TJX Is Biggest Data Breach Ever 104
jcatcw writes "Jaikumar Vijayan reports for Computerworld that TJX is finally offering more details about the extent of the compromise which, at 45.6M cards, is the biggest ever. He has been following the story since it started. The systems that were broken into processed payment card, checks, and returns for customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico, and customers of Winners and HomeSense stores in Canada and T.K. Maxx in the U.K. Customer names and addresses were not included in the stolen data. So far the company has spent about $5 million in connection with the breach. Several lawsuits that have been filed against the company, including a suit by the Arkansas Carpenters Pension Fund, one of its shareholders, for failure to divulge more details about the breach."
Sounds like damage control doublespeak (Score:4, Informative)
Customer names and addresses were not included with any of the payment card data believed stolen from the Framingham systems, TJX said. Also, the company "generally" did not store Track 2 data from the magnetic stripe on the back of payment cards for transactions
Also from TFA:
It is hard to know exactly what kind of data was stolen because a lot of the information accessed by intruders was deleted by the company in the normal course of business. "In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," the company said.
Sounds like they're just desparately trying to control the obviously egregious oversights that happened here. It also sounds like they're still trying to figure out what has happened. To say that heads are rolling is probably the biggest understatement ever.
Re:Suggested (Score:1, Informative)
Not to mention there was only 1 guy that was running the portion that led to the infiltration ! That is plain and simple nuts ! What a shame though they are a really nice group of folks around that shop and this breach was not just them.
Also I wonder exactly how many folks were affected and they didn't know until they got a new bank card or credit card.
Also this is an example of retail , where making money is #1 and all else is #2.
Re:All encompassing (Score:5, Informative)
deep insight? the odds are against it. (Score:5, Informative)
Deep insight is mainly useful to attackers who seek a very specific set of data from a particular target. People after credit card data typically just cast a wide net and exploit the low hanging fruit. Let a worm loose, it gets in somewhere. See what it finds. Exploit it. Much, much simpler. Of course since we lack the technical details you mentioned (and others) we have no idea what really happened, and the technical details would probably be interesting. I suspect that the weeks long delay in releasing the information that came out today was due to the fact that the investigators suspected, or merely feared, an inside job.
This is a common and largely emotional response to an attack like this. "Somebody broke into our highly secure system and stole 45 million customer records complete with credit card numbers? Inconceivable!" ("You keep using that word. I do not think it means what you think it means.")
It's certainly *not* a requirement to have "deep insight" into the code or even the specific computing infrastructure of the typical corporation in order to steal data. In fact, ordinary insight is sufficient once you have access, given the attacker has basic technical skills. Rather than deep insight, what is usually seen is a plodding industrial spam-like approach.
This sounds like a smokescreen. The "technology" might be quite simple and common. Any of these could apply, for example:
Re:Legal ramifications (Score:3, Informative)
Re:Meanwhile... (Score:3, Informative)