 7 years ago | (#18530345)

Uhm. Using "we f-ed up" notices, sent to the same mailing or email address where the card's bills are sent. Preferably with the CxO's licking the envelopes.

Re:Legal ramifications (0)

Anonymous Coward | about 7 years ago | (#18531391)

45 million people... that's more people than some countries. If they, the management and board of the company, got them into this mess by not having the correct and enough people to do their work, then the management and board of the company should pay for this out of pocket. LOL, I need to stop laughing now. It is too bad that corporate management and boards of many companies have been absolved of any consequences of their actions; if they were responsible and felt the consequences of those actions, we would have a better society now. It is the irresponsibility of corporate management and board members that gets our companies into trouble, and we (taxpayers, employees, stockholders and other people who really work) have to pay for their foray into crime and corruption. They all use the excuse of helping the stockholders, but look at Enron and WorldCom, whose corporate management and boards said that, and look at the stockholders now. It is too bad that Congress cannot do anything about this, because corporate management and boards have bought out most of Congress and made laws to make it easier for them to skirt around the Constitution, and if they do get caught it is only a slap on the hand. They even have separate prisons for them so they live in a wonderful place rather than the real prisons. Look at Martha Stewart. Please, if they went to a real prison or SuperMax then they would think again about doing this.

Re:Legal ramifications (0)

Anonymous Coward | about 7 years ago | (#18530563)

Everyone, CEO and board included, starts licking stamps.

Then you stop storing data that's irrelevant after 7 days.

Re:Legal ramifications (0)

Anonymous Coward | about 7 years ago | (#18531879)

I got my letter about this a month or three ago from my bank...so I would guess "yes, they are".

Re:Legal ramifications (1)

devnulljapan (316200) | about 7 years ago | (#18532059)

When a breach like this happens, is the company legally obligated to inform those who may have had their information compromised?? If so, how the hell do you do that with 45 million people?
Well, you can be damn sure they'd find a way if 45 million people owed them money.

Re:Legal ramifications (2, Informative)

mrhandstand (233183) | about 7 years ago | (#18533357)

I'm a QDSP (VISA PCI certified assessor - been through VISA requirements training). Yes, you have to notify those who have been affected - as for how - snail mail. After all, they HAVE your info...

Re:Legal ramifications (1)

echo_kmem (982727) | about 7 years ago | (#18534291)

The responsibility of identifying those 'cards' affected is with the financial institutions. Most have the ability to attempt to scan through their customers' transactions and possibly determine who was affected by this even in the slightest, and issue a new card to their customer/client/member, etc.

And just to add, TJX/TJ Maxx/etc. is just the latest in a long history of compromises occurring. For example, about a year or so ago, Mastercard just had trouble with one of its vendors not meeting minimum requirements of security, thus Mastercard was forced to alert all financial institutions of the 'possible' compromise due to this vendor not being able to say yes or no to data potentially being leaked.

With this, I have not read (nor probably will) anything on those stolen cards being put to use, but due to the amount of 'Re-Issuing' that has had to happen as of late, F.I.'s are just in the mode of 'Better Safe than Sorry'.

Re:Legal ramifications (1)

Hulleye (126367) | about 7 years ago | (#18537375)

Easy. log on to irc, buy back the data you lost and send out legalese spam to 45 million people.

All encompassing (3, Interesting)

HomelessInLaJolla (1026842) | about 7 years ago | (#18530273)

The breach is sure to lend urgency to efforts by the major credit card companies to get retailers to implement PCI requirements...So far about 50% of Tier 1 merchants...are fully compliant

TJX is a Tier 1 merchant and may even qualify to be a processor
PCI requirements, even for Tier 1 merchants, don't seem to have much credibility when a rogue gang of six people [computerworld.com] can infiltrate TJX and Wal-Mart.

Losses experienced by Wal-Mart and the banks issuing the credit cards total more than $8 million and are still being calculated
I'd like more technical details. Are there any theories about how the attackers breached the system? Who wrote the front line software which they breached? Who wrote the operating system it runs on? Who wrote the database system which was being used? Who was in charge of network monitoring and security at the time? What tools were they misusing (obviously) that they weren't able to catch this ahead of time?

The six named people must have had some deep insight to the code on which these systems were running. Maybe they had inside help. If I really wanted to be paranoid I'd suggest that the six named people were caught port-scanning the servers and they're being used as the fall guys so that the real criminals, probably insiders, can slip out the back door.

Patriot illegal HP domestic wiretap Enron insider FBI trading Martha 9/11 Stewart Congressional inquiry comes to mind.

Re:All encompassing (1)

larkost (79011) | about 7 years ago | (#18530955)

Those six people were caught using the credit card information, that is not to say that they were the ones who obtained it in the first place. They probably purchased the sub-set of the information that they were using from someone else (who might still be a step or two removed from the initial cracker). There seems to be a whole ecosystem of people trafficking in data like this, with the initial providers only working through multiple layers of intermediaries.

Re:All encompassing (1)

HomelessInLaJolla (1026842) | about 7 years ago | (#18531003)

There seems to be a whole ecosystem of people trafficking in data like this, with the initial providers only working through multiple layers of intermediaries
Sort of like the Federal Government politicians separating themselves from Wall Street bankers by multiple layers of contractors, subcontractors, nonprofits, and private companies.

The ecosystem, in this example, is trafficking in taxpayer money and insider trading information.

Re:All encompassing (1)

eimsand (903055) | about 7 years ago | (#18531663)

According to the rumor mill that I plug into, Wal-Mart was not actually compromised. Instead, as I heard it, the thieves purchased Wal-Mart gift cards with the stolen cards. The rumor I heard was that the cards were purchased with enough frequency and for large enough dollar amounts so that Wal-Mart's internal fraud alerts were set off.

Re:All encompassing (4, Informative)

monkeydo (173558) | about 7 years ago | (#18532135)

Wal-Mart gift cards over $500 require ID to redeem. So they were buying only $400 gift cards. Cashiers were suspicious of people using multiple $400 gift cards to make large purchases.

watching too many episodes of 24 .. (3, Insightful)

rs232 (849320) | about 7 years ago | (#18531707)

'The six named people must have had some deep insight to the code on which these systems were running. Maybe they had inside help. If I really wanted to be paranoid I'd suggest that the six named people were caught port-scanning the servers and they're being used as the fall guys so that the real criminals, probably insiders, can slip out the back door'

An interesting exercise in fallacious reductio ad absurdum. Just because they passed the cards doesn't mean they wrote the code and the Florida police caught them port-scanning the server and only arrested them to give the real criminals time to slip out the back door.

Do you seriously think the hackers would drive about Florida trying to pass the stolen cards, especially months after it went public? The six are more likely to be downstream crooks that purchased the stolen card details not realising where they came from.


Re:All encompassing (0)

Anonymous Coward | about 7 years ago | (#18532587)

PCI requirements, even for Tier 1 merchants, don't seem to have much credibility when a rogue gang of six people can infiltrate TJX and Wal-Mart.

What do Peripheral Component Interconnect requirements have to do with it? Was this a physical access hack that exploits a vulnerability in PCI bus implementations?

deep insight? the odds are against it. (4, Informative)

Gary W. Longsine (124661) | about 7 years ago | (#18533123)

Of course, the attacker might have a team of experts, moles planted in the corporation, and their own Tom Cruise who slapped magnetic signs on a white van, posed as a janitor, rappelled into the hermetically sealed server room, looked under keyboards for the post-it with the root password, modified the corporation's custom software on the fly and installed the resulting trojaned version (all without touching the floor) and then cleaned the urinals on his way out so that nobody would suspect a thing for years in a mission-impossible-style coordinated assault requiring deep insight to the code, but given that most such incidents of data theft are quite a bit less sophisticated, I doubt deep insight was required.

Deep insight is mainly useful to attackers who seek a very specific set of data from a particular target. People after credit card data typically just cast a wide net and exploit the low hanging fruit. Let a worm loose, it gets in somewhere. See what it finds. Exploit it. Much, much simpler. Of course since we lack the technical details you mentioned (and others) we have no idea what really happened, and the technical details would probably be interesting. I suspect that the weeks long delay in releasing the information that came out today was due to the fact that the investigators suspected, or merely feared, an inside job.

This is a common and largely emotional response to an attack like this. "Somebody broke into our highly secure system and stole 45 million customer records complete with credit card numbers? Inconceivable!" ("You keep using that word. I do not think it means what you think it means.")

It's certainly *not* a requirement to have "deep insight" into the code or even the specific computing infrastructure of the typical corporation in order to steal data. In fact, ordinary insight is sufficient once you have access, given the attacker has basic technical skills. Rather than deep insight, what is usually seen is a plodding industrial spam-like approach.
  • bots are built and released to the wild internet (network worms, email worms, web trojans, etc.)
  • a single system behind a company firewall is infected with the bot (e.g. through a web browser, or a laptop hit by a worm at a coffee shop)
  • the bot spreads behind the company firewall, infecting many machines, attracting much attention
  • company managers crack the whip over IT to clean up the mess without re-installing the infected systems, often against the advice of people who understand the problem who say things like, "we have no way to know what damage has been done, the only secure fix is to re-image the infected systems," which sounds like one hand clapping to managers who have been told to contain IT costs
  • some of the infected systems are "noisy", probing around the network trying to spread itself
  • some of the infected systems are "stealthy", the bot does not attempt to spread further from them, it seeks data on the local system including what processes are running on the system
  • some of the infected systems appear to have data of interest to the attacker
  • the bot is instructed to install a root kit and possibly remove itself from the system
  • the attacker explores the systems of interest, looking for files, looking at database contents, stealing what they want, etc.

From the article:
"In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," the company said. It did not elaborate on the technology it was referring to.
This sounds like a smokescreen. The "technology" might be quite simple and common. Any of these could apply, for example:
  • the intruders used scp to upload files to a remote host so our IDS logged the connection, but we can't tell what was in the files
  • the intruders used ftp, but our IDS system was configured to log only meta-data (packet header, not data segment)
  • we didn't have an IDS system in place
  • a rootkit on the system allowed the attacker to perform arbitrary commands on the system over an encrypted connection without those commands being logged
The six people arrested were using the stolen data. They may have purchased it from the person or people who stole it. It's possible (even likely) that they don't even know the identity of their supplier.
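The spread-then-exfiltrate sequence in the comment above, and its point that an IDS logging only metadata records the scp/ftp connection but not the file contents, as an added defender-side example (not code from the thread, from TJX or from IBM): two detections run over constructed connection-log lines, flagging the "noisy" spreader and the large outbound push. The log format, the 10.0.0.0/8 internal range and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed assumptions: the internal address plan and the ports the
# comment names for file transfer (ftp and scp/sftp).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
FILE_TRANSFER_PORTS = {21, 22}

# Constructed connection log, "<ISO time> <src> <dst> <dport> <bytes sent>":
# the header-only metadata an IDS keeps when it does not log payloads.
SAMPLE_LOG = """\
# noisy host: one source touches ten internal peers on 445 in ten seconds
2006-07-14T02:01:10 10.20.5.17 10.20.5.3 445 1200
2006-07-14T02:01:11 10.20.5.17 10.20.5.4 445 1200
2006-07-14T02:01:12 10.20.5.17 10.20.5.5 445 1200
2006-07-14T02:01:13 10.20.5.17 10.20.5.6 445 1200
2006-07-14T02:01:14 10.20.5.17 10.20.5.7 445 1200
2006-07-14T02:01:15 10.20.5.17 10.20.5.8 445 1200
2006-07-14T02:01:16 10.20.5.17 10.20.5.9 445 1200
2006-07-14T02:01:17 10.20.5.17 10.20.5.10 445 1200
2006-07-14T02:01:18 10.20.5.17 10.20.5.11 445 1200
2006-07-14T02:01:19 10.20.5.17 10.20.5.12 445 1200
# stealthy host: three large scp pushes to one external address
2006-07-14T03:10:00 10.20.7.40 198.51.100.9 22 40000000
2006-07-14T03:25:00 10.20.7.40 198.51.100.9 22 35000000
2006-07-14T03:40:00 10.20.7.40 198.51.100.9 22 30000000
# internal ftp backup and ordinary web traffic: must not be flagged
2006-07-14T03:00:00 10.20.7.40 10.20.1.50 21 20000000
2006-07-14T09:00:00 10.20.9.2 203.0.113.5 443 4800
2006-07-14T09:00:05 10.20.9.2 10.20.1.1 53 90
2006-07-14T09:01:00 10.20.9.2 203.0.113.5 22 1500
"""


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Turn the log lines into event dicts; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        events.append({"time": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return events


def find_noisy_hosts(events, window=timedelta(seconds=60), min_peers=8):
    """Map (src, dport) -> peak count of distinct internal peers contacted
    inside any `window`; only pairs reaching `min_peers` are returned."""
    by_key = defaultdict(list)
    for e in events:
        if is_internal(e["src"]) and is_internal(e["dst"]):
            by_key[(e["src"], e["dport"])].append(e)
    noisy = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        j = 0
        for i in range(len(evs)):
            # advance j to the first event outside the window starting at i
            while j < len(evs) and evs[j]["time"] - evs[i]["time"] <= window:
                j += 1
            peers = {e["dst"] for e in evs[i:j]}
            if len(peers) >= min_peers:
                noisy[key] = max(noisy.get(key, 0), len(peers))
    return noisy


def find_exfil_candidates(events, min_bytes=50_000_000):
    """Map (src, dst) -> bytes pushed to an external host over ftp/scp when
    the total reaches `min_bytes`. This sees the transfer, never the file
    contents, which is exactly the limit the comment describes."""
    totals = defaultdict(int)
    for e in events:
        if (e["dport"] in FILE_TRANSFER_PORTS and is_internal(e["src"])
                and not is_internal(e["dst"])):
            totals[(e["src"], e["dst"])] += e["bytes"]
    return {k: v for k, v in totals.items() if v >= min_bytes}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, port), n in find_noisy_hosts(evs).items():
        print(f"noisy: {src} reached {n} internal peers on port {port}")
    for (src, dst), total in find_exfil_candidates(evs).items():
        print(f"exfil candidate: {src} pushed {total} bytes to {dst}")
```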

Re:All encompassing (1)

PPH (736903) | about 7 years ago | (#18533843)

I'd like more technical details. Are there any theories about how the attackers breached the system?

NPR had a bit on this on the news at noon. Apparently, some 'software' was discovered on several computers in one of their corporate offices back in December. At that time, they turned the case over to law enforcement. The magnitude of the breach has only recently become evident, requiring TJX to notify the SEC about events that may have a material effect on their financial status. IBM has been working on the forensics with TJX for some time.


They didn't say what sort of computers were affected nor how the software got on them. While widespread virii are easy to spot once their signature is known and filters configured, targeted ones are more difficult to detect. Very few instances get caught 'in the wild' and well written ones run so unobtrusively that network performance is not affected noticeably. I've seen PC virii slipped inside defense contractors on more than one occasion that weren't caught for years.

Virus ridden defense contractors (1)

HomelessInLaJolla (1026842) | about 7 years ago | (#18535211)

I've seen the same. At Battelle, in Aberdeen, MD, more than one system had popups which arrived on the desktop when no browser was running. When I worked on the Aberdeen Proving Grounds military base, as a contractor for Battelle, the public use computers were absolutely riddled with quirks (e.g. sound drivers failing, mouse clicks lost, shared drives disappearing and reappearing) which weren't consistent with usual WinNT problems, weren't part of announced outages, and didn't correspond with scheduled system maintenance or upgrades.

While none of these events were ever well-tracked or investigated and could just as easily have been the generic useless malware variants, I wouldn't be at all surprised if a thorough forensics investigation uncovered more targeted attacks or trojans which had been slipped in under the guise of innocuous maladware.

Sounds like damage control doublespeak (4, Informative)

Critical Facilities (850111) | about 7 years ago | (#18530283)

From TFA:
Customer names and addresses were not included with any of the payment card data believed stolen from the Framingham systems, TJX said. Also, the company "generally" did not store Track 2 data from the magnetic stripe on the back of payment cards for transactions

Also from TFA:
It is hard to know exactly what kind of data was stolen because a lot of the information accessed by intruders was deleted by the company in the normal course of business. "In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," the company said.

Sounds like they're just desperately trying to control the obviously egregious oversights that happened here. It also sounds like they're still trying to figure out what has happened. To say that heads are rolling is probably the biggest understatement ever.

The Answer is... (4, Insightful)

WED Fan (911325) | about 7 years ago | (#18530307)

The simple answer for users, and it exists now: Revokeable Credit Cards.

The long term is separation of credit and banking from the Social Security system.

Re:The Answer is... (1)

afidel (530433) | about 7 years ago | (#18530669)

The answer is smart cards. I had a credit card with a smartchip in it from 2000-2005 and the chip was used exactly three times, twice at Burger Kings and once at a haircut place. None of the major retailers had the readers (or the readers didn't enforce smartcard use for cards with the flag). The only other use was for extra security in online banking, which is already probably the most secure part of the CC system due to SSL. If CC companies and merchants were serious about security, smartcards with picture ID would be required; instead they are nearly impossible to obtain and the additional features aren't utilized during the majority of transactions. I have to conclude that the CC companies and merchants find it cheaper to continue with the status quo than to implement real security.

Re:The Answer is... (1)

hacker (14635) | about 7 years ago | (#18531333)

The answer is smart cards. I had a credit card with a smartchip in it from 2000-2005 and the chip was used exactly three times, twice at burger kings and once at a haircut place.

How is THAT the answer, when only 3 places, in the 5 years you've used the card, support reading the chip on it? Doesn't sound very pervasive to me.

Re:The Answer is... (1)

afidel (530433) | about 7 years ago | (#18531563)

It's the answer to the need for security, but unfortunately the people who need to implement the security don't seem to really care about it. It apparently costs them less to do nothing and pay out for breaches than it would to implement real security. Unfortunately it costs the powerless consumers orders of magnitude more in time, frustration, and real costs to fix the problem but that isn't the concern of the companies because it doesn't show up on the balance sheet and there is no real alternative.

The Complicator's Card (3, Interesting)

Beardo the Bearded (321478) | about 7 years ago | (#18531819)

The answer isn't expensive smart cards with new infrastructure. As you've stated, the smart card chips aren't used in the majority of places.

Fortunately, we don't have to do that. It's way simpler.

1. Require all credit cards to add a photograph to the back as well as a signature panel. Overlay parts of the photo with holograms to make sure it's tough to copy. (It's not like the "lost card" field does fuck all when you've lost the card.)

2. Put identity photographs in everyone's credit history. If you're getting a mortgage or credit card or something else where you have to go in person, then it's pretty obvious if you're faking it.

3. Have the credit agency computers call a number listed in the credit history every time the history is accessed. ("This is Equifax. Beardo has applied for a $500k mortgage. If you are not aware of this transaction, call 1-800-HEY-WAIT.")

That's it.

The reason we won't see this - ever - is because it will cost the banks money to implement. When they can instead blame the victims for their DARING to have their stuff stolen, why bother to invest in making a secure environment? After all, it's perfectly secure from the bank's point of view.

Re:The Complicator's Card (1)

WGFELyL5 (989566) | about 7 years ago | (#18534527)

3. Have the credit agency computers call a number listed in the credit history every time the history is accessed. ("This is Equifax. Beardo has applied for a $500k mortgage. If you are not aware of this transaction, call 1-800-HEY-WAIT.")
You can do something like this now by filing a "fraud alert" [experian.com], which will be shared between the three credit bureaus (Equifax, TransUnion, Experian).

You can require that a phone number (provided by you) be called each time a credit application is processed using your information.

You can set this up for 90 days or 7 years. This also will remove your name from appearing on credit card junk mail. (A different process is involved in stopping the mails altogether.)

(I became aware of this service only recently, after Discover Card called me at work to verify a non-matching home address on a fraudulent credit card application.)

Re:No No! No! (1)

mpapet (761907) | about 7 years ago | (#18531359)

I agree with another post that mentions smart cards. Much more difficult to create fraudulent transactions when you _must_ insert the card into a reader for authentication.

But this is not about "banking" transactions. This is an almost unregulated gray area where the retailer is processing/managing its own credit accounts. It sounds like those accounts stored individuals' banking information along with their internal account info. (duhh!) This explains the ability for some bad guys to buy things elsewhere.

Some things to think about:

1. Did they write the software themselves? I suspect they didn't, but who knows. I'm sure there's hardly any reconciling/auditing features.

2. You will see more of these where accounts (ex. gift cards, store credit) will be fraudulently loaded with store credit for large-scale theft.

3. Since there is practically no regulation of this kind of financial activity (retailer-run credit accounts) expect quite a bit more theft. Both in dollars and banking info theft.

4. There's no way they have enough sysadmins/accountants doing the necessary auditing. Otherwise, they wouldn't have started what is a very profitable game for retailers. They operate as retailers, not banks.

Today's lesson: Don't get one of those store credit cards. You shouldn't be in debt to a retailer, ever.

Re:No No! No! (1)

Misch (158807) | about 7 years ago | (#18532197)

Today's lesson: Don't get one of those store credit cards. You shouldn't be in debt to a retailer, ever.

Most of the time, the "store card" is offered by a bank. CompUSA's credit card program is administered by HSBC, etc...

Re:No No! No! (1)

ahmusch (777177) | about 7 years ago | (#18536081)

There is a gigantic difference between "managing your own accounts" and "processing your own transactions."

One involves issuing payment instruments. One involves being responsible for accepting those transactions and settling with whomever did issue that payment instrument.

It is frequently worthwhile for large, national merchants to maintain their own relationships to the issuing associations; they control all the data, and they don't have to pay a merchant processor a cut. Tater's Toe Service may only have Visa/MC transactions per day; TJMaxx likely has (had) millions.

Also, a gift card is not a credit instrument, it's a debit instrument. Whoever issues you such an instrument isn't lending you money, they already have it. There is a gigantic difference between a, for example, JCPenney (or any other "private label") credit card and a JCPenney gift card -- the only real similarity is that either can only be used at JCPenney.

Oh, and like hell private label isn't regulated; it's regulated exactly the same way Visa, MasterCard, American Express, Discover, and any other is.

In short, you have demonstrated that not only do you not know what you're talking about, but you managed to jump into unrelated areas... where you still didn't know what you're talking about.

How will that help? (1)

Slashdot Parent (995749) | about 7 years ago | (#18534831)

The long term is separation of credit and banking from the Social Security system.
How will that help?

If congress were to pass a law that forbids banks from collecting social security numbers and mandates that they destroy all social security numbers already collected, has congress just solved the Identity Theft problem?

(Hint: the answer is "no")

Re:The Answer is... (1)

ahmusch (777177) | about 7 years ago | (#18536501)

Banks have to collect Social Security numbers, because interest paid is income, and until sometime in the 70's/80's, all interest -- including credit card interest -- was deductible. Haven't you ever gotten a 1099-INT?

You may as well advocate the elimination of private property while you're at it.

Example (4, Insightful)

Renraku (518261) | about 7 years ago | (#18530321)

Let's say that you're sitting at home one day. You get your credit card statement. Apparently your card is maxed out at $10,000. Your interest rate has tripled and the company is calling you wondering why you spent $10,000 in Bumfuck, India.

Ok, so you're not responsible.

How do you know how they got your info? It could have been from a call center, when you called about double billing you over and over. It could have been when you called your bank, which also has call centers in India. It could have been when you lost your card, someone found it.

Point is, you probably will never know how they got your info. Only that they did. Even if you did find out, could you prove it in a court of law enough to sue TJX?

Re:Example (3, Insightful)

stratjakt (596332) | about 7 years ago | (#18530513)

You dispute all charges, say you didn't make 'em, and you do this as soon as you find out, before anything can go to collections, and end up on a credit report. You have to be pretty negligent of your own finances to let it go that far.

I have no pity for someone who doesn't at least look at their monthly statements.

The risk to your credit is absolutely minimal if you pay attention, and call the 1-800 number on the back of the card to dispute the claims immediately.

As for suing TJX, you wouldn't. You just get your money back, and the CC company goes after the guy who fraudulently used your card.

I've had my credit card stolen (physically) and dealt with this. At first I was freaked out, "o noes identity theft" and all, but after a phone call I had my money back the next day.

As an epilogue, the moron who took it worked with me, and used it at the gas station across from my work - the station manager had no problem letting our company pres and I check out the tape, and there's dumbass.

In my case he didn't get a chance to spend more than a grand before I phoned the card in, so it was just petty theft. I never had to follow up on it, though, BoA did that.

Re:Example (1)

Thuktun (221615) | about 7 years ago | (#18536503)

In my case he didn't get a chance to spend more than a grand before I phoned the card in, so it was just petty theft.
One wonders if there's a downside to waiting a skosh to see if the loser was going to rack up sufficient theft to make it a felony. If a loser cow-orker stole from me, I'd prefer to see him end up in PMITA prison, myself.

Re:Example (1, Interesting)

955301 (209856) | about 7 years ago | (#18530671)

Yes, you can find out. Almost all companies who do lookups against card information have trace information. A court will be able to get that information.

how they got your info .. (1)

rs232 (849320) | about 7 years ago | (#18530765)

'How do you know how they got your info?'

Well, according to the article, how they got the information was by hacking TJX and using it to purchase large quantities of gift cards from Wal-Mart and Sam's Club. So in this case we don't have to wonder.

'in filings with the U.S. Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems [computerworld.com] over a period of more than 18 months by an unknown number of intruders'

'in partnership with the Gainesville Police Department, officials from the Florida Department of Law Enforcement said they have taken six of 10 suspects into custody for allegedly using the TJX customer data [computerworld.com] to purchase large quantities of gift cards from discount chains Wal-Mart and Sam's Club'

Re:Example (2, Interesting)

FuryG3 (113706) | about 7 years ago | (#18532221)

This EXACT situation happened to me.

I was traveling internationally, lost my wallet, reported cards as stolen. Ended up finding the wallet (with money, yay!) but had to wait for my new cards to get to my house in the US, and then to me in Europe.

Fast forward 2 weeks. I receive my cards in Europe and 2 days later I notice that there's a charge on one of my cards for something I didn't buy. And it was made BETWEEN the times that I reported my card "stolen" and when I activated my new card. The charges are getting wiped off my bill, but still, I'll never know what was going on.

Did someone at the hotel get my card number? If so, how could they use it 1 1/2 weeks after it was reported stolen?
Did someone grab the number while it was being shipped in the USPS (charges were before it was shipped int'l)? If so, how could they use a card before it's activated?
Was it just an error at my Financial Institution? How can that happen?

Unfortunately Providian (now WaMu) won't tell me what card number they used to make the transaction (new one or old one?). That would narrow it down a lot, but they claim "they don't have that information." I don't know what would worry me more, them actually not having that information or them lying to me to cover their ass, but I suspect it's the latter...

Read your cardholder agreement.... (0)

Anonymous Coward | about 7 years ago | (#18532861)

VISA International made some recent changes that make you responsible for many cases like this. I'm not joking; I just canceled 2 cards of mine due to the change in legal language (only a few words different, but according to my attorney, it totally shifts burden). I'm looking forward to "pay-as-you-go" account balance cards.

Re:Example (0)

Anonymous Coward | about 7 years ago | (#18534811)

Is this why, when the prime lending rate has been very low for several years, the standard credit card rates are approaching 30%? Aside from the potentially bad PR, it's you and I who pay the price.

Re:Example (1)

Pharmboy (216950) | about 7 years ago | (#18537467)

30% credit cards? I'm pretty sure that I have never seen that. Interest rates over 24% are illegal in most states (usury laws) and the "average" rate is probably closer to 12-15%. If you are paying 30%, then obviously your credit is majorly fucked.

inevitable (1, Insightful)

Anonymous Coward | about 7 years ago | (#18530493)

Without knowing any details, I would have to say this kind of thing is inevitable. TJX is probably another company which views its IT staff as nothing more than a cost center, with all the expertise they need being a simple commodity. Why pay somebody with real experience and a proven track record a good salary when you can hire somebody with a bunch of certificates for 1/3 the cost? Or intimidate an H1-B employee into working 75 hours a week?

I wonder if making the upper management personally responsible for losses in cases like these would change their perceptions.

Re:inevitable (0)

Anonymous Coward | about 7 years ago | (#18534257)

Bingo! That is retail in general. They see it as a pool of debt. The major problem is, like many businesses, people there are tribal. And when that happens, top talent who don't mind working for less than the max they can make leave for greener pastures.

I am happy I left. Although I hate where I am now, it is better than worrying every day about who is watching you and who wants to get your contract killed in the name of a raise and maybe a cube in a different part of the building!

The people in the IT section are great and their heads are not rolling, but the rest of the company, at least where I was, sucked.

Re:inevitable (0)

Anonymous Coward | about 7 years ago | (#18539031)

I worked for TJX for over 10 years. About 5 years ago they rolled out a stored value card that could be used for returns and gift cards. The shopsmart system, as it was called, would crash almost every Saturday and Sunday. We would issue a shopsmart card and then not be able to redeem it five minutes later. This led to lots of pissed off customers. I found out that TJX had a bid from the top company in stored value cards for 10 million to sell us a turn-key solution. TJX decided to do a roll-your-own solution for approx 1 million. A regional vice president later admitted to me it probably cost more in lost business than they saved. TJX was cheap to a fault at times. They did things they thought would save expenses, to the detriment of business. I would be willing to bet the same mindset got them into this problem. Instead of letting a company who are experts manage their security, they probably did it themselves. As someone once said, "The best predictor of the future is the past."

what OS was it running on .. (3, Interesting)

rs232 (849320) | about 7 years ago | (#18530501)

Re:what OS was it running on .. (1)

McNihil (612243) | about 7 years ago | (#18530667)

Just because their webserver is running IIS doesn't necessarily mean that everything else is. Interesting that they migrated over to W2k... well, assuming they are hardcore FrontPage users that would explain why... and WebDAV might have been used to make it much simpler to compromise (been there, got the t-shirt... will never ever use DAV again.)

As much as I want to jump on Microsoft and nail a couple more in the coffin I doubt that it is an OS issue and more an inside job.

Re:what OS was it running on .. (1)

rs232 (849320) | about 7 years ago | (#18531023)

'What does the OS of their web server have to do with what OS their internal billing systems are using?' - Anonymous Coward

It was the ecommerce server that was compromised, unless you know different.

'Just because their webserver is running IIS doesn't necessarily mean that everything else is .. I doubt that it is an OS issue and more an inside job'

What do their internal billing systems run on? How are they connected to the front end? How was the breach achieved? Did they break in through the front end? Have you told the Florida police about this inside job?

Re:what OS was it running on .. (1)

McNihil (612243) | about 7 years ago | (#18531543)

'Have you told the Florida police about this inside job?'

Why would I need to... don't they have a brain?

Re:what OS was it running on .. (1, Insightful)

Anonymous Coward | about 7 years ago | (#18530685)

What does the OS of their web server have to do with what OS their internal billing systems are using? I've worked plenty of places that had IIS hosting their "find a store near me" web site but used *nix or Big Iron for the systems that did real work such as billing or inventory control.

Re:what OS was it running on .. (1)

roman_mir (125474) | about 7 years ago | (#18531303)

Wow, netcraft useful for something unrelated to death sentences? Who would have thunk?

Re:what OS was it running on .. (0)

Anonymous Coward | about 7 years ago | (#18531577)

I don't know for sure, but since I work for TJX I can tell everyone that Microsoft probably isn't to blame on this one. But the Apple fanboys and the Linux geeks aren't to blame either. TJX is an AS/400 shop.

For Canadians, Winners and HomeSense affected (1)

kbahey (102895) | about 7 years ago | (#18530593)

This affects some purchasers from the Canadian retailers Winners, and HomeSense, as per this CBC article [www.cbc.ca] .

More importantly, there have been recent arrests in Florida [www.cbc.ca] relating to this case.

Re:For Canadians, Winners and HomeSense affected (1)

Dr Caleb (121505) | about 7 years ago | (#18531607)

It's my understanding from previous articles that Winners and Homesense store Interac card #s and PINs (but Canadian Interac cards were not breached). What possible business reason is there to store PINs, and why are they storing card information at all?

Re:For Canadians, Winners and HomeSense affected (1)

kbahey (102895) | about 7 years ago | (#18531865)

My understanding is that Interac (debit cards, for USians) are not affected, but credit cards may have been stolen.

A message [tjx.com] on TJX's corporate web site advises customers to take certain steps [tjx.com] (Canadian version), which include getting a credit report.

I did that, since we shop at Winners occasionally, and did not find anything unusual, and our credit cards have not shown any unusual transactions.

Because they were aware since at least December... (2)

DragonPup (302885) | about 7 years ago | (#18530627)

..but decided not to tell anyone until late March, can we file a class action lawsuit for negligence if any of our card numbers were compromised, or illegally used?

Systematic Credibility Gap (2, Insightful)

ehaggis (879721) | about 7 years ago | (#18530743)

Credit scores, reports and identity are in trouble in the US. It is a large pink elephant in the living room, but no one with any influence wants to admit it. Your credit record can be inaccurate due to:
1. Credit Agency mistake
2. Creditor error
3. Criminal activity
4. Poor security measures by xyz company
5. ???

With each of these problems, the onus for repair is on the customer / victim. There is no standard or easy resolution.

Re:Systematic Credibility Gap (1)

rgriff59 (526951) | about 7 years ago | (#18535371)

...the onus for repair is on the customer / victim...
I find it quite telling that for a breach of more than 45 million cards, they have, so far, spent 5 million dollars. To put this in another light, the value of each customer's data to TJX is slightly more than a dime? If that isn't a credibility gap...

Meanwhile... (4, Insightful)

jeevesbond (1066726) | about 7 years ago | (#18531203)

In other news a story on Microsoft's Get The FUD [microsoft.com] campaign mysteriously disappears, the title was: 'TJX Chooses Windows Over Linux for Reliability and Security'.

I'm joking, but you never know. On a more serious note: what mystifies me is why these companies need to store customers' credit card details at all?! Having had experience with POS (Point of Sale) I know that the system should keep these details long enough to complete a transaction, then it should delete them.

Security starts with only keeping the information you need. Courts should be questioning why these companies retained this data in the first place!

Re:Meanwhile... (1)

SuluSulu (1039126) | about 7 years ago | (#18531551)

what mystifies me is why these companies need to store customers credit card details at all?!

It's used to help prevent credit card fraud. I've worked in retail and I have had to deal with it myself to a small extent. It's one of the reasons that many places will only refund money onto the card you made the purchase on. (Also so that they have proof that the money was refunded and the customer can see it refunded on their statement.) The other reason is traceability. Things like the credit card number and signature slip, electronic or paper, are used to prove that a person made the purchase that they forgot that they made or are "claiming" that they didn't make. Of course this is no excuse for lax security.

I never save credit card info after a sale (1)

vinn01 (178295) | about 7 years ago | (#18533261)


Yes, chargebacks can be a problem. But your other points are not universal. For me, there is little need to keep the credit card information once the transaction has been completed. The only piece of info that I store is the Transaction ID. I never store the Authorization number. Once the transaction is auth'ed, there is no point.

Refunds don't have to be made to the same credit card. But if I wanted to enforce that as a policy, I could go back to my processor (VeriSign) and look up the credit card number using the Transaction ID.

Your mileage may vary. But that is my experience.

Re:I never save credit card info after a sale (1)

ahmusch (777177) | about 7 years ago | (#18536211)

The difference is that VeriSign's your merchant processor. The merchant processor has the responsibility to keep that information throughout the transaction's life cycle.

TJ Maxx is their own merchant processor. Therefore, they needed to keep all the information relevant for the transaction.

Now, did they keep information they didn't need to keep longer than they should? It certainly seems that way.

Re:Meanwhile... (1)

mdm-adph (1030332) | about 7 years ago | (#18532203)

I'm joking, but you never know. On a more serious note: what mystifies me is why these companies need to store customers credit card details at all?! Having had experience with POS (Point of Sale) I know that the system should keep these details long enough to complete a transaction, then it should delete it.

Because they have to report it to the government in order to keep track of everything you do as part of a global information dragnet on every living man, woman, and child in the world?

Nah....

Re:Meanwhile... (1)

FutureDomain (1073116) | about 7 years ago | (#18532541)

The only answer I can think of is for tracking purposes. If your credit card is stolen, they can track purchases made by it.

The solution to allow tracking, but keep hackers at bay is to cryptographically hash the card number with a one-way hash and store that after the transaction is completed. Then, if Joe's identity is stolen, they could hash Joe's card number and compare it in the database with purchases. But if the database is broken into, the hackers just have useless hashes instead of credit card numbers.

Re:Meanwhile... (1)

mrcaseyj (902945) | about 7 years ago | (#18536717)

>The solution to allow tracking, but keep hackers at bay is to cryptographically hash the card number...

That's what I was going to say. As I was writing a post to tell people to mod you up I realized why it might not do much good. The credit card number is only 16 digits and isn't completely random. This means it would probably be practical to make a rainbow table with the hash of every likely card number. A salt unique to the merchant might help especially if it could be kept from the hackers. A salt that included items unique to the customer such as name, address etc. would require a complete hash search for every customer and might do the trick, or it might not.
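The two posts above make the case for hashing card numbers for tracking and the case against it (a 16-digit, non-random number is a small search space). The following added example, which is not code from the thread, puts numbers on both: it counts the candidate PANs once the issuer BIN is known, measures how fast that space can be hashed on the current machine, and shows the keyed (HMAC) variant that still supports the "which purchases used Joe's card" lookup without being searchable by whoever takes the table. Card numbers, purchase records and the merchant key are constructed sample values.

```python
"""Bare hash vs keyed hash of a card number for post-sale tracking.

Added example, not code from the thread. The PANs and ledger are constructed
test values; MERCHANT_KEY stands in for a secret a key vault or HSM would hold.
"""
import hashlib
import hmac
import secrets
import time
from typing import List, Tuple


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit completing `partial` (the PAN minus its last digit)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def candidate_space(pan_length: int = 16, bin_digits: int = 6) -> int:
    """PANs to try when the issuer BIN is known: the BIN is public and the last
    digit is fixed by Luhn, so only the middle digits are free (10**9 for 16)."""
    return 10 ** (pan_length - bin_digits - 1)


def naive_token(pan: str) -> str:
    """The scheme proposed in the thread: a bare SHA-256 of the card number."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_token(pan: str, merchant_key: bytes) -> str:
    """HMAC under a secret kept out of the database: without the key a stolen
    table cannot be tested against candidate PANs, so the search above is moot."""
    return hmac.new(merchant_key, pan.encode(), hashlib.sha256).hexdigest()


def seconds_to_enumerate(sample: int = 200_000) -> float:
    """Extrapolate, from a short timed run, how long hashing every candidate
    PAN takes on this machine (a single core, no GPU: a lower bound on risk)."""
    start = time.perf_counter()
    for n in range(sample):
        hashlib.sha256(f"{n:016d}".encode())
    per_hash = (time.perf_counter() - start) / sample
    return per_hash * candidate_space()


def purchases_for_card(ledger: List[Tuple[str, str]], pan: str, key: bytes) -> List[str]:
    """The tracking use case from the thread: purchases made with a given card."""
    wanted = keyed_token(pan, key)
    return [pid for pid, token in ledger if hmac.compare_digest(token, wanted)]


# Constructed sample data: Luhn-valid test PANs and a hypothetical merchant key.
SAMPLE_PAN = "4111111111111111"
MERCHANT_KEY = secrets.token_bytes(32)
LEDGER = [
    ("order-1001", keyed_token(SAMPLE_PAN, MERCHANT_KEY)),
    ("order-1002", keyed_token("5555555555554444", MERCHANT_KEY)),
    ("order-1003", keyed_token(SAMPLE_PAN, MERCHANT_KEY)),
]

if __name__ == "__main__":
    print("candidate PANs with BIN known:", candidate_space())
    print("seconds to hash them all here:", round(seconds_to_enumerate(), 1))
    print("purchases on sample card:", purchases_for_card(LEDGER, SAMPLE_PAN, MERCHANT_KEY))
```

A per-merchant salt stored next to the hashes, as the second post suggests, does not change the count: it only stops a precomputed table from being reused across merchants, while the key above must stay out of the breached data set to help.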

Re:Meanwhile... (1)

Eklypz (731361) | about 7 years ago | (#18535575)

Actually, they were violating regulations by keeping the credit card data

Re:Meanwhile... (2, Informative)

Kalriath (849904) | about 7 years ago | (#18535727)

Actually, you're only violating regs if you keep the CVV2 number (three digit number on the back) - PCI DSS says you dump that as soon as you verify it, but you do not have to with the credit card number (otherwise how do you expect PayPal et al. to work?)

"This is what happens, Larry!" (1)

Rimbo (139781) | about 7 years ago | (#18531269)

This is what happens when you buy Microsoft's line about how Windows is adequate for anything other than video games.

And Vista's so slow and has so many driver problems, it can't even do that very well.

Re:"This is what happens, Larry!" (0)

Anonymous Coward | about 7 years ago | (#18532339)

I know this is Slashdot so mindless attacks on M$ are mandatory, but TJX uses AS/400s for these systems.

Re:"This is what happens, Larry!" (1)

Rimbo (139781) | about 7 years ago | (#18532929)

Gah! AS/400s? EVEN WORSE! Akers' incompetence and focus on this hunk o' junk is how Microsoft was able to become the Evil Empire...

Re:"This is what happens, Larry!" (1)

Mister Whirly (964219) | about 7 years ago | (#18532545)

That's right, because this is Slashdot and Microsoft is responsible for 100% of the world's problems. Amazing how some folks have less than 1 degree of separation between a problem of ANY sort and Microsoft...

A Credit Card Solution (1)

ThOr101 (515492) | about 7 years ago | (#18531351)

I post this fleeting thought here to see if this is viable, and maybe spark a thought in the minds of Credit Card companies.

What if our CC numbers weren't so persistent. I have cards in my wallet that don't expire for 3 or 4 years. Why not issue a new card every 12 months? That way, people who steal credit cards from these systems only have at most 12 months to use them.

One possible problem: recurring bills. Instead of the one time use cards that Amex used to have (I REALLY liked those) or that Discover Card has now, you issue a One Merchant number. So if I want to purchase dedicated server hosting, I give the server company a specially created CC number that doesn't expire after 1 year, but once 1 merchant uses it, only that merchant can use it again.

What about returns? Keep your receipts.

Ok slashdotters. Poke your holes!

--B

Re:A Credit Card Solution (1)

untouchableForce (927584) | about 7 years ago | (#18531949)

A better solution would be constantly changing credit card numbers. Utilizing something like the RSA tokens in combination with a credit card number would eliminate everything except physical theft of your card. Instead of having your credit card be a static 4444 4444 4444 4444 it would be 4444 4444 4444 4444 XXXXXX where the X's change every minute. A retailer stores the transaction time (synchronized, of course) and the card number at the time of the sale. Utilizing the widely available RSA token technology, the card company would be able to know if it was the correct token for your account. If it wasn't, the card is denied. This would make someone who stole your credit card online from a database worthless (unless you happened to buy something a minute before they did the hack) and could be mostly transparent to users purchasing in the store and only mildly different for people purchasing online (mostly it'd be a UI difference where you input your credit card number and 'token' on a separate screen so you can enter it in the short amount of time given). The biggest problem with this whole plan is RSA owns the patent on that, and it's likely to be too expensive to implement for that reason.
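An issuer-side verifier for the rotating-suffix scheme proposed above, as an added example rather than the poster's or RSA's design: the six-digit suffix is derived TOTP-style (HMAC over the current minute, RFC 6238 truncation) from a per-card secret, so a retailer's stored record of card number plus timestamp stops authorizing once its minute has passed. The one-minute step, the one-step clock-skew window, and all names, secrets and times are assumptions.

```python
"""Verifier for a card number with a time-rotating six-digit suffix.

Added example, not the poster's or RSA's code. Uses the RFC 6238 (TOTP)
construction as a stand-in for the proprietary token; step and window sizes
are assumptions.
"""
import hashlib
import hmac
import struct
from typing import Dict

STEP_SECONDS = 60   # the post's "change every minute"
DIGITS = 6          # the post's XXXXXX suffix


def rotating_code(card_secret: bytes, unix_time: int) -> str:
    """Six-digit code for the minute containing unix_time (TOTP truncation)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(card_secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def card_number_at(pan: str, card_secret: bytes, unix_time: int) -> str:
    """What the cardholder would present at that minute: static PAN + code."""
    return pan + rotating_code(card_secret, unix_time)


def authorize(issuer_db: Dict[str, bytes], presented: str, txn_time: int, window: int = 1) -> bool:
    """Issuer check: split off the suffix, look up the card's secret, and accept
    the code for the transaction's minute or one step either side (clock skew)."""
    pan, code = presented[:-DIGITS], presented[-DIGITS:]
    secret = issuer_db.get(pan)
    if secret is None:
        return False
    for skew in range(-window, window + 1):
        expected = rotating_code(secret, txn_time + skew * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed sample data: one enrolled card and a fixed transaction time.
ISSUER_DB = {"4444444444444444": b"constructed-per-card-secret"}
SALE_TIME = 1_700_000_000

if __name__ == "__main__":
    record = card_number_at("4444444444444444", ISSUER_DB["4444444444444444"], SALE_TIME)
    print("authorized at sale time:", authorize(ISSUER_DB, record, SALE_TIME))
    print("same record an hour later:", authorize(ISSUER_DB, record, SALE_TIME + 3600))
```

The residual risk the post names is visible in the window: a record taken within a minute of the sale still authorizes, so the retailer's own exposure is reduced to that window rather than removed.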

I'm in UK, got hit (1)

badzilla (50355) | about 7 years ago | (#18535741)

Bogus transactions appeared on my card last week. The transactions looked pretty much like the kind of purchases I do all the time anyway, but somehow the card company (NatWest) security department noticed it was happening and blocked the card pretty quick. I shop at TK Maxx all the time, and when I phoned them a couple months ago they said we can't tell you anything but look out for any fraud on your card. Well, it happened, so I called them back yesterday and they said yep, it was likely my card details came out of their break-in.

Simple Solution.... (1)

CrazyFool (55822) | about 7 years ago | (#18536127)

Make the corporation, its board, and officers personally responsible for lost data....

As in Bank A loses 10K records of personal data which results in 100M in fraudulent charges. Bank A has to pay the merchants and CC companies 100M.....

You'll see data protections and security go up so fast you'll get whiplash....

(What? Hold people responsible?)

Re:Simple Solution.... (0)

Anonymous Coward | about 7 years ago | (#18539745)

You just don't get it! Only the corporation is sued and held responsible. The investors pay for the lawyers and penalties. The managers are forced out, taking their golden parachutes with them (the investors pay for this too). Directors have insurance policies so their screw-ups are paid for by insurance companies (because of policy premiums paid for by investors). The managers and directors move on to other companies richly capitalized by money from -- wait for it -- investors!

Welcome to Wall Street; invest early, invest often.